Using NAT to another Public IP



  • I will be relocating some servers from one datacentre to another which means a change of Public IP.
    Am I able to configure pfSense to NAT these original addresses to the new addresses so services will continue to work while DNS cache expires?
    I thought a normal Port Forward rule would work, however I don't think it is NAT'ing correctly and probably not having the correct source IP as it doesn't work.
    Does anyone have tips for setting the inbound and outbound NAT rules to make this work.
    It needs to NAT from the WAN interface to the WAN interface.

    Thanks
    Brent



  • There is a way to do it.  It requires a combination of a port forward and an outbound NAT rule.  I am working on code that can automatically make the outbound NAT rule for you so the port forward (or 1:1 mapping) will just work, but you can manually do it until then.

    The port forward is probably as you would expect - just set external or destination IP to the public IP you want to redirect from and target IP to the IP you want to forward it to.  The outbound rules should be set up like this:

    On the first rule to add, check "no nat" or "do not nat" (depending on which version)), select the same interface as the port forward, choose the same protocol as the port forward (if applicable), source address should be the address your other rule forwarding from with mask set to 32 (leave port blank), destination address is the address you are forwarding it to with mask set to 32, fill in the destination port with the target ports of your port forward.

    On the second outbound rule to add, leave the no nat box unchecked, select the same interface as above, choose the same protocol as the port forward (if applicable), source address should be the source network for your port forward (in this case it is "any") and leave port blank, destination address is the address you are forwarding it to with mask set to 32, fill in the destination port with the target ports of your port forward, and change translation address to the IP address you are forwarding from.

    For example, say your public IP you are forwarding from is 1.1.1.1 and you want to forward port 80 to 2.2.2.2.  Your port forward might look like this:

    Interface: WAN
    Protocol: TCP
    External address: 1.1.1.1
    External port: 80
    Target IP: 2.2.2.2
    Target port: 80

    The outbound NAT rules you would use for this port forward would look like this:

    No NAT: checked
    Interface: WAN
    Protocol: TCP
    Source address: 1.1.1.1/32
    Source port: (leave blank)
    Destination address: 2.2.2.2/32
    Destination port: 80

    No NAT: unchecked
    Interface: WAN
    Protocol: TCP
    Source address: any
    Source port: (leave blank)
    Destination address: 2.2.2.2/32
    Destination port: 80
    Translation address: 1.1.1.1

    Note that this will rewrite the source address, so your target server will not know where the forwarded traffic originally came from (if it needs to know for any reason).

    If you try this out, let me know if it works for you.

    -edit-

    After discussing with someone else, I realized another option.  If you have a VPN set up, you can forward it through the VPN instead of back out of WAN.  If you need the source address, this would definitely be the way to do it.  The downside is that your VPN would need to be able to scale to the amount of traffic that would be forwarded through.



  • Thanks for your prompt response.
    That works perfectly.
    I was adding the 2nd Outbound NAT rule.  But not the first one which disables NAT for Local traffic.
    Thank you very much for your help.
    Yes I may do a VPN, but as it is only short term I think port forwards will be much simpler.



  • Do you mean you had the 2nd one already but needed the 1st or that you added the 2nd and it made it work but the 1st caused a problem?  I'm curious because it is relevant to what I'm working on.



  • I had the 2nd outbound NAT Rule, but didn't have the first "No NAT" rule.


Locked