Netgate Discussion Forum

    Should I use 1:1 NAT or no firewall for outside servers?

    Efonnes

      It is just a simpler way to configure it when it is what you want.  Yes, you could forward everything and set up an outbound NAT rule with static source ports and get the same effect.

      sofakng

        Sorry about the above when I said "dynamic nat" when instead I meant static nat (port forwarding)…

        @rpsmith:

        the public IP of a 1:1 NAT and not the firewall's WAN IP gets associated with your 1:1 NATed host.  If you have enough public IPs, 1:1 NAT is the way to go.

        Doesn't port forwarding also use your additional public IP addresses?  (e.g. using virtual IP addresses and proxy ARP with pfSense, then port forwarding specific ports to my additional addresses)

        I apologize for being confused about this.

        @Efonne:  That is how I'm thinking of it.  (e.g. 1:1 NAT = default all ports forwarded and SNAT = default all ports NOT forwarded)

        I'm not sure how game servers function behind any kind of NAT though (even 1:1, etc.), so I'm not sure if it's better to just place them outside the firewall, but I'm not sure anybody here would know that…

          rpsmith

          If you surf to http://whatismyip.com/ from a 1:1 NAT host, it will indicate your public IP is the same as your 1:1 NAT public IP.  With a normal NAT host, it will show the public IP assigned to your firewall WAN interface regardless of any public IP you may have NATed to it.

          Roy…

            sofakng

            Ahhh, I didn't think about the opposite direction.

            How does that affect servers?  (e.g. there aren't any users behind certain public IP addresses; they are only used for web servers, mail servers, etc.)

              rpsmith

              I'm not really sure what problems, if any, that will cause, but if someone connects to one of your hosts and the returning TCP packets coming back from that host have a different source address than the originally requested address, that might cause some problems.

              Roy…

                jimp (Rebel Alliance Developer, Netgate)

                rpsmith,

                That is not an issue. The state is tracked on port forwarded traffic on VIPs and they go back out the right way.

                You can set up outbound NAT to make the outbound-initiated traffic go out a VIP also, but as others have stated in the thread, 1:1 is easier, and no less secure to use on a VIP as long as you still have appropriate firewall rules.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                  scoop

                  You have another option: If you want to avoid NAT altogether but still want to be able to filter traffic, you can also consider bridging the WAN interface to the separate VLAN that has your internet servers.

                    sofakng

                    Wow… lots of options.

                    What advice do you have for me and my situation?  (re: game server)

                    The game server is on a dedicated VLAN and will have a public IP address (either assigned directly or 1:1 NAT, etc.).

                    It looks like my options are:

                    1. Port forwarding (SNAT)
                    2. 1:1 NAT
                    3. OPT interface bridged to WAN
                    4. OPT interface routed to WAN (?)

                    EDIT: The one requirement I do have is to be able to connect to my game server from inside my LAN network, but for security I'm fine with accessing it via its public IP address (so the server won't have access to my internal network, etc.)

                      chpalmer

                      I do this very successfully here. In contrast, I have one static IP that I use for my servers and one DHCP address I'm provided by my ISP that I use for the rest of the network.

                      I have a virtual address (my public static IP) set up on my WAN. I port forward the incoming ports to the server I want that particular traffic to go to, and then an outbound NAT rule makes the server show up on the other end as the correct IP.

                      Triggering snowflakes one by one..
                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                        rpsmith

                        I would avoid bridging unless your hosted service has a problem with NAT.  If NATing, I would use 1:1 NAT if you have enough IPs. 1:1 NAT requires a separate public IP for every private IP behind NAT.

                        Roy…

                          rpsmith

                          @jimp:

                          That is not an issue. The state is tracked on port forwarded traffic on VIPs and they go back out the right way.

                          jimp - Thanks for the clarification!

                          Roy…

                            Efonnes

                            If the VLANs are handled as separate networks in pfSense, then you could block traffic from the network that has your servers when your LAN is the destination.

                            If you want to access the servers by their public IP addresses, you could put outbound NAT rules on your LAN to translate the addresses from the server network to their public IP addresses, and use port forwards on LAN to forward connections from LAN to your public IP addresses to the correct address on your server network.  That may possibly require 2.0 for the needed options on the port forwards, though, which has a NAT reflection option for 1:1 mappings anyway.

                              sofakng

                              Here's what I have so far based on the advice you have all given:

                              LAN is configured as vlan0 (192.168.0.1) (VLAN ID: 1)
                              OPT1 is configured as vlan1 (192.168.1.1) (VLAN ID: 2)

                              Server is assigned 192.168.1.2 and has 1:1 NAT to a public IP address.

                              OPT1 Firewall rule:  DENY OPT1 -> LAN
                              OPT1 Firewall rule:  ALLOW OPT1 -> any

                              Does that sound right?  This allows my private LAN to connect to my server (using its internal network address [192.168.1.2]), but denies connections from the server to my LAN.  I'm not sure how safe this is, but it seems like the correct method for what I want?

                              (NOTE: I don't need to connect to my server using its public IP address.  I only need to be able to connect to it from my LAN.)

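The layout sofakng ends up with, written out as the pf rules pfSense would generate from it, plus the LAN-side port forward Efonnes describes for reaching the server by its public address. This is an added example, not configuration from the thread or from pfSense itself; the interface names, the public IP 203.0.113.10 and the game port 27015 are assumptions. The point it makes explicit: 1:1 NAT translates every port, so the WAN rule is what limits exposure, and on OPT1 the deny-to-LAN rule has to sit before the allow-any rule because `quick` rules match first.

```pf
# Added example; interface names, the VIP and the port are assumed values.
wan  = "em0"
lan  = "em1"    # vlan0, 192.168.0.1/24
opt1 = "em2"    # vlan1, 192.168.1.1/24 (server VLAN)

lan_net   = "192.168.0.0/24"
opt1_net  = "192.168.1.0/24"
game_srv  = "192.168.1.2"
game_pub  = "203.0.113.10"   # assumed virtual IP on WAN
game_port = "27015"          # assumed game port

# 1:1 NAT. binat is bidirectional: inbound to game_pub is rewritten to
# game_srv, and traffic the server initiates leaves sourced from game_pub
# (the whatismyip.com behaviour rpsmith describes).
binat on $wan from $game_srv to any -> $game_pub

# Reflection for LAN clients that use the public address. Because the
# firewall routes between the two VLANs, the reply follows the same state
# and is translated back, so no extra outbound NAT is needed on LAN.
rdr on $lan proto { tcp udp } from $lan_net to $game_pub -> $game_srv

# Default deny for anything no later quick rule passes.
block all

# WAN: NAT runs before filtering, so the rule matches the private address.
# binat exposes every port of the server; only the game port is passed.
pass in quick on $wan proto { tcp udp } from any to $game_srv port $game_port keep state

# OPT1 (server VLAN): sofakng's two rules. Order matters: the block must
# come first, otherwise the allow-any rule would match LAN-bound traffic.
block in quick on $opt1 from $opt1_net to $lan_net
pass  in quick on $opt1 from $opt1_net to any keep state

# LAN: clients may reach the server by its private address or, via the
# rdr above, by its public one.
pass in quick on $lan from $lan_net to any keep state
```

Check the outcome with `pfctl -s state` while a LAN client is connected: the entry should show the LAN client, 192.168.1.2, and (for the public-address path) 203.0.113.10 in a single translated state.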
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.