Simple 1:1 NAT HowTo
-
For those who find it useful, this is how I implemented a simple 1:1 NAT.
Situation was I had a Public IP address that I wanted to correspond to internal private IP address.
I did not want to use port forwarding.In my example, Public IP of 92.44.66.77 was to be made to NAT to Private address of 192.168.1.100
Things you have to do to make this work:
- You need an interface for each public IP address you want to NAT.
- You need to setup a Virtual IP address for this interface
- You need to set up 1:1 NAT for this IP
- You need to create a rule to allow the port you want for this IP.
1. If you haven't already, assign the interface using option 1 on the pfSesnse console. In my case, I assigned le2 to OPT2.
2. Using the webgui, INTERFACES>OPT2
- select Enable at the top and set IP address to the public IP address you want to use and the gateway to get out onto the internet.
- save changes.
3. Using webgui, FIREWALL>NAT
- select the 1:1 tab- select '+' to add new rule and set Interface to OPT2, External Subnet to the public IP address (subnet should be 32 if it is just a single IP address you want to NAT)
- set the Internal IP to the private IP address of the host you want to reach.
- set a description for this NAT rule and SAVE.
- apply changes to the system.
4. Using webgui, FIREWALL>VIRTUAL IPs
- select Type of 'Other'
- Specify the virtual ip address as the public IP address, my case was 92.44.66.77
- save changes
- apply changes
5. Using webgui, FIREWALL>RULES
- select OPT2 tab
- select '+' to create new rule
- make sure interface is set to 'OPT2' or whatever interface name you are using for this public IP address.
- Set Destination type to 'single address' and specify the private IP address of host you want to reach, in my case 192.168.1.100
- Set the destination port range, in my cas eI wanted SSH.
- Set a description for this rule
- save changes
- apply changes
You should now be able to make an ssh connection to the public IP address on 92.44.66.77 and this should be redirected to 192.168.1.100.
(All IP addresses used here are fake and given as examples only).
Hope this helps and feel free to add any corrections.
Some wierdness I experienced when testing this was:
- I set the virtualIP type to ARP and it still worked.
- I then set the Virtual IP interface to WAN and it carried on working for awhile and then stopped.
- Everything seem to stop at one stage and I could see on the pfsense console that the OPT3 interface had been disabled.
- I got it working again by using the webgui to INTERFACES>OPT1 and disabling the interface, saving and then re-enabling the interface.