1:1 NAT block rules



  • I have 1:1 NAT between 250 public<>private IP's using Proxy Arp rather than Virtual IP. Can't seem to get a block rule to work on a 1:1 NAT IP. Are Virtual IP's required?


  • Rebel Alliance Developer Netgate

    It depends on how the subnet is routed to you.

    If the IP addresses are a part of your WAN subnet, you need to use virtual IP addresses.

    If they are a part of a block routed to your WAN subnet and not part of the WAN subnet itself, and you only need them for NAT, then you do not need virtual IP addresses.

    That said, a block rule would have nothing to do with Virtual IP addresses. You'll have to give more detail about what it is you're trying to block, the rule you've made, and how you know the traffic isn't respecting the rule. Almost always in these cases it turns out to be that the expected rule isn't matching or there may be an existing state for an open connection that needs to be killed.



  • Thanks Jimp for your reply. They are part of a block routed to my Wan, "not" part of the Wan subnet itself. So this is reassuring that Proxy Arp is ok to use and rules should work just the same. I have successfully implemented port forwarding on one of the 1:1's, works fine. Just haven't been able to block but I'll get more details and reply back. The reason I questioned full rule implementation on 1:1's using Proxy Arp was from the statement in the URL below.  Says VIP's can be used by firewall but Proxy Arp cannot bind/run services.

    I don't fully understand what is meant by "Cannot be used by the firewall itself to bind/run services." as referenced at;
    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses#Proxy_ARP


  • Rebel Alliance Developer Netgate

    That means you can't, for example, use a proxy ARP VIP to host an OpenVPN instance or for HAProxy on the firewall itself.

    If you're using NAT, those aren't relevant.

    And if the block is routed to you, you do not need proxy ARP VIPs at all, especially if they are on the WAN interface. Remove them and you'll be better off.

    If the block is routed to you, you could even assign addresses from that block directly on the local interface (e.g. DMZ, LAN, etc) and do away with NAT entirely, unless you have more hosts on the local network than you have in the routed block.



  • Interesting.  I currently have hosted OpenVpn server via the Wan IP fine.  But can't seem to OpenVpn to the Lan which is a /23 containing a /24 and a /26 along with a few network devices on some of the IP's remaining in the /23.  So my solution is to setup a VLAN so I can gain access to OpenVpn via the Lan remotely.

    How would I assign the routed public block to private Lan IP's without 1:1 nat, static route?  Would it play nice having a /24 & /26 contained within the /23?  I have not ran across a forum post that explains how to route a public block via DMZ or LAN.

    Appreciate your help…



  • Has anyone heard that you can assign a public IP block on the LAN adapter that is assigned a static private IP address?  Jimp, you're going to have to explain that one.  They can't co-exist.


  • Rebel Alliance Developer Netgate

    They can, but that's beside the point. I meant you can use just the public addresses on LAN instead of private. Just saying it's possible, not that you'd need to or even want to do that.

    You could use both (by using IP Alias or CARP VIPs) but I wouldn't recommend mixing them in that way.



  • Your DMZ suggestion sounds like what is described @ http://lutung.lib.ums.ac.id/freebsd/pfSense/docs/dmz.html whereby the DMZ is setup on a separate adapter. How would I be better off with this?  There must be some up-side but I only see down-side, like you suggest, I couldn't have additional private hosts on the LAN to support AP's and backbone gear. And I would have to setup via the GUI 300+ VIP's rather than a couple Proxy ARP entries, not fun. What's the up-side?

    Not to mention, how would I then get the public IP's from the LAN over a trunk link through several AP's to a few hundred CPE's? I would think I would again need 1:1 Nats just placed on a different segment of the network. Or I would have to VLAN everything downstream the LAN.



  • What's the up-side?

    Isolation from your LAN.  If you have a proper DMZ and someone cracks one of your forwarded servers, they will have a very hard time making the jump to your LAN systems.  A 1:1 NAT to LAN is not a DMZ.


Log in to reply