NAT and transparent fw

  • Today, I have a transparent firewall/network. I have a public static IP range on both the WAN side and the LAN side. This is done by my ISP giving me a small "transport network" and pushing my big/real IP range to this transport network/WAN. This works perfectly and has little administration. I just add/open IPs/ports and nothing more.

    Now, I'm about to introduce a lot more servers, which will listen to both VPN and Internet, and I'm trying to figure out the best route for this. One option is to have local private IPs for all and have two networks, so that I just add a public IP for the 2nd interface and use pfSense as gw. For VPN traffic (OpenVPN Linux appliance), I would add a local route on ALL machines back to the VPN source, so that both VPN and normal Internet/webservers work.

    I'm also considering just having public IPs on all machines. That way, it will work mostly like today, but it's a bit of a waste of IP addresses.

    But my customer is concerned that he can't redirect ports and change to another IP (like having one IP send traffic to different internal servers/ports). Is it at all possible (if I get an additional /24 range pushed to my transport network/same WAN port) to use NAT alongside the transparent setup and use private IPs on the inside? Or can't one transport and one NAT network work on the same port/at the same time?

  • Would 1:1 NAT work for this? You could pass some traffic to servers using 1:1 NAT and the rest would share one NAT public IP. (so all devices would have private IPs)

  • Interesting, that might seem like an option. I would have to add all IP addresses used today as virtual IPs and then create a 1:1 NAT for every one as well. So a massive list of entries compared to today. But for me it seems like an option! Is it possible to test this without fearing downtime? I mean, I assume as soon as I activate NAT, the transparent traffic will stop working at once until I have created ALL the rules for 1:1 NAT?

  • Thanks :) I struggled with not getting traffic from outside in. But I had to specify the local IP in the fw rules (and not the virtual one) and then it seems to work just fine with 1:1 NAT.

    Should there be any noticeable speed difference to talk about on 1:1 vs transparent?
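    As an added illustration (not from the thread or from pfSense itself), a small Python model of why the WAN rule has to name the internal IP when 1:1 NAT is in play: pf translates an inbound packet before the filter rules are evaluated, so a rule written against the public virtual IP never matches. All addresses and the rule lists are constructed sample values.

```python
# Added model of pfSense-style 1:1 NAT ordering (constructed example, not pfSense code):
# inbound packets are translated (public VIP -> internal host) BEFORE the WAN
# firewall rules are evaluated, so rules must reference the internal address.
from dataclasses import dataclass, replace

ONE_TO_ONE = {            # public virtual IP -> internal host (1:1 NAT entries)
    "203.0.113.10": "10.0.0.10",
    "203.0.113.11": "10.0.0.11",
}
REVERSE = {v: k for k, v in ONE_TO_ONE.items()}
OUTBOUND_NAT_IP = "203.0.113.1"   # shared address for hosts without a 1:1 entry

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def wan_rule_allows(pkt: Packet, rules) -> bool:
    """rules: list of (destination_ip, dport) pairs, checked after translation."""
    return any(pkt.dst == ip and pkt.dport == port for ip, port in rules)

def inbound(pkt: Packet, rules):
    """Translate, then filter. Returns the packet as delivered inside, or None."""
    pkt = replace(pkt, dst=ONE_TO_ONE.get(pkt.dst, pkt.dst))  # 1:1 DNAT step
    return pkt if wan_rule_allows(pkt, rules) else None

def outbound(pkt: Packet) -> Packet:
    """1:1 hosts keep their own public IP; everyone else shares OUTBOUND_NAT_IP."""
    return replace(pkt, src=REVERSE.get(pkt.src, OUTBOUND_NAT_IP))

# Rule written against the virtual IP: blocked, because dst is already 10.0.0.10
WRONG_RULES = [("203.0.113.10", 443)]
# Rule written against the internal address: allowed
RIGHT_RULES = [("10.0.0.10", 443)]

if __name__ == "__main__":
    web = Packet("198.51.100.5", "203.0.113.10", 443)
    print(inbound(web, WRONG_RULES))   # None
    print(inbound(web, RIGHT_RULES))   # Packet(..., dst='10.0.0.10', dport=443)
    print(outbound(Packet("10.0.0.99", "198.51.100.5", 80)))  # src=203.0.113.1
```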

