1:1 NAT with single WAN and multiple IPs

  • I am trying to get pfSense going for the school district I work for. We have a single WAN connection with a small subnet of public IPs. Most of our traffic would go out the outside interface of our pfSense box's public IP. We also have public IPs that we use for our web server, mail server, and a few other services. I set up the 1:1 NAT but seem to be missing something.

    If anyone can help with these questions I would appreciate it.

    1. With 1:1 NAT do I also have to set up manual outgoing NAT rules?

    2. With my firewall rules I set the from address to any and the destination address to the public IP I wanted to open up certain ports for. Is that the correct way to set up our firewall rules? That was what I assumed, but I ran into a forum post where someone was setting the from to the public IP and the destination address to their internal IP.

    3. Do I also need a virtual IP set up for each of my public 1:1 NAT addresses? I have read a bit about those, but it does not seem clear to me when it is necessary.

  • You have to set up virtual IPs of some sort to get 1:1 NAT working. Easiest is to use proxy ARP VIPs, one /32 proxy ARP VIP for each public IP you're going to use in 1:1 NAT mappings. You don't need outbound NAT rules if you have 1:1 NAT set up.

    Another matter is whether you actually need 1:1 NAT. If you don't need the public IPs (other than your WAN IP) pingable from the outside, you can do without 1:1 NAT and use outbound NAT rules and normal port forwards instead of 1:1 NAT. You'll still have to set up virtual IPs if you go this route.

  • So if I go with the virtual IP and 1:1 NAT, would my firewall rules be correct to have "any" for the source IP and then the public IP I am using in 1:1 NAT for the destination?

  • Source address stays as usual, but you have to use the internal address in the destination field because access is checked after NAT (1:1 NAT in this case).

  • If the services you want accessible only use predefined ports, you could just let through only those ports instead of letting everything through to your servers.
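  The three answers above (VIPs plus 1:1 NAT and no outbound NAT rules; filter rules matching the internal address because filtering runs after translation; only opening the ports the services need) are shown below in the pf.conf syntax that pfSense generates underneath its GUI. This is an added illustration, not configuration posted in the thread or shipped by pfSense: the interface names and the 203.0.113.x / 10.0.0.x addresses are placeholders from the documentation ranges, and the proxy ARP part has no pf.conf equivalent (pfSense answers ARP for a proxy ARP VIP with a helper daemon, so only the translation and filter rules appear here).

```pf
# Added example in FreeBSD/pfSense pf.conf syntax (OpenBSD's newer
# "match ... binat-to" syntax differs). All names and addresses are
# placeholders, not values from the original thread.
ext_if  = "em0"              # WAN
int_if  = "em1"              # LAN
wan_ip  = "203.0.113.2"      # the box's own WAN address
lan_net = "10.0.0.0/24"

web_pub  = "203.0.113.10"    # public IP used as a /32 proxy ARP VIP
web_int  = "10.0.0.10"
mail_pub = "203.0.113.11"    # public IP used as a /32 proxy ARP VIP
mail_int = "10.0.0.11"

# 1:1 NAT: pfSense writes one bidirectional "binat" rule per mapping.
# Because binat covers both directions, no outbound NAT rule is needed
# for these hosts (question 1 in the original post).
binat on $ext_if from $web_int  to any -> $web_pub
binat on $ext_if from $mail_int to any -> $mail_pub

# Everything else on the LAN leaves via the WAN address; this is what
# pfSense's automatic outbound NAT produces.
nat on $ext_if from $lan_net to any -> $wan_ip

# Default deny on the WAN.
block in log on $ext_if all

# Filter rules are evaluated AFTER translation, so an inbound packet for
# 203.0.113.10 already has destination 10.0.0.10 when these rules see it.
# That is why the destination must be the internal address (question 2),
# and only the needed ports are opened, not "any" (efonne's point).
pass in on $ext_if proto tcp from any to $web_int  port { 80, 443 } \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_int port { 25, 587 }  \
    flags S/SA keep state

# A rule written against the public address would never match inbound
# traffic here, because binat has already rewritten the destination:
# pass in on $ext_if proto tcp from any to $web_pub port 80   # does NOT match

# Alternative from KPA's second paragraph: skip 1:1 NAT and use a port
# forward ("rdr") plus an outbound NAT rule per host. The public IP is
# then not pingable from outside, but the VIP is still required so the
# WAN interface answers ARP for it.
# rdr on $ext_if proto tcp from any to $web_pub port 80 -> $web_int port 80
# nat on $ext_if from $web_int to any -> $web_pub
```

On a running pfSense box the generated rules can be compared with this example via `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules); the 1:1 entries appear as `binat` lines, and the WAN rules for the servers carry the internal address as their destination.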

  • KPA - everything is up and working now, thanks for the help.

    efonne - we are using the firewall rules to only allow the necessary ports in.

