Netgate Discussion Forum

    Outgoing NAT for single Host

    Volans

      Hi,

      I have a dedicated server running ESXi, and on that a virtualized pfSense. With that server I got a single public IPv4 address, which is assigned to the pfSense's WAN interface. In addition to that I have a public /28 subnet. The single public IPv4 is not in the /28 subnet.

      My first question is: how can that work? Because my provider gives me the single public IPv4 address as gateway for the /28 subnet.

      My second question is: what's the best way to configure this /28 subnet on the WAN interface, if I want to be able to configure explicit outgoing NAT rules for every LAN host behind my pfSense?

      First I entered the /28 subnet as "Other" under virtual IPs. With this I was able to select every single IP in an outgoing NAT rule. Unfortunately this was not the case if I created a port forwarding rule. So do I have to enter every usable IP from the /28 subnet as an "IP alias"?

      My third question is: how to configure an outgoing NAT rule for a single host? Under "Source" there is only "Any", "Network" and "This Firewall". So I chose "Network", typed in the host IP address and chose /32 as subnet. But is this the right way?

      Thanks in advance for your answers! :)

      Best regards,
      Karsten

        viragomann @Volans

        @volans said in Outgoing NAT for single Host:

        With that server I got a single public IPv4 address, which is assigned to the pfSense's WAN interface. In addition to that I have a public /28 subnet. The single public IPv4 is not in the /28 subnet.
        My first question is: how can that work? Because my provider gives me the single public IPv4 address as gateway for the /28 subnet.

        pfSense doesn't care about that. It requires only that the gateway IP is within one of the networks assigned to WAN (with default settings).
        It's up to the provider's gateway to accept the packets coming from outside the subnet.

        what's the best way to configure this /28 subnet on the WAN interface

        If the additional /28 subnet is routed to your primary IP, there is no need to assign the IPs to the interface; however, it's possible nonetheless. You can simply use the IP in a port forwarding or outbound NAT rule.

        When you assign them to the WAN, use type "IP alias". With that you get them provided in the drop-down in NAT rules.

        My third question is: how to configure an outgoing NAT rule for a single host? Under "Source" there is only "Any", "Network" and "This Firewall". So I chose "Network", typed in the host IP address and chose /32 as subnet. But is this the right way?

        It's the only way.

          Derelict (Netgate) @Volans

          @volans said in Outgoing NAT for single Host:

          I have a dedicated server running ESXi, and on that a virtualized pfSense. With that server I got a single public IPv4 address, which is assigned to the pfSense's WAN interface. In addition to that I have a public /28 subnet. The single public IPv4 is not in the /28 subnet.

          My first question is: how can that work? Because my provider gives me the single public IPv4 address as gateway for the /28 subnet.

          Because the /28 is routed to you. You can do whatever you want with it. It does not need its own gateway out of itself to be routed.

          This is the best, most proper, and most flexible way to get additional IP addresses from upstream. You could even number an inside interface with it and give your hosts/VMs public addresses directly and turn off NAT for them altogether.

          https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#small-wan-ip-subnet-with-larger-lan-ip-subnet

          My second question is: what's the best way to configure this /28 subnet on the WAN interface, if I want to be able to configure explicit outgoing NAT rules for every LAN host behind my pfSense?

          You don't really have to configure anything to NAT on routed addresses. Other type VIPs don't really do anything but are supposed to provide placeholders in the GUI for selection (see below).

          So your question about what is best really depends on what you are doing. If you want to bind a service on the firewall to one of those addresses, like, say, an OpenVPN server, you would probably want an IP Alias VIP.

          First I entered the /28 subnet as "Other" under virtual IPs. With this I was able to select every single IP in an outgoing NAT rule. Unfortunately this was not the case if I created a port forwarding rule. So do I have to enter every usable IP from the /28 subnet as an "IP alias"?

          I'm a little lost here. When you create an Other type VIP you are not creating any actual presence on the firewall of those IP addresses. They are merely used as placeholders in address selection pulldowns for NAT, etc. There are no addresses you can bind to to run services, nothing that will respond to ping, no ARP responses, but you can use them for all NAT functions.

          Ah, I see what you're talking about. It looks like the Other /28 is not expanded into individual address selections in the port forward dialog like it is in outbound NAT. Two options I can see to work around that:

          1. Create 16 individual /32 Other VIPs
          2. Just use "single host or alias" and enter the address out of the /28 you want to NAT to there.

          That's probably a GUI defect.

          My third question is: how to configure an outgoing NAT rule for a single host? Under "Source" there is only "Any", "Network" and "This Firewall". So I chose "Network", typed in the host IP address and chose /32 as subnet. But is this the right way?

          Yes.


          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Volans

            Thank you both very much for your answers!

            I think, like @viragomann said, configuring them separately as "IP alias" is best, because with that I can find them in all pull-down menus (including port forwarding).

            Have a nice day! :)

              Derelict (Netgate) @Volans

              @volans But they become actual IP addresses on the firewall which is unnecessary for NAT purposes. Making individual "Other" /32 VIPs will add them to the menus too without doing that.

              That's probably a GUI defect.

              This was already found and fixed in 2.6.0 snapshots.

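The thread's three points (the gateway only has to be inside a WAN-assigned network, a routed block needs no on-link presence, and a single LAN host is selected with a /32 source) can be checked mechanically. The script below is an added example, not code from the thread or from pfSense; all addresses are constructed from the RFC 5737 documentation ranges, the WAN interface name `vmx0` and the LAN hosts are assumptions, and the rule strings use a simplified pf syntax that resembles what pfSense generates from the GUI rather than its exact output.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not the poster's real addresses.
WAN_ADDRESS = ipaddress.ip_interface("198.51.100.10/24")  # the single public IP on WAN
WAN_GATEWAY = ipaddress.ip_address("198.51.100.1")         # provider gateway for that IP
ROUTED_PREFIX = ipaddress.ip_network("203.0.113.16/28")    # provider routes this block to the WAN IP
WAN_IFNAME = "vmx0"                                        # assumed interface name on the ESXi VM
LAN_HOSTS = {"web": "10.0.0.10", "mail": "10.0.0.11"}      # constructed LAN hosts behind pfSense


def gateway_is_reachable(wan_if, gateway):
    """pfSense's default check: the gateway must sit inside a network assigned to WAN.
    The routed /28 plays no part in this test, which is why the setup works."""
    return gateway in wan_if.network


def routed_prefix_is_separate(wan_if, prefix):
    """The routed block is independent of the WAN subnet; an overlap would be a misconfiguration."""
    return not wan_if.network.overlaps(prefix)


def other_vips(prefix):
    """Derelict's first workaround: one /32 'Other' VIP per address in the routed block, so each
    address appears in the port-forward pulldown without becoming an address on the firewall.
    A routed block is not on a link, so it has no network/broadcast address: all 16 are usable."""
    return [ipaddress.ip_network(f"{addr}/32") for addr in prefix]


def outbound_nat_rules(hosts, prefix, wan_ifname=WAN_IFNAME):
    """One outbound NAT rule per LAN host: a /32 source (the only way to pick a single host in
    the GUI) translated to one address of the routed block. Simplified pf-style strings."""
    pool = list(prefix)
    if len(hosts) > len(pool):
        raise ValueError(f"{len(hosts)} hosts but only {len(pool)} addresses in {prefix}")
    rules = []
    for (name, lan_ip), public_ip in zip(hosts.items(), pool):
        src = ipaddress.ip_network(f"{lan_ip}/32")
        rules.append(f"nat on {wan_ifname} from {src} to any -> {public_ip}  # {name}")
    return rules


def port_forward_rule(public_ip, port, lan_ip, proto="tcp", wan_ifname=WAN_IFNAME):
    """Derelict's second workaround: type the routed address directly as a single host in the
    port-forward destination. No source address/port is set, matching his signature advice."""
    public_ip = ipaddress.ip_address(public_ip)
    if public_ip not in ROUTED_PREFIX and public_ip != WAN_ADDRESS.ip:
        raise ValueError(f"{public_ip} is neither the WAN address nor inside {ROUTED_PREFIX}")
    return f"rdr on {wan_ifname} proto {proto} from any to {public_ip} port {port} -> {lan_ip} port {port}"


if __name__ == "__main__":
    print("gateway reachable:", gateway_is_reachable(WAN_ADDRESS, WAN_GATEWAY))
    print("routed block separate from WAN subnet:", routed_prefix_is_separate(WAN_ADDRESS, ROUTED_PREFIX))
    print(f"{len(other_vips(ROUTED_PREFIX))} /32 Other VIPs would be needed for {ROUTED_PREFIX}")
    for rule in outbound_nat_rules(LAN_HOSTS, ROUTED_PREFIX):
        print(rule)
    print(port_forward_rule("203.0.113.16", 443, LAN_HOSTS["web"]))
```

The `gateway_is_reachable` check deliberately ignores the routed block: that is the answer to the first question, and swapping the constructed gateway for one outside `198.51.100.0/24` is the quickest way to see what pfSense would refuse. The translation address in `outbound_nat_rules` is never added to any interface, which is the distinction Derelict draws between "Other" and "IP alias" VIPs.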