I do not understand why this appears to be working...1:1 NAT, but no virtual IP set up
-
Hi,
A little confused by this.
I am using 1:1 NAT for several servers in a private network to public addresses.
I do not have virtual IPs set up for the NATs yet, but they all seem to work.Public IP setup:
We have a /29 block 111.111.111.192-111.111.111.199; WAN is 111.194, and the gateway is 111.193.The servers all use public IPs within a /27 block 111.111.112.224-111.111.112.255.
The ISP is making the ARP work, I assume, so that queries for 112.224-255 are told about 111.194.
LAN port is 192.168.2.1 on a /24 subnet. The LAN IPs match on the last octet, so 192.168.2.225 has a 1:1 NAT out to 111.111.112.225.
I have no virtual IPs set up for these yet, yet they respond and I have control over the ports through rules just as if I had. Is this just because the ISP is providing the ARP that otherwise the firewall would need to advertise? And if so, is this setup good, or do I need to do something else to avoid session timeout issues or whatever?
Thanks for your patience and attention.
-
@steveo said in I do not understand why this appears to be working...1:1 NAT, but no virtual IP set up:
Is this just because the ISP is providing the ARP that otherwise the firewall would need to advertise?
Not clear, what you mean with "the ISP is providing ARP".
You need the requested IP on your box, so pfSense has to respond to the ARP requests anyway.But I assume, the ISP routes the whole subnet to your primary public IP 111.194. This way the packets arrive on your WAN even if the destination IP isn't assigned to the interface.
In this case there is no need for pfSense to respond to ARP requests for the subnet, cause the IPs are not really requested, even they are the destination IPs in the packets.Yes, your setup is good, Such packets can be forwarded by NAT rules to devices within the local network without the need to assign the additional IPs to the WAN.
-
@viragomann
Perfect, thank you!