Netgate Discussion Forum

Why NAT? Why not just Public IPs?

14 Posts 7 Posters 4.4k Views
gderf

It certainly is possible to not use NAT at all and have public IP addresses on machines behind a pfSense. All you need is a routed subnet and proper configuration.

If the excessive load on your pfSense system was a factor when using NAT, then your hardware is inadequate to begin with.
Metu69salemi

With NAT you can have multiple servers using the same public IP.
With NAT you can have high-availability load balancing between servers, e.g. for HTTP.
cmb

          Of course it's possible. It's also very slightly less overhead, hence slightly higher achievable throughput on a given piece of hardware, though almost no one runs so near the maximum capacity of their hardware that it matters.

          Why NAT? For the reason it was invented - the vast majority of the time, you don't have enough public IPs for all your hosts, and you commonly have hosts that don't need to be directly reachable from the Internet where having strictly a public subnet would be wasteful of limited IPs. If you'll never have more hosts than you have public IPs, skip the NAT. Generally the only networks where I see that are ISPs, and a small minority of colo networks.

Efonnes

            As for protection, the firewall is what should be relied on for blocking, not NAT, and this will be more the case with IPv6.  All inbound connection requests to multiple public IP addresses being dropped by the firewall looks no different to an attacker than all inbound connection requests being dropped by the firewall on a router with NAT.

esnakk

Thanks for all replies. Since it is such a small loss in performance with NAT I might just as well go with NAT anyway. Case closed :-)

–
Cheers,
E
mbedyn

Great, but nobody said how to do this. In some cases it is necessary to have a public IP directly on an interface.
I'm curious, is it sufficient to make an additional route, or maybe some NAT rules also?
Metu69salemi

@mbedyn:

Great, but nobody said how to do this. In some cases it is necessary to have a public IP directly on an interface.
I'm curious, is it sufficient to make an additional route, or maybe some NAT rules also?

Could you create your own post and give some more info about your problem? A public IP directly on an interface, OK, but what system?
mbedyn

I do not need to create a separate post… the problem is still the same as in the original post.
None of the previous responses explain
how to reroute public IPs
1. to the LAN network, or
2. to another network, e.g. a DMZ.

I would like to know if it is enough to create a static route in case 2 (I think it should be that simple),
but I'm not sure how to do this in case 1, when I NAT some devices and do not want to NAT other devices (all devices are placed in the same physical segment).
cmb

@mbedyn:

I do not need to create a separate post… the problem is still the same as in the original post.

Doesn't matter, it's never good practice on any forum to hijack threads, and we do not permit it. Start a new thread.
mbedyn

Hijack? Are you joking?? :)
It is good practice not to create a separate post on the same topic… on every forum I know...
I can't find any logical reason to repeat the same question in my own topic, but OK, I will not "hijack" again...
LOL...
Metu69salemi

@mbedyn:

I do not need to create a separate post… the problem is still the same as in the original post.
None of the previous responses explain
how to reroute public IPs
1. to the LAN network, or
2. to another network, e.g. a DMZ.

I would like to know if it is enough to create a static route in case 2 (I think it should be that simple),
but I'm not sure how to do this in case 1, when I NAT some devices and do not want to NAT other devices (all devices are placed in the same physical segment).

I haven't done this kind of setup. I've always managed with a NATed solution.
podilarius

mbedyn: it is hijacking, as he was not asking how to do it, but why do it at all. A routed solution is simple enough to understand. WAN has a public IP, usually a /29 or a /30. Your ISP will then route a second set of public IPs to the second available IP in the block (the first available is usually the ISP gateway). This is usually a bigger block of IPs (/29 to /24). Then you would use that second block of IPs on one of your protected interfaces. Then all you need to do is create rules to allow traffic to internal resources using live IPs as destinations. You could also create a bridge, but that is not really a routed solution, perhaps a half-routed solution.
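As an added example (not code from this thread, from pfSense, or from any poster), the script below works through the routed layout podilarius describes and, for comparison, the NAT port-forward layout cmb and Metu69salemi refer to. The addresses are constructed from the RFC 5737 documentation ranges, the service list is made up, and the rule strings are pf-style notation written for illustration, not a pfSense configuration export.

```python
"""Plan a routed (no-NAT) deployment versus a NAT port-forward deployment.

Added example, not from the thread. Addresses are constructed from the RFC 5737
documentation ranges and the service list is made up; rule strings are pf-style
notation for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port: int


# Constructed sample: services that must be reachable from the Internet.
SERVICES = [
    Service("web", "tcp", 443),
    Service("mail", "tcp", 25),
    Service("vpn", "udp", 1194),
]


def plan_wan(transit_block: str) -> dict:
    """Split the ISP transit block as described in the thread: the first usable
    address is the ISP gateway, the second is the firewall's WAN address."""
    net = ipaddress.ip_network(transit_block, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError("transit block needs at least two usable addresses")
    return {"gateway": hosts[0], "wan_addr": hosts[1]}


def plan_routed(routed_block: str, services: list, wan_addr) -> dict:
    """Routed deployment: the ISP routes routed_block to wan_addr, the firewall
    takes the first usable address on the inside interface, every service gets
    its own live public IP, and the firewall allows only that service to that
    address. Everything else inbound falls to the default deny."""
    net = ipaddress.ip_network(routed_block, strict=True)
    hosts = list(net.hosts())
    iface_addr, available = hosts[0], hosts[1:]
    if len(services) > len(available):
        raise ValueError(
            f"{len(services)} services but only {len(available)} public "
            "addresses left in the routed block; this is where NAT comes in"
        )
    assignments = {}
    rules = []
    for svc, addr in zip(services, available):
        assignments[svc.name] = addr
        rules.append(f"pass in on WAN proto {svc.proto} from any to {addr} port {svc.port}")
    return {
        "isp_route": f"{net} via {wan_addr}",
        "interface_addr": f"{iface_addr}/{net.prefixlen}",
        "assignments": assignments,
        "rules": rules,
    }


def plan_nat(wan_addr, services: list, private_block: str = "192.168.1.0/24") -> dict:
    """NAT deployment: all services share the single WAN address and are told
    apart by destination port; servers carry private addresses. Two services on
    the same protocol/port cannot share one public address."""
    hosts = list(ipaddress.ip_network(private_block, strict=True).hosts())
    servers = hosts[1:]  # first usable address is the firewall's LAN address
    seen = set()
    forwards = []
    for svc, addr in zip(services, servers):
        key = (svc.proto, svc.port)
        if key in seen:
            raise ValueError(f"{svc.proto}/{svc.port} is already forwarded on {wan_addr}")
        seen.add(key)
        forwards.append(
            f"rdr on WAN proto {svc.proto} from any to {wan_addr} port {svc.port} "
            f"-> {addr} port {svc.port}"
        )
    return {"forwards": forwards}


if __name__ == "__main__":
    wan = plan_wan("203.0.113.0/30")
    print("ISP gateway:", wan["gateway"], " WAN address:", wan["wan_addr"])
    routed = plan_routed("198.51.100.0/29", SERVICES, wan["wan_addr"])
    print("ISP must route:", routed["isp_route"])
    print("Inside interface:", routed["interface_addr"])
    for name, addr in routed["assignments"].items():
        print(f"  {name:5} -> {addr}")
    print("\n".join(routed["rules"]))
    print("\n".join(plan_nat(wan["wan_addr"], SERVICES)["forwards"]))
```

In both plans anything inbound that no rule lists is dropped by the firewall, which is Efonnes's point above: the exposure is decided by the rule list, not by whether addresses are translated. The routed planner refuses when there are more services than spare public addresses, and the NAT planner refuses when two services want the same protocol and port on the one public address, which are exactly the two constraints cmb and Metu69salemi describe.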
mbedyn

You are right, apologies to everyone.
And about the mentioned setup, I have managed everything by myself; both solutions are possible.

@podilarius thank you for the answer. My question was a little bit tricky: I wanted to know if it is possible to route a public network to the same physical segment as the LAN, e.g. a server behind the firewall has a private IP on one interface and a public IP on the same interface (e.g. a virtual interface), with only one physical connection to the firewall.
And now I know it is possible; I have done this. It is necessary to set a static route to the public IP behind the firewall via the private IP.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.