1-1 NAT with firewalling
-
I did some searches on the forum and didn't find the exact answer to this - but I'm sure it has a simple answer.
I have a block of static public IPs and want to 1-1 NAT them to private IPs (need both incoming and outgoing mapping). I read though that 1-1 entries route all packets but I want to only allow specific ports (HTTP, HTTPS, SMTP, etc) for different machines (Web servers, mail servers, etc). Did I read this incorrectly, or is it simply a matter of deleting an "allow all" rule and adding my rules, or do I need to abandon 1-1 NAT and do it manually with port forwarding/firewalling and advanced outbound rules (which seems more complicated)? Thanks for putting up with the simple question.
-
http://forum.pfsense.org/index.php/topic,7001.0.html
NAT and firewall are separate rulesets.
So yes, if you delete the "allow all" rule you block everything. Although I don't think 1:1 NAT is easier.
1:1 NAT approach:
1: set the 1:1 mapping.
2: create an alias containing all the needed ports.
3: create a firewall rule allowing the alias for the server in question.
Normal port-forward approach:
1: create an alias containing all the needed ports.
2: forward the alias to your server ports. The corresponding firewall rule gets autocreated.
3: enable AoN and set the outbound mapping.
You just do "about" the same thing at different places.
IMO the second is "better" because it works with NAT-reflection (see link above).
Also you don't forward everything by default, leaving the option to use a single IP for multiple servers.
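The two approaches from the reply, written out as an added example in plain pf.conf syntax (this is not from the thread and not what the pfSense GUI generates; interface name, addresses and port lists are constructed placeholders). It shows the point that NAT and filtering are separate: the binat/rdr lines only translate, and only the pass rules decide which ports actually get through.

```pf
# Added example in raw pf.conf syntax, not pfSense's generated ruleset.
# Interface and addresses are constructed placeholders (RFC 5737 / RFC 1918).
ext_if     = "em0"
web_pub    = "203.0.113.10"
web_priv   = "192.168.1.10"
mail_pub   = "203.0.113.11"
mail_priv  = "192.168.1.11"
web_ports  = "{ 80 443 }"      # the "alias" of needed ports for the web host
mail_ports = "{ 25 587 }"      # the "alias" of needed ports for the mail host

### Approach 1: 1:1 NAT (binat). Both directions are translated,
### but this line allows nothing by itself.
binat on $ext_if from $web_priv to any -> $web_pub

### Approach 2: port forward (rdr) for only the needed ports, plus a
### separate outbound mapping (what pfSense calls AoN / outbound NAT).
rdr on $ext_if proto tcp from any to $mail_pub port $mail_ports -> $mail_priv
nat on $ext_if from $mail_priv to any -> $mail_pub

### Filter rules: these decide what passes, independent of the NAT lines.
### Default deny on the WAN replaces the "allow all" rule.
block in on $ext_if
pass out on $ext_if keep state

# pf filters inbound packets after translation, so rules match the
# private (post-NAT) address. Only the listed ports are opened; with
# the 1:1 mapping every other port is still translated but dropped here.
pass in on $ext_if proto tcp from any to $web_priv  port $web_ports  keep state
pass in on $ext_if proto tcp from any to $mail_priv port $mail_ports keep state
```

In pfSense the last two pass rules are what you create by hand for the 1:1 case and what gets autocreated for the port-forward case.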