Netgate Discussion Forum
    1:1 NAT with single wan and multiple IP's

stuen93

I am trying to get pfSense going for the school district I work for. We have a single WAN connection with a small subnet of public IPs. Most of our traffic would go out the outside interface of our pfSense box's public IP. We also have public IPs that we use for our web server, mail server, and a few other services. I set up the 1:1 NAT but seem to be missing something.

      If anyone can help with these questions I would appreciate it.

      1. With 1:1 NAT do I also have to setup manual outgoing NAT rules?

2. With my firewall rules I set the from address to any and the destination address to the public IP I wanted to open up certain ports for. Is that the correct way to set up our firewall rules? That was what I assumed but ran into a forum post where someone was setting the from to the public IP and the destination address to their internal IP.

3. Do I also need a virtual IP set up for each of my public 1:1 NAT addresses? I have read a bit about those but it does not seem clear to me when it is necessary.

kpa

You have to set up virtual IPs of some sort to get 1:1 NAT working. Easiest is to use proxy ARP VIPs, one /32 proxy ARP VIP for each public IP you're going to use in 1:1 NAT mappings. You don't need outbound NAT rules if you have 1:1 NAT set up.

Another matter is whether you actually need 1:1 NAT. If you don't need the public IPs (other than your WAN IP) pingable from the outside you can do without 1:1 NAT and use outbound NAT rules and normal port forwards instead of 1:1 NAT. You'll still have to set up virtual IPs if you go this route.

stuen93

So if I go with the virtual IP and 1:1 NAT would my firewall rules be correct to have "any" for the source IP and then the public IP I am using in 1:1 NAT for the destination?

kpa

Source address stays as usual but you have to use the internal address in the destination field because access is checked after NAT (1:1 NAT in this case).

Efonnes

              If the services you want accessible only use predefined ports, you could just let through only those ports instead of letting everything through to your servers.

stuen93
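The setup kpa and Efonnes describe, written out as a hand-made pf.conf sketch (an added example, not from the thread or from pfSense's generated rules). It assumes WAN is em0, a hypothetical 1:1 NAT public address 203.0.113.10 mapped to an internal web server 10.0.0.10, and a LAN of 10.0.0.0/24; proxy ARP for the public address is still done by the pfSense Virtual IP entry, not by pf.

```pf
# Added example: illustrative pf.conf fragment, not pfSense's own generated ruleset.
# Assumed (hypothetical) addresses come from the documentation ranges.
wan     = "em0"
web_pub = "203.0.113.10"   # the /32 proxy ARP VIP on WAN
web_int = "10.0.0.10"      # the internal server behind 1:1 NAT

# 1:1 NAT: binat is bidirectional, so it translates inbound packets for
# web_pub to web_int AND outbound packets from web_int to web_pub.
# That is why no separate outbound NAT rule is needed for this host.
binat on $wan from $web_int to any -> $web_pub

# Every other LAN host still leaves through the WAN address (ordinary outbound NAT).
nat on $wan from 10.0.0.0/24 to any -> ($wan)

# Default deny on WAN; anything not explicitly passed below is dropped.
block in on $wan

# Filtering runs AFTER translation on inbound packets, so the destination in the
# pass rule is the INTERNAL address. A rule written "to $web_pub" would never match.
# Only the ports the service actually needs are opened (Efonnes' point), not "any".
pass in quick on $wan proto tcp from any to $web_int port { 80, 443 } flags S/SA keep state

# Optional: allow the public address to answer ping from outside (one of the
# reasons to choose 1:1 NAT over plain port forwards). Again the destination is web_int.
pass in quick on $wan inet proto icmp from any to $web_int icmp-type echoreq keep state
```

In the pfSense GUI the same logic is the Virtual IP entry (Firewall > Virtual IPs), the 1:1 mapping (Firewall > NAT > 1:1) and WAN rules whose destination is the internal host.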

                KPA - everything is up and working now, thanks for the help.

Efonnes - we are using the firewall rules to only allow the necessary ports in.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.