Outbound 1:1 NAT

  • I just need a few internal hosts to reach out to the internet. I have a handful of public IPs that are part of the WAN network.
    Internal host -
    LAN Network - (VIP)
    WAN Network - (VIP)

    I want to nat to going outbound
    I have the static route set up so that my network goes to

    What else do I need for this? If I set this up in the 1:1 NAT section it kind of works. It only works in a many-to-1 config. My 1:1 configs are:
    External ip -
    Internal ip -
    Destination - any

    If I try to set the destination to it doesn't work.

    My test is trying to ping from

    I allowed any any on both the WAN and LAN just in case it was a firewall issue.

    Do I need to set up a NAT in the 'Outbound NAT' section also? Maybe I shouldn't have done it in the 1:1 section. Please help.

  • The NAT 1:1 is natting in both directions.
    So that packets from outside with destination are forwarded to and the source address in packets from going out the WAN interface is translated to

    This should work with
    External IP:
    Internal IP: Type: single host,
    Destination: any (you may restrict this rule to specific remote IPs)

    If you only want to nat outbound connections use outbound NAT.
    To do so, switch outbound NAT into hybrid or manual mode and add a rule:
    Interface: WAN
    source: network,
    destination: any
    translation address: other subnet,
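    The difference this reply draws between 1:1 NAT (bidirectional) and outbound NAT (one-way) is easier to see in the pf rule syntax pfSense generates on the WAN interface. The fragment below is an added illustration, not configuration from the thread or from pfSense itself; the interface name and every address are constructed placeholders, and the two rules are shown side by side only for comparison (you would use one or the other for a given host). Because the 1:1 form also forwards inbound traffic to the internal host, the WAN firewall rules decide what actually reaches it; a WAN "any any" pass rule like the one added for testing would leave that host fully exposed.

```pf
# Added example, not from the thread. All values below are assumed placeholders.
ext_if   = "em0"              # WAN interface (assumed)
lan_net  = "192.0.2.0/24"     # internal LAN network (assumed, documentation range)
int_host = "192.0.2.10"       # the internal host that needs internet access (assumed)
wan_vip  = "203.0.113.10"     # public IP from the WAN block, installed as a CARP VIP (assumed)

# 1:1 NAT ("binat"): bidirectional.
# Outbound packets from int_host leave with source wan_vip, AND inbound packets
# addressed to wan_vip are forwarded to int_host. Whether they are allowed in is
# then decided only by the WAN firewall ruleset.
binat on $ext_if from $int_host to any -> $wan_vip

# Outbound NAT ("nat", hybrid/manual mode): one-way.
# Sources in lan_net are rewritten to wan_vip on the way out; reply traffic is
# matched by state, and nothing unsolicited from the internet is forwarded in.
nat on $ext_if from $lan_net to any -> $wan_vip
```

    Either rule can be narrowed with a specific destination in place of `any`, matching the "you may restrict this rule to specific remote IPs" note above; the translation address should be the CARP VIP (or an IP Alias parented on it) so that it follows the active node, as the later replies in this thread explain.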

  • I tried that but no luck. However, I ended up creating a VIP on both the primary and secondary firewalls as an IP Alias using the on both. I then went back to the outbound NAT setup as you suggested and changed the 'Translation Address' to the newly created VIP. This worked!

  • LAYER 8 Netgate

    That is not the way to do it. You are lucky it is working, since both firewalls will have the same address on their interfaces at the same time, creating a duplicate IP address scenario.

    I would delete the IP Alias from the secondary and change the IP alias on the primary to be installed on the WAN CARP VIP. That will make the IP Alias follow the CARP VIP so it is only active on one node at a time and not create a conflict.

  • Yeah, it started giving me issues. I ended up changing the VIP type to 'CARP' instead of 'IP Alias' on both firewalls using the same VHID group. I see the VIP on the primary firewall as Master and the one on the secondary as Backup. Should it be in the same VHID as the WAN CARP VIP? I currently have it on its own VHID.

  • LAYER 8 Netgate

    Adding a CARP VIP on the primary should sync to the secondary via XMLRPC. If it did not, something is wrong there too. If I found a system configured like that I would:

    1. Delete the IP Alias from the secondary
    2. Change the VIP from IP Alias to CARP on the primary.

  • Correct, sorry. I actually did what you mentioned above and it did sync to the secondary. Thanks.