Outbound 1:1 NAT



  • I just need a few internal hosts to reach out to the internet. I have a handful of public IPs that are part of the WAN network.
    Internal host - 172.16.0.254
    LAN Network - 10.154.154.1/29 (VIP)
    WAN Network - 209.99.14.196/29 (VIP)

I want 172.16.0.254 to NAT to 209.99.14.200 going outbound
    I have the static route set up so that my 172.16.0.0/24 network goes to 10.254.245.1

What else do I need for this? If I set this up in the 1:1 NAT section it kind of works. It only works in a many to 1 config. My 1:1 configs are:
    External ip - 209.99.14.96
    Internal ip - 172.16.0.254
    Destination - any

If I try to set the destination to 209.99.14.200 it doesn't work.

    My test is trying to ping 8.8.8.8 from 172.16.0.254

    I allowed any any on both the WAN and LAN just in case it was a firewall issue.

Do I need to set up a NAT in the 'Outbound NAT' section also? Maybe I shouldn't have done it in the 1:1 section. Please help.



  • The NAT 1:1 is natting in both directions.
    So that packets from outside with destination 209.99.14.200 are forwarded to 172.16.0.254 and the source address in packets from 172.16.0.254 going out the WAN interface is translated to 209.99.14.200.

    This should work with
    External IP: 209.99.14.200
    Internal IP: Type: single host, 172.16.0.254
    Destination: any (you may restrict this rule to specific remote IPs)

If you only want to NAT outbound connections, use outbound NAT.
To do so, switch outbound NAT into hybrid or manual mode and add a rule:
    Interface: WAN
    source: network, 172.16.0.254/32
    destination: any
    translation address: other subnet, 209.99.14.200/32
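As an added illustration of the two options described above (hand-written here, not taken from the thread or from pfSense's generated ruleset), the equivalent pf rules, assuming the WAN interface is em0 and that 209.99.14.200 already exists as a VIP on the firewall:

```pf
# Assumed WAN interface name; pfSense substitutes the real one.
wan = "em0"

# Option 1 - 1:1 NAT. binat is bidirectional: outbound traffic from the host
# leaves sourced from 209.99.14.200, AND anything arriving for 209.99.14.200
# is translated to 172.16.0.254 (still subject to the WAN filter rules).
binat on $wan from 172.16.0.254 to any -> 209.99.14.200

# Option 2 - Outbound NAT only (hybrid/manual mode). Plain nat is one-way:
# only the source address of connections initiated by the host is rewritten;
# no inbound mapping toward 172.16.0.254 is created.
nat on $wan from 172.16.0.254/32 to any -> 209.99.14.200/32
```

Use one option or the other, not both. On the firewall, `pfctl -sn` lists the NAT rules pf actually loaded, and `pfctl -ss | grep 172.16.0.254` shows whether the test ping's state was translated to 209.99.14.200.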



I tried that but no luck; however, I ended up creating a VIP on both the primary and secondary firewalls as an IP Alias using the 209.99.14.200 on both. I then went back to the outbound NAT setup as you suggested and changed the 'Translation Address' to the newly created VIP. This worked!


  • Netgate

    That is not the way to do it. You are lucky it is working since both firewalls will have the same address on their interfaces at the same time creating a duplicate IP address scenario.

    I would delete the IP Alias from the secondary and change the IP alias on the primary to be installed on the WAN CARP VIP. That will make the IP Alias follow the CARP VIP so it is only active on one node at a time and not create a conflict.

    https://www.netgate.com/docs/pfsense/book/highavailability/using-ip-aliases-to-reduce-heartbeat-traffic.html



Yeah, it started giving me issues. I ended up changing the VIP type to 'CARP' instead of 'IP Alias' on both firewalls using the same VHID group. I see the VIP on the primary firewall as Master and the one on the secondary as Backup. Should it be in the same VHID as the WAN CARP VIP? I currently have it on its own VHID.


  • Netgate

Adding a CARP VIP on the primary should sync to the secondary via XMLRPC. If it did not, something is wrong there too. If I found a system configured like that I would:

    1. Delete the IP Alias from the secondary
    2. Change the VIP from IP Alias to CARP on the primary.


  • Correct, sorry. I actually did what you mentioned above and it did sync to the secondary. Thanks.