1-1 NAT with firewalling

  • I did some searches on the forum and didn't find the exact answer to this - but I'm sure it has a simple answer.

    I have a block of static public IPs and want to 1-1 NAT them to private IPs (need both incoming and outgoing mapping).  I read though that 1-1 entries route all packets but I want to only allow specific ports (HTTP, HTTPS, SMTP, etc) for different machines (Web servers, mail servers, etc).  Did I read this incorrectly, or is it simply a matter of deleting an "allow all" rule and adding my rules, or do I need to abandon 1-1 NAT and do it manually with port forwarding/firewalling and advanced outbound rules (which seems more complicated).  Thanks for putting up with the simple question.

  • http://forum.pfsense.org/index.php/topic,7001.0.html

    NAT and firewall are separate rulesets.
    So yes if you delete the "allow all" rule you block everything.

    Although I don't think 1:1 NAT is easier.

    1:1 NAT approach:
    1: set the 1:1 mapping.
    2: create an alias containing all the needed ports.
    3: create a firewall rule allowing the alias for the server in question.

    normal port-forward approach:
    1: create an alias containing all the needed ports.
    2: forward the alias to your server ports. The corresponding firewall rule gets autocreated.
    3: enable AoN and set the outbound mapping.

    You just do "about" the same thing at different places.
    IMO the second is "better" because it works with NAT-reflection (see link above).
    Also you don't forward everything by default, leaving the option to use a single IP for multiple servers.
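
The 1:1 NAT approach from the reply above, as an added example that is not part of the original posts and is not pfSense code: a simplified model of one inbound connection passing through the NAT ruleset and then the separate firewall ruleset. The addresses, alias names and function names are constructed for illustration, and the model assumes that firewall rules are matched against the destination after NAT has been applied, so rules name the private address.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (documentation ranges), not from the thread.
ONE_TO_ONE = {"203.0.113.10": "192.168.1.10",   # web server
              "203.0.113.11": "192.168.1.11"}   # mail server
ALIASES = {"web_ports": {80, 443}, "mail_ports": {25}}  # hypothetical aliases

@dataclass(frozen=True)
class Rule:
    dst_ip: str            # matched AFTER NAT, so this is the private address
    ports: Optional[str]   # alias name, or None for "any port"

def inbound(dst_ip: str, dst_port: int, rules: list) -> str:
    """Evaluate one inbound WAN connection: NAT first, then firewall rules."""
    # Stage 1: the 1:1 NAT ruleset only rewrites the destination address.
    translated = ONE_TO_ONE.get(dst_ip)
    if translated is None:
        return "drop (no NAT mapping)"
    # Stage 2: the separate firewall ruleset decides; no match is default deny.
    for rule in rules:
        if rule.dst_ip == translated and (
                rule.ports is None or dst_port in ALIASES[rule.ports]):
            return f"pass to {translated}:{dst_port}"
    return "block (default deny)"

# The "allow all" rule: every port on the mapped hosts is reachable.
ALLOW_ALL = [Rule("192.168.1.10", None), Rule("192.168.1.11", None)]
# Steps 2 and 3 of the 1:1 approach: one alias-based rule per server.
PER_SERVER = [Rule("192.168.1.10", "web_ports"),
              Rule("192.168.1.11", "mail_ports")]
# Common mistake: a rule written against the public address never matches.
WRONG_ADDR = [Rule("203.0.113.10", "web_ports")]

if __name__ == "__main__":
    cases = [("203.0.113.10", 443), ("203.0.113.10", 22), ("203.0.113.11", 25)]
    for name, rules in [("allow all", ALLOW_ALL), ("no rules", []),
                        ("per-server aliases", PER_SERVER),
                        ("rule on public IP", WRONG_ADDR)]:
        for ip, port in cases:
            print(f"{name:20} {ip}:{port:<4} -> {inbound(ip, port, rules)}")
```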
