Does not really understand 1:1 NAT

sorhol

Fairly new to pfsense, so forgive me if this is a trivial question

I have 5 public IPs (1.1.1.94, 1.1.1.95, 1.1.1.96, 1.1.1.97, 1.1.98)
My gateway provided from my ISP is 1.1.1.93/29
I have 3 VLANS with serveral internal IPs, but 10.0.10.100 is used for a NAS and 10.0.10.200 is used for a server (both in VLAN10)

I set up WAN = 1.1.1.94/29
I set sup VIPs 1.1.1.95/29, 1.1.1.96/29, 1.1.1.97/29, 1.1.1.98/29

I did a 1:1 NAT for 1.1.1.95 => 10.0.10.100
And 1:1 NAT for 1.1.1.96 => 10.0.10.200

I added all necessary NAT Port Forwards (under Firewall + NAT). Like: Destination 1.1.1.95 => Port80 => 1.0.10.100 and 1.1.1.96 to Port80 => 1.0.10.200

Everything seemed OK, but then I got an error for me nightly Rsync job on the NAS (1.1.10.100) and discovered there were NO outbound access to internet.
Then I removed the 2 1:1 NAT and now everything is working as it should….

Of course nice it is working, but I dont understand about the 1:1 NAT. I thought I was suppose to use this in combantion with the VIP for my external  IPs. And I simply dont understand why it was NOT working with the 1:1 NAT enabled.

Would greatly appreciate if anyone could point out to me where I lost it.... :)

TIA

kejianshi

I'd need to see the interface config for the WAN, the actual VIP interface configs, your firewall rules that are either allowing or block access between the LAN/VLANs/WAN/ various IPs etc.

Probably also need to take a look at the various Manual Outbound NAT rules that you probably never created and thus broke your states…

Also, what version of pfsense?

sorhol

Thank you so much for helping.
My setup are just for home/hobby use. I just want to learn and understand more about this.
So I am aware that I currently have no restrictions to my VLANS (all are configured like VLAN10 = allow everything).

kejianshi

Wow…  Look at all those outbound NAT rules.... ;D

sorhol

Sorry I am not really sure - do you want me to post the outbound rules?

kejianshi

If you have multiple public IPs and are using a bridged connection with VLANs, you probably need Manual outbound NAT.  This becomes particularly simple to manage if you have two LANs created and the servers are on 1 and the normal use LAN is another.  Otherwise you should be able to make Outbound NAT rules that map a particular single server IP, a /32, to a particular VIP.  Pfsense needs to know what public IP you want your servers (and everything) to use when they hit the web, otherwise they will probably just try the default WAN IP.

Making 1:1 totally solves where the inbound traffic from the various public IPs should go.
Manual Outbound NAT solves sorta the same problem when the traffic originates on pfsense  > outward.

sorhol

HI kejianshi,
Thank you very much. I will look into this.

And just to make sure I understand…. These missing manual NAT rules are also the reason why my 1:1 NAT did not work?

Great! I really enjoy getting to know and understand these things.

THANKS!

kejianshi

I think so.  I don't need those rules here because I use a single IP.
And the multi-IP I worked with last had multiple WAN interfaces not VIPs so it worked fine with or without 1:1 and with or without Manual Outbound NAT.
But I think yours might require it.  Yeah.

Maybe someone will chime in to tell you a better way.  ::)

dotdash

Just a hunch, but try using proxy-arp or carp for your virtual IPs and then try the 1-1 NAT again.

sorhol

Well I managed to get it to work with 1:1 NAT using VIP (as IP Alias) and I just sat the firewall rules (for 1.1.1.195).