1 to 1 NAT for LAN subnet to WAN

  • Hi all,

    Got tasked with a really interesting job at work, and I think I know what to do, but maybe not...

    One of my LAN subnets I want to make visible to another company's external IP address so they can connect to any host on any port, so basically it's like a LAN to LAN with the internet in the middle.

    They don't want to use a VPN, so unfortunately OpenVPN is out of the question, as this would have been ideal.

    Have you guys got any solutions for this?

    If I do have to use 1 to 1 NAT, what do I put in external subnet IP? Do I put my WAN subnet in here?

    Many thanks,

  • It is highly recommended to use a VPN for that. Otherwise the traffic could be sniffed on any node it passes through on the internet.

    Furthermore, doing that with 1:1 NAT requires that you have the same number of public IPs as the subnet you want to provide access to. So if it is a /24 subnet, you also need a public /24 subnet, and you cannot use these public addresses for other purposes.

  • LAYER 8 Global Moderator

    @robina80 said in 1 to 1 NAT for LAN subnet to WAN:

    they don't want to use a VPN

    Who doesn't? They shouldn't be in the IT business, that is for sure....

    You could create a GRE tunnel to your router, but as mentioned that would not be encrypted. VPN is exactly how this is done "EVERYWHERE". What VPN technology is up to you, be it IPsec or sure OpenVPN, etc.

    Are they close enough to you so you could run a wire? Or use a wireless/microwave bridge?

  • Let's say I have my

    My LAN subnet
    My WAN IP

    Their WAN
    Their LAN subnet

    Do both my LAN and their LAN subnets need to match for one to one NAT to work?

    I'm on about what I put in "external subnet IP": do I put in 21 or their WAN IP address?

  • Only your side's WAN must have the needed number of IPs.

    You may use one /24 out of your /22 WAN which isn't used by other services.
    E.g., so put into the "external subnet IP" box.

  • You can do:

    1 - If you have one public IP available, you can create a Virtual IP in Firewall > Virtual IPs; check IP Alias.
    - Interface = your WAN
    - Address(es) = your available public IP, with netmask.
    - Description = Any description
    - And click on save

    2 - Now, go to Firewall > NAT > 1:1 and add a new 1:1 NAT
    - Interface = your WAN
    - External subnet IP = your available IP
    - Internal IP = Select the LAN net to which you will give access permissions
    - Destination = Any
    - Description = Any description
    - NAT reflection = Use system default
    - And click on save

    3 - Finally your client will have access to the internal LAN network segment of your company just by using the public IP that you created in your virtual IP previously.

    Normally this process gives access to certain specific services, and those are not vulnerable for the companies, so use the previous annotations according to your needs.

    I hope it is useful.
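    What the GUI steps above amount to, written out as pf rules, as an added example that is not from the thread and is not pfSense's own generated ruleset (pfSense builds pf rules from the GUI; pfSense 1:1 NAT is a pf binat). The interface name and all addresses are constructed from RFC 5737 documentation ranges, and the WAN pass rule is limited to the partner's address, which is the restriction asked about later in the thread.

```pf
# Constructed pf.conf fragment equivalent to a pfSense 1:1 NAT entry.
# em0 is an assumed WAN NIC; addresses are documentation ranges, not real ones.
ext_if    = "em0"
public_ip = "203.0.113.10"     # the extra public IP (the Virtual IP alias)
lan_host  = "192.168.10.25"    # the single internal host it maps to
partner   = "198.51.100.7"     # the other company's WAN address

# 1:1 NAT is a binat: one public address <-> one internal address, both ways.
# One spare public IP therefore maps exactly one internal host. Mapping a whole
# /24 needs a public /24, one public address per internal address:
#   binat on $ext_if from 192.168.10.0/24 to any -> 203.0.113.0/24
# Limiting "to" to the partner makes the mapping apply only to their traffic.
binat on $ext_if from $lan_host to $partner -> $public_ip

# Translation opens nothing by itself; the filter rules decide what passes.
# Inbound filtering happens after translation, so match the internal address.
# Default deny on WAN, then allow only the partner to reach the mapped host.
block in log on $ext_if
pass in quick on $ext_if inet from $partner to $lan_host keep state
```

    Without the partner restriction on the pass rule, the mapped host is reachable from the whole internet on every port it listens on.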

  • viragomann -

    mmm... I don't understand, sorry...

    I have only this one WAN IP address assigned to me via my ISP, out of their /22 range/subnet.

    So do I need more than one WAN IP address for this to work? I could ask for another IP from my ISP?

    AndresCT46 -

    Sounds great, I will give it a go and see what happens.

    So even if I have one WAN IP address provided by my ISP, I can still create a virtual IP using the same WAN IP address?

    Also, "destination": wouldn't this be their WAN IP address, so only they can access my LAN? Otherwise everyone can externally?

    Thanks a lot guys, I really do appreciate it!!!

  • @robina80

    It is necessary that you have a public IP available.

    You can't use your current WAN IP to generate a virtual IP; your ISP must provide you with an additional public IP.

    When you perform the exercise, please verify that in the rules of your WAN you generate the rule that allows the traffic to the destination you need; otherwise you must generate the rule. I forgot to say this previously.

  • @robina80

    If you can't acquire an additional public IP, my advice is that you generate an IPsec from your pfSense to your client's UTM.

  • Ok, so I can't use the current WAN IP of my router.

    So I need to get an additional WAN IP from my ISP, and I can use that to create a virtual IP?

  • When you say generate an IPsec, do you mean create an IPsec VPN?

  • @robina80

    Yes, Internet Protocol Security (IPsec VPN).

  • But they would need to create an IPsec at their end as well so the two can talk to each other, i.e. a site-to-site IPsec VPN.

    Is there no other way to achieve this?

  • A GRE tunnel was already mentioned by johnpoz.
    No, there is no other way than some kind of tunnel to achieve that.

  • @robina80

    It is correct, your client must also generate an IPsec connection in your UTM to have a secure connection from LAN to LAN.

    If you intend to generate a NAT through your WAN with your entire LAN network as destination, pfSense will not understand the meaning of this NAT and will simply not do anything about it, because pfSense will not have a specific destination to redirect your request to.

    This is the meaning of doing a NAT: this is how pfSense enables connections from the WAN to an internal and specific service on your LAN.

    I insist, the best option is to generate IPsec in your pfSense and in the UTM of your client.

  • LAYER 8 Netgate

    You can do 1:1 NAT but since you only have one address you can only do one of them. And that will remove the ability to bind anything else on the WAN address.

    If they only want to connect to one service, you can port forward:

    As has been said above, a VPN is how this is done. That is what you should insist on. Anything else is pretty much wrong.

  • A GRE tunnel sounds interesting, how do you do that?

    Is that with 1 to 1 NAT or via IPsec?

  • LAYER 8 Global Moderator

    Once you have a tunnel there is no need for 1:1 NAT or any NAT.. The tunnel is used to route the traffic to get to your network.. The whole POINT of a VPN..

    If you were going to create a tunnel, there is zero reason not to encrypt it, because it's going over the public internet.
