Should I use 1:1 NAT or no firewall for outside servers?
-
If you surf to http://whatismyip.com/ from a 1:1 NAT host, it will show your public IP as the same as your 1:1 NAT public IP. With a normal NAT host, it will show the public IP assigned to your firewall's WAN interface, regardless of any public IP you may have NATed to it.
Roy…
-
Ahhh, I didn't think about the opposite direction.
How does that affect servers? (e.g. there aren't any users behind certain public IP addresses; they are only used for web servers, mail servers, etc.)
-
I'm not really sure what problems, if any, that will cause, but if someone connects to one of your hosts and the returning TCP packets coming back from that host have a different source address than the originally requested address, that might cause some problems.
Roy…
-
rpsmith,
That is not an issue. The state is tracked on port forwarded traffic on VIPs and they go back out the right way.
You can set up outbound NAT to make the outbound-initiated traffic go out a VIP also, but as others have stated in the thread, 1:1 is easier, and no less secure to use on a VIP as long as you still have appropriate firewall rules.
-
You have another option: If you want to avoid NAT altogether but still want to be able to filter traffic, you can also consider bridging the WAN interface to the separate VLAN that has your internet servers.
-
Wow… lots of options.
What advice do you have for me and my situation? (re: game server)
The game server is on a dedicated VLAN and will have a public IP address (either assigned directly or via 1:1 NAT, etc.).
It looks like my options are:
- Port forwarding (SNAT)
- 1:1 NAT
- OPT interface bridged to WAN
- OPT interface routed to WAN (?)
EDIT: The one requirement I do have is to be able to connect to my game server from inside my LAN network, but for security I'm fine with accessing it via its public IP address (so the server won't have access to my internal network, etc.).
-
I do this very successfully here. In contrast, I have one static IP that I use for my servers and one DHCP address I'm provided by my ISP that I use for the rest of the network.
I have a virtual address (my public static IP) set up on my WAN. I port forward the incoming ports for that particular traffic to the server I want it to go to, and then an outbound NAT rule makes the server show up on the other end as the correct IP.
-
I would avoid bridging unless your hosted service has a problem with NAT. If NATing I would use 1:1 NAT if you have enough IPs. 1:1 NAT requires a separate public IP for every private IP behind NAT.
Roy…
-
That is not an issue. The state is tracked on port forwarded traffic on VIPs and they go back out the right way.
jimp - Thanks for the clarification!
Roy…
-
If the VLANs are handled as separate networks in pfSense, then you could block traffic from the network that has your servers when your LAN is the destination.
If you want to access the servers by their public IP addresses, you could put outbound NAT rules on your LAN to translate the addresses from the server network to their public IP addresses, and use port forwards on LAN to forward connections from LAN to your public IP addresses to the correct address on your server network. That may possibly require 2.0 for the needed options on the port forwards, though, which has a NAT reflection option for 1:1 mappings anyway.
-
Here's what I have so far based on the advice you have all given:
LAN is configured as vlan0 (192.168.0.1) (VLAN ID: 1)
OPT1 is configured as vlan1 (192.168.1.1) (VLAN ID: 2)
Server is assigned 192.168.1.2 and has 1:1 NAT to a public IP address.
OPT1 Firewall rule: DENY OPT1 -> LAN
OPT1 Firewall rule: ALLOW OPT1 -> any
Does that sound right? This allows my private LAN to connect to my server (using its internal network address [192.168.1.2]), but denies connections from the server to my LAN. I'm not sure how safe this is, but it seems like the correct method for what I want?
(NOTE: I don't need to connect to my server using its public IP address. I only need to be able to connect to it from my LAN.)
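The setup in the last post, written out as the underlying pf ruleset pfSense would generate something equivalent to. This is an added example, not from the thread or from pfSense itself; the interface names, the public address (203.0.113.10, a documentation range) and the game port are assumptions. The point to notice is rule order: the DENY OPT1 -> LAN line must come before ALLOW OPT1 -> any, because pfSense rules are first-match (pf's `quick`).

```pf
# Interfaces and networks (assumed names; addresses from the thread)
ext_if   = "em0"            # WAN
lan_if   = "vlan1"          # LAN, the thread's vlan0 / VLAN ID 1
opt1_if  = "vlan2"          # server VLAN, the thread's vlan1 / VLAN ID 2
lan_net  = "192.168.0.0/24"
srv_net  = "192.168.1.0/24"
game_srv = "192.168.1.2"
game_pub = "203.0.113.10"   # placeholder public IP for the 1:1 mapping
game_port = "27015"         # placeholder game port (assumption)

# 1:1 NAT: a bidirectional mapping, so inbound packets to game_pub are
# rewritten to game_srv and outbound packets from game_srv leave as game_pub.
# It only applies on the WAN, so LAN -> 192.168.1.2 is untouched by it.
binat on $ext_if from $game_srv to any -> $game_pub

# Default deny; anything not explicitly passed is dropped and logged
block log all

# Server VLAN: first-match rules. The deny to the LAN sits ABOVE the
# allow-any, otherwise the allow would match first and the deny is dead.
block in quick log on $opt1_if from $srv_net to $lan_net
pass  in quick     on $opt1_if from $srv_net to any keep state

# LAN may reach the server (and the Internet); the reply path from
# 192.168.1.2 back to the LAN is allowed by state, not by a rule on OPT1,
# so the block above does not break LAN-initiated connections.
pass in quick on $lan_if from $lan_net to any keep state

# From the Internet, only the game port reaches the server. The address
# is the private one because binat has already translated it by this point.
pass in quick on $ext_if proto { tcp udp } from any to $game_srv port $game_port keep state
```

Everything else inbound on the WAN hits the default block, which is what makes the 1:1 mapping no less safe than port forwarding as long as these rules stay in place.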