Netgate Discussion Forum

    1-1 NAT with firewalling

    dshields:

      I did some searches on the forum and didn't find the exact answer to this - but I'm sure it has a simple answer.

      I have a block of static public IPs and want to 1-1 NAT them to private IPs (need both incoming and outgoing mapping).  I read, though, that 1-1 entries route all packets, but I want to only allow specific ports (HTTP, HTTPS, SMTP, etc.) for different machines (web servers, mail servers, etc.).  Did I read this incorrectly, or is it simply a matter of deleting an "allow all" rule and adding my rules, or do I need to abandon 1-1 NAT and do it manually with port forwarding/firewalling and advanced outbound rules (which seems more complicated)?  Thanks for putting up with the simple question.

    GruensFroeschli:

        http://forum.pfsense.org/index.php/topic,7001.0.html

        NAT and firewall are separate rulesets.
        So yes if you delete the "allow all" rule you block everything.

        Although I don't think 1:1 NAT is easier.

        1:1 NAT approach:
        1: set the 1:1 mapping.
        2: create an alias containing all the needed ports.
        3: create a firewall rule allowing the alias for the server in question.

        normal port-forward approach:
        1: create an alias containing all the needed ports.
        2: forward the alias to your server ports. The corresponding firewall rule gets autocreated.
        3: enable AoN and set the outbound mapping.

        You just do "about" the same thing at different places.
        IMO the second is "better" because it works with NAT reflection (see link above).
        Also you don't forward everything by default, leaving the option to use a single IP for multiple servers.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

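The two approaches from the reply above, written out as raw pf rules of the kind pfSense generates from its GUI (1:1 NAT becomes binat, a port forward becomes rdr plus an outbound nat rule). This is an added illustration, not either poster's configuration; the interface name, addresses and port list are constructed placeholders.

```pf
# Added example: both approaches as pf.conf rules. Interface, addresses and
# ports are constructed placeholders (RFC 5737 / RFC 1918 ranges).
ext_if    = "em0"
web_pub   = "203.0.113.10"    # one address from the static public block
web_priv  = "192.168.1.10"    # the web server behind the firewall
web_ports = "{ 80, 443 }"     # the port alias: only HTTP and HTTPS

# Translation rules come first in pf.conf and never permit anything on their
# own. Filter rules run afterwards and see the translated (private)
# destination, so they alone decide what is actually allowed.

## Approach 1: 1:1 NAT. binat rewrites every packet in both directions,
## regardless of port.
binat on $ext_if from $web_priv to any -> $web_pub

## Approach 2: port forward. rdr maps only the listed ports inbound; a
## separate nat rule gives the server its public source address outbound
## (what manual/AoN outbound NAT does in the GUI). Commented out here so
## the two approaches are not active at the same time.
# rdr on $ext_if proto tcp from any to $web_pub port $web_ports -> $web_priv
# nat on $ext_if from $web_priv to any -> $web_pub

# Filter rules, identical for both approaches. pf is last-match-wins unless
# "quick" is used, so the default block comes first and the pass rule for
# the alias overrides it only for the listed ports.
block in log on $ext_if
pass in on $ext_if proto tcp from any to $web_priv port $web_ports \
    flags S/SA keep state

# With binat in place but no pass rule for other ports, a packet to
# $web_pub:25 is translated to $web_priv:25 and then hits the block rule.
# The "allow all" the original poster read about is a firewall rule; it is
# not part of the 1:1 mapping itself.
```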
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.