Need some help with a NAT config
-
Hi,
I'm looking for some assistance with a config situation that I haven't had to deal with before. I've looked around on the help forums, and there is a page in the pfSense documentation with pretty much the situation I have, but it doesn't explain very well how to set this up, and I could use some help. The page in question is here: https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#figure-multiple-public-ips-singleblock-diagram
For my situation specifically, the config I need to achieve looks like this:
Client has a Leased Line, with the following Public IPs:
x.x.x.25/29 - Gateway
x.x.x.26/29 - Client Side WAN Static IP
x.x.x.27/29 -> x.x.x.30/29 - Usable IP Addresses
I need to set up the firewall to send all external traffic directed at the x.x.x.30/29 IP to a single internal IP, let's say, in this case, an example IP of 192.168.1.1/24. The device with this IP is on its own LAN and there are no other devices on the LAN. Firewalling on the pfSense side in terms of ports and specific filters isn't required here, as the device internally accepting the traffic is a firewall on a phone system, and that has all of the firewalling set up for its specific purpose.
The article I linked mentioned bridging and IP Alias VIP; however, I haven't used these functions myself and could use some help on how to make this setup work.
I'll try to provide any info if I've missed anything that is needed.
Thanks
-
@shaz1300 said in Need some help with a NAT config:
The article I linked mentioned bridging and IP Alias VIP; however, I haven't used these functions myself and could use some help on how to make this setup work.
Bridging is one option in this article, using a VIP + NAT is another one.
With a bridge, you have to assign x.x.x.30/29 to the device behind pfSense and it can communicate with the upstream gateway directly.
As you say, your device has a private IP, so you need to NAT the incoming and outgoing traffic.
Best practice would be to assign a VIP of type Proxy ARP in this case. Then add a NAT port forwarding rule to forward the desired ports. If you want to forward all, which I don't recommend, you can NAT ports 1 - 65535.
In any case you have to allow the traffic on pfSense, even if you bridge the interfaces.
When NATting, this can be done within the NAT rule by setting the rule association properly.
-
@viragomann Thanks for the quick response, I'll try those config changes and see if I can get it working. Thanks for the help there, much appreciated.
-
@viragomann Follow up on this, there is an extra rule that needs doing that will force any outbound traffic from the device on the IP 192.168.1.1 that goes out of the WAN on the firewall to be NATed to have the same x.x.x.30/29 address as was forwarded to it inbound.
Am I correct in thinking this is an outbound NAT rule in Hybrid mode, setting the interface as the WAN, the source as the subnet the device is on, in this case 192.168.1.0/24, the destination as any and the NAT address as x.x.x.30?
I'm only used to this function on a WatchGuard as Dynamic NAT, so I wasn't sure if I was heading down the right path on pfSense to do the same thing.
-
@shaz1300 said in Need some help with a NAT config:
Follow up on this, there is an extra rule that needs doing that will force any outbound traffic from the device on the IP 192.168.1.1 that goes out of the WAN on the firewall to be NATed to have the same x.x.x.30/29 address as was forwarded to it inbound.
Am I correct in thinking this is an outbound NAT rule in Hybrid mode, setting the interface as the WAN, the source as the subnet the device is on, in this case 192.168.1.0/24, the destination as any and the NAT address as x.x.x.30?
Yes. You didn't mention this before.
You can do this with an outbound NAT rule.
If you want it to be applied to the single IP only, you can specify this with a /32 mask.
However, best practice instead of adding an inbound and an outbound NAT rule is setting a 1:1 rule on WAN. This does both in one.
However, it doesn't allow any traffic. For passing inbound traffic you will have to add a firewall rule to WAN and use the internal IP of your device as destination.
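The order of operations behind that last point (1:1 NAT translates first, then the WAN rule is matched against the already-translated packet) is what makes the internal IP the right destination for the pass rule. Below is an added simulation of that behaviour, not pfSense or pf code; the thread's x.x.x.30 is replaced by the constructed stand-in 203.0.113.30, and 198.51.100.7 is a constructed remote host.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins: 203.0.113.30 plays the role of the thread's x.x.x.30 VIP.
PUBLIC_VIP = ipaddress.ip_address("203.0.113.30")
INTERNAL_HOST = ipaddress.ip_address("192.168.1.1")   # the phone-system firewall
REMOTE_HOST = ipaddress.ip_address("198.51.100.7")    # constructed Internet peer


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    direction: str  # "in" = arriving on WAN, "out" = leaving via WAN


def one_to_one_nat(pkt: Packet) -> Packet:
    """Model a 1:1 NAT entry on WAN: VIP <-> internal host, both directions.
    Inbound rewrites the destination; outbound rewrites the source."""
    if pkt.direction == "in" and pkt.dst == PUBLIC_VIP:
        return replace(pkt, dst=INTERNAL_HOST)
    if pkt.direction == "out" and pkt.src == INTERNAL_HOST:
        return replace(pkt, src=PUBLIC_VIP)
    return pkt  # other hosts (e.g. a /32-scoped rule) are left untouched


def wan_rule_passes(pkt: Packet, rule_dst: str) -> bool:
    """The WAN pass rule is evaluated AFTER translation, so it only sees
    the post-NAT destination. rule_dst is the rule's destination network."""
    return pkt.dst in ipaddress.ip_network(rule_dst, strict=False)


def process_inbound(dst: str, rule_dst: str) -> tuple[str, bool]:
    """Return (destination after NAT, whether the WAN rule with rule_dst passed it)."""
    pkt = Packet(REMOTE_HOST, ipaddress.ip_address(dst), "in")
    translated = one_to_one_nat(pkt)
    return str(translated.dst), wan_rule_passes(translated, rule_dst)


def process_outbound(src: str) -> str:
    """Return the source address the packet leaves WAN with."""
    pkt = Packet(ipaddress.ip_address(src), REMOTE_HOST, "out")
    return str(one_to_one_nat(pkt).src)


if __name__ == "__main__":
    # A rule written against the public VIP never matches: NAT already replaced it.
    print(process_inbound("203.0.113.30", "203.0.113.30/32"))  # ('192.168.1.1', False)
    # A rule written against the internal host, as advised above, does match.
    print(process_inbound("203.0.113.30", "192.168.1.1/32"))   # ('192.168.1.1', True)
    print(process_outbound("192.168.1.1"))                      # 203.0.113.30
```

The same check explains why a WAN rule copied from another firewall that names the public address as its destination silently drops the forwarded traffic.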