Netgate Discussion Forum

    Outbound 1:1 NAT

NAT
    7 Posts 3 Posters 767 Views
joelt

      I just need a few internal hosts to reach out to the internet. I have a handful of public IPs that are part of the WAN network.
      Internal host - 172.16.0.254
      LAN Network - 10.154.154.1/29 (VIP)
      WAN Network - 209.99.14.196/29 (VIP)

I want 172.16.0.254 to NAT to 209.99.14.200 going outbound
      I have the static route set up so that my 172.16.0.0/24 network goes to 10.254.245.1

What else do I need for this? If I set this up in the 1:1 NAT section it kind of works. It only works in a many-to-1 config. My 1:1 configs are:
      External ip - 209.99.14.96
      Internal ip - 172.16.0.254
      Destination - any

If I try to set the destination to 209.99.14.200 it doesn't work.

      My test is trying to ping 8.8.8.8 from 172.16.0.254

      I allowed any any on both the WAN and LAN just in case it was a firewall issue.

Do I need to set up a NAT in the 'Outbound NAT' section also? Maybe I shouldn't have done it in the 1:1 section. Please help.

viragomann

        The NAT 1:1 is natting in both directions.
        So that packets from outside with destination 209.99.14.200 are forwarded to 172.16.0.254 and the source address in packets from 172.16.0.254 going out the WAN interface is translated to 209.99.14.200.

        This should work with
        External IP: 209.99.14.200
        Internal IP: Type: single host, 172.16.0.254
        Destination: any (you may restrict this rule to specific remote IPs)

If you only want to NAT outbound connections, use outbound NAT.
To do so, switch outbound NAT into hybrid or manual mode and add a rule:
Interface: WAN
Source: Network, 172.16.0.254/32
Destination: any
Translation address: Other subnet, 209.99.14.200/32

joelt
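For readers who want to see what the two configurations above actually compile to, here is an added example (not from the post above or from Netgate) of the pf rules the 1:1 and outbound-NAT variants correspond to. The WAN interface name `em0` is an assumption; the addresses are the ones from the thread.

```pf
# ASSUMPTION: WAN is em0. Addresses taken from the thread.

# Variant 1: 1:1 NAT (Firewall > NAT > 1:1). pf expresses this as binat,
# which is bidirectional: outbound packets from 172.16.0.254 leave with
# source 209.99.14.200, AND inbound packets to 209.99.14.200 are
# rewritten to 172.16.0.254 (still subject to the WAN firewall rules).
binat on em0 from 172.16.0.254 to any -> 209.99.14.200

# Variant 2: outbound NAT only (Firewall > NAT > Outbound, hybrid/manual).
# A plain nat rule translates source addresses on egress only; nothing
# arriving at 209.99.14.200 is mapped back to the internal host unless a
# separate port forward exists. The port range is pfSense's default
# source-port randomisation when "static port" is off.
nat on em0 inet from 172.16.0.254 to any -> 209.99.14.200 port 1024:65535
```

On a pfSense box the generated rules can be inspected with `pfctl -sn` (or by reading /tmp/rules.debug), and a live translation can be confirmed with `pfctl -ss | grep 209.99.14.200` while the test ping to 8.8.8.8 is running. One caveat applies to both variants: 209.99.14.196/29 is on the WAN segment itself, so the upstream router will ARP for 209.99.14.200 and the firewall must own that address as a Virtual IP on WAN, otherwise the reply packets never reach the firewall even though the outbound translation is correct.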

I tried that but had no luck; however, I ended up creating a VIP on both the primary and secondary firewalls as an IP Alias using 209.99.14.200 on both. I then went back to the outbound NAT setup as you suggested and changed the 'Translation Address' to the newly created VIP. This worked!

Derelict (LAYER 8 Netgate)

            That is not the way to do it. You are lucky it is working since both firewalls will have the same address on their interfaces at the same time creating a duplicate IP address scenario.

            I would delete the IP Alias from the secondary and change the IP alias on the primary to be installed on the WAN CARP VIP. That will make the IP Alias follow the CARP VIP so it is only active on one node at a time and not create a conflict.

            https://www.netgate.com/docs/pfsense/book/highavailability/using-ip-aliases-to-reduce-heartbeat-traffic.html

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

joelt

Yeah, it started giving me issues. I ended up changing the VIP type to 'CARP' instead of 'IP Alias' on both firewalls using the same VHID group. I see the VIP on the primary firewall as Master and the one on the secondary as Backup. Should it be in the same VHID as the WAN CARP VIP? I currently have it on its own VHID.

Derelict (LAYER 8 Netgate)

Adding a CARP VIP on the primary should sync to the secondary via XMLRPC. If it did not, something is wrong there too. If I found a system configured like that I would:

                1. Delete the IP Alias from the secondary
                2. Change the VIP from IP Alias to CARP on the primary.


joelt

                  Correct, sorry. I actually did what you mentioned above and it did sync to the secondary. Thanks.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.