Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Migrating from 1:1 NAT to bridged interfaces

    Scheduled Pinned Locked Moved NAT
    2 Posts 1 Posters 263 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      DerekZ
      last edited by DerekZ

      I tried to read the documentation on this but I'm not sure I'm understanding things correctly, so I figured I'd reach out and ask before I borked things up.

      Currently I'm only hosting machines I'm responsible for. I've got them on their own DMZ subnet, and I'm using 1:1 NAT to handle connections to those machines. Things are working great. I've got a handful of routable IP addresses there and I'm only using 2.

      Now, I'm about to start hosting for other folks again - something I haven't done in years. I'm really not comfortable bringing them in onto my DMZ. What I'd rather do is create a new VLAN, build a machine to host these other folks that lives on the new VLAN, bridge that VLAN with the WAN interface of the firewall, assign a routable IP directly to the new machine, and have the new server hosting people I don't know sitting outside my DMZ conceptually.

      So, my questions:

      • I've created the VLAN for my future bridged machine(s), and I've assigned that to an interface in pfSense. Can I just form a bridge between that new interface and my WAN without affecting existing routing?

      • I'd like to move a machine that's currently on the DMZ that's got a 1:1 NAT mapping to this new bridged interface with the routable IP address assigned directly to it. Will pfSense complain if I remove the 1:1 NAT, then have that routable IP address pop up on the bridged interface? It seems like it should work fine, but I did something like this a bit over a decade ago and I feel like I'm missing a step.

      • Will pfSense by default firewall packets destined for an interface that's bridged with the WAN, or just...you know, bridge them?

      Thanks. Not sure where my old login went.

      (Edited for clarity.)

      1 Reply Last reply Reply Quote 0
      • D
        DerekZ
        last edited by

        Maybe this is clearer: If I

        • create a new interface in pfSense
        • bridge it to the WAN interface
        • start to move routable IP addresses from 1:1 NAT (currently pointing to DMZ private addresses)
        • and place them on the bridge will this work?

        Or will pfSense freak out if IPs from a subnet are on one interface and the others are being 1:1 Natted to another interface simultaneously?

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.