Netgate Discussion Forum
    1:1 NAT vs. port forwarding - When to use each?

    Firewalling
    NickyDoes

      Hello. Lurker here, first post. We're a support customer with Chris and Jim.

      I searched and found this post:

      https://forum.pfsense.org/index.php?topic=79750.msg434978#msg434978

      saying 1:1 NAT is a security risk. When would I use 1:1 NAT vs. when would I use port forwarding?

      Thanks.

      KOM

        A port forward is useful if you need to expose one or two ports from a LAN server to WAN. 1:1 NAT is useful if you need to have the entire range of ports available, where every port on the WAN IP maps to the same ports on the LAN server. That's why it's a security risk; every single port on the LAN server is exposed.

        jimp (Rebel Alliance Developer, Netgate)

          1:1 NAT is only a security risk because it makes it easier to accidentally allow too much traffic. The ports are not automatically exposed: 1:1 NAT maps all the external ports on that IP to the internal IP but you must still have firewall rules to allow the traffic to reach the local server.

          With proper firewall rules, 1:1 NAT is easier in cases where there are many ports and you also need outbound NAT.

          With good use of aliases, for inbound-only traffic they are roughly the same amount of work and it's mostly a matter of preference.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!
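          To illustrate the distinction jimp draws, here is an added pf rule fragment in the style pfSense generates (constructed for this thread, not taken from any post or from pfSense's own ruleset): the interface name `em0`, the WAN address `203.0.113.10` and the LAN server `192.168.1.10` are assumed values. The translation rules only rewrite addresses; a `pass in` rule is what actually lets a connection reach the server.

```pf
# Constructed example. Assumed: WAN interface em0, WAN IP 203.0.113.10,
# LAN web server 192.168.1.10.

# --- Port forward ---------------------------------------------------------
# rdr translates only the one destination port it names. Every other port
# on 203.0.113.10 is still the firewall itself.
rdr on em0 inet proto tcp from any to 203.0.113.10 port 443 -> 192.168.1.10 port 443

# Filter rules are evaluated after translation, so the pass rule names the
# internal address. Only TCP/443 can reach the server.
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port 443 keep state

# --- 1:1 NAT --------------------------------------------------------------
# binat is bidirectional: every inbound port on 203.0.113.10 maps to the same
# port on 192.168.1.10, and traffic the server originates leaves as
# 203.0.113.10 (the "outbound NAT" case jimp mentions).
binat on em0 inet from 192.168.1.10 to any -> 203.0.113.10

# Nothing is exposed by the binat line alone: with no pass rule, the default
# block still drops everything. The exposure KOM describes only happens if
# the pass rule below is written without a port list.
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port { 80 443 } keep state
```

          Reading the two `pass in` rules side by side shows why the inbound-only case is "mostly a matter of preference": the port list on the filter rule, not the choice of rdr or binat, decides what the server accepts from the WAN.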

          KOM

            My mistake. I had (wrongly) assumed that the firewall rules would be auto-added, or handled by some hidden Allow All to 1:1 Host rule or something like that. Otherwise, the distinction didn't make a lot of sense to me. Thanks for the correction.

            Derelict (LAYER 8, Netgate)

              Jim -

              Could you please weigh in here:  https://forum.pfsense.org/index.php?topic=82732.msg461520#msg461520

              I was pretty puzzled by the behavior I saw when I enabled 1:1 NAT across OpenVPN interfaces.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.