1-1 NAT with firewalling
dshields last edited by
I did some searches on the forum and didn't find the exact answer to this - but I'm sure it has a simple answer.
I have a block of static public IPs and want to 1-1 NAT them to private IPs (need both incoming and outgoing mapping). I read though that 1-1 entries route all packets, but I want to only allow specific ports (HTTP, HTTPS, SMTP, etc.) for different machines (web servers, mail servers, etc.). Did I read this incorrectly, or is it simply a matter of deleting an "allow all" rule and adding my rules, or do I need to abandon 1-1 NAT and do it manually with port forwarding/firewalling and advanced outbound rules (which seems more complicated)? Thanks for putting up with the simple question.
GruensFroeschli last edited by
NAT and firewall are separate rulesets.
So yes, if you delete the "allow all" rule you block everything.
Although I don't think 1:1 NAT is easier.
1:1 NAT approach:
1: set the 1:1 mapping.
2: create an alias containing all the needed ports.
3: create a firewall rule allowing the alias for the server in question.
Normal port-forward approach:
1: create an alias containing all the needed ports.
2: forward the alias to your server ports. The corresponding firewall rule gets autocreated.
3: enable AoN and set the outbound mapping.
You just do "about" the same thing at different places.
IMO the second is "better" because it works with NAT-reflection (see link above).
Also you don't forward everything per default, leaving the option to use a single IP for multiple servers.
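The 1:1 approach from the reply above, written out in plain pf.conf syntax as an added example that is not part of the thread. It assumes a pf-based firewall; the interface name, addresses and port lists are constructed placeholders.

```pf
# Constructed example: interface name and addresses are placeholders
ext_if     = "em0"
web_ext    = "203.0.113.10"   # public IP (documentation range)
web_int    = "10.0.0.10"      # private IP of the web server
mail_ext   = "203.0.113.11"
mail_int   = "10.0.0.11"
web_ports  = "{ 80, 443 }"    # plays the role of the port alias
mail_ports = "{ 25 }"

# NAT ruleset: each 1:1 mapping translates every port, in both directions
binat on $ext_if from $web_int  to any -> $web_ext
binat on $ext_if from $mail_int to any -> $mail_ext

# Filter ruleset: separate from NAT, and the only place access is decided
block in log on $ext_if all
# Translation runs before filtering, so rules match the private address
pass in on $ext_if inet proto tcp from any to $web_int  port $web_ports
pass in on $ext_if inet proto tcp from any to $mail_int port $mail_ports
```

With the `block in` rule in place, the binat mappings alone expose nothing; only the ports named in the pass rules reach each server.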