    I do not understand why this appears to be working...1:1 NAT, but no virtual IP set up

    SteveO

      Hi,

      A little confused by this.

      I am using 1:1 NAT for several servers in a private network to public addresses.
      I do not have virtual IPs set up for the NATs yet, but they all seem to work.

      Public IP setup:
      We have a /29 block 111.111.111.192-111.111.111.199; WAN is 111.194, and the gateway is 111.193.

      The servers all use public IPs within a /27 block 111.111.112.224-111.111.112.255.

      The ISP is making the ARP work, I assume, so that queries for 112.224-255 are told about 111.194.

      LAN port is 192.168.2.1 on a /24 subnet. The LAN IPs match on the last octet, so 192.168.2.225 has a 1:1 NAT out to 111.111.112.225.

      I have no virtual IPs set up for these yet, yet they respond and I have control over the ports through rules just as if I had. Is this just because the ISP is providing the ARP that otherwise the firewall would need to advertise? And if so, is this setup good, or do I need to do something else to avoid session timeout issues or whatever?

      Thanks for your patience and attention.

      viragomann @SteveO

        @steveo said in I do not understand why this appears to be working...1:1 NAT, but no virtual IP set up:

        Is this just because the ISP is providing the ARP that otherwise the firewall would need to advertise?

        Not clear what you mean by "the ISP is providing ARP".
        You need the requested IP on your box, so pfSense has to respond to the ARP requests anyway.

        But I assume the ISP routes the whole subnet to your primary public IP 111.194. This way the packets arrive on your WAN even if the destination IP isn't assigned to the interface.
        In this case there is no need for pfSense to respond to ARP requests for the subnet, because the IPs are not really requested, even though they are the destination IPs in the packets.

        Yes, your setup is good. Such packets can be forwarded by NAT rules to devices within the local network without the need to assign the additional IPs to the WAN.

        SteveO @viragomann
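The distinction in the answer above (on-link addresses the upstream router must ARP for versus a block the ISP routes to the WAN address) can be checked mechanically before adding 1:1 NAT rules. This is an added example, not code from the thread or from pfSense; the WAN /29, LAN /24 and routed /27 are taken from the question, the function names and verdict labels are my own.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed from the thread's addressing: pfSense WAN /29 and LAN /24,
# plus the /27 the ISP routes to the WAN address (assumption, per the answer).
WAN_IF = ip_interface("111.111.111.194/29")
LAN_IF = ip_interface("192.168.2.1/24")
ROUTED_BLOCKS = [ip_network("111.111.112.224/27")]


def classify_public_ip(public_ip, wan_if=WAN_IF, routed_blocks=ROUTED_BLOCKS):
    """How can traffic for public_ip reach the firewall's WAN?
    'wan-address' : the WAN interface address itself (not usable as a 1:1 target)
    'unusable'    : network or broadcast address of the WAN subnet
    'on-link'     : inside the WAN subnet; the ISP router ARPs for it, so pfSense
                    must answer, i.e. it needs a Virtual IP (IP Alias / Proxy ARP)
    'routed'      : inside a block the ISP routes to the WAN address; packets
                    arrive without any ARP for it, so no VIP is needed
    'unreachable' : in neither; the ISP has no reason to deliver it here
    """
    ip = ip_address(public_ip)
    if ip == wan_if.ip:
        return "wan-address"
    if ip in (wan_if.network.network_address, wan_if.network.broadcast_address):
        return "unusable"
    if ip in wan_if.network:
        return "on-link"
    if any(ip in block for block in routed_blocks):
        return "routed"
    return "unreachable"


def audit_one_to_one(mappings, lan_if=LAN_IF, **kwargs):
    """mappings: iterable of (internal_ip, external_ip) 1:1 NAT pairs.
    Returns {external_ip: verdict}; an internal host outside the LAN subnet
    is flagged because the rule could never match it."""
    verdicts = {}
    for internal, external in mappings:
        verdict = classify_public_ip(external, **kwargs)
        if ip_address(internal) not in lan_if.network:
            verdict += ",internal-not-on-lan"
        verdicts[external] = verdict
    return verdicts


if __name__ == "__main__":
    # The thread's convention: last octet matches, 192.168.2.x -> 111.111.112.x
    sample = [(f"192.168.2.{o}", f"111.111.112.{o}") for o in (225, 226, 230)]
    for ext, verdict in audit_one_to_one(sample).items():
        print(ext, "->", verdict)
```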

          @viragomann
          Perfect, thank you!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.