Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Help me to understand NAT configuration (1:1 & Outbound + PortForward?)

    Scheduled Pinned Locked Moved NAT
    4 Posts 2 Posters 743 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      eeebbune
      last edited by

      Hello Everyone!

      I am having an issue to configure NAT from firewall and here is what I have.

      • 1:1 NAT configured,
        409248e1-ddea-4e7f-826f-c778cf940e96-image.png

      • Outbound configured for WAN/LAN respectively,

      f04f2d5b-5578-4fcb-a91f-5eebe381d2c9-image.png

      I was thinking my NAT rule has an order (1:1 NAT rule first, Outbound next), but I could NOT reach servers which has specific 1:1 NAT rule.

      When I tried to create 1:1 NAT rule to Outbound, still not accessible.

      cd5e6fa5-0229-4749-8bfd-b972ce22c7ef-image.png

      Can you tell me where did I miss?

      Thank you for the response.

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @eeebbune
        last edited by

        @eeebbune 1:1 NAT allows connections arriving on that interface (usually WAN) to an IP on an internal interface (usually LAN or DMZ).

        Outbound NAT controls how connections out from an IP address to the Internet go out. (PC on LAN connects out to a web site)

        They are completely different things.

        As to why it doesn't work, does the server have a software firewall, and if so does it allow traffic from the Internet?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote ๐Ÿ‘ helpful posts!

        E 1 Reply Last reply Reply Quote 0
        • E
          eeebbune @SteveITS
          last edited by

          @steveits Appreciate your response.

          If I correctly understood, 1:1 NAT is matching inbound traffics to be private IP address and outbound is matching outbound traffics.

          Which means if I create 1:1 NAT to be either
          LAN (interface) - External IP(Public IP) - Internal IP(Private IP)

          or

          LAN (interface) - External IP(Public IP) - Internal IP(Private IP)
          WAN (interface) - External IP(Public IP) - Internal IP(Private IP)

          Then it would be the solution?

          Most community users recommends to configure PortForward. Would you agree with that? If so, may I ask you why?

          By the way, I have allow any to server IP with all port rules to both WAN/LAN rule tabs.

          Thank you very much.

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @eeebbune
            last edited by

            @eeebbune 1:1 NAT forwards all ports.

            If you are trying to get to your server from LAN using the public IP address, you'll still need Reflection enabled (see "Enable NAT Reflection for 1:1 NAT"). I would get it working from outside first, then worry about the LAN.

            BTW, for 1:1 NAT you don't need to configure Outbound NAT.
            https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
            "All traffic originating from that private IP address going to the Internet through the interface selected on the 1:1 NAT entry will be mapped by 1:1 NAT to the public IP address defined in the entry, overriding the Outbound NAT configuration."

            @eeebbune said in Help me to understand NAT configuration (1:1 & Outbound + PortForward?):

            allow any to server IP with all port rules to both WAN/LAN rule tabs

            If I'm reading that correctly and you've allowed all traffic to the server on WAN, when using 1:1 NAT that includes all ports, so SSH, HTTP, SMTP, FTP, NetBIOS, remote connections, etc., etc. I would really recommend against that and only allow the necessary traffic. See https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#risks-of-1-1-nat

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote ๐Ÿ‘ helpful posts!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.