Should I use 1:1 NAT or no firewall for outside servers?



  • I have a very small home network but I'd like to host a couple of internet servers (game server and web server most likely).

    It seems like I have two options: 1-to-1 NAT, or move the servers outside the firewall.

    1-to-1 NAT sounds nice but I'm not sure it's providing me with any benefits since it allows "open access" to the servers.  However, the disadvantage is that there is still NAT being performed (I think?) which could interfere with some game servers, etc.

    The alternative is to place the servers in front of the firewall (using VLANs) and then NAT will not be performed and each server will be assigned a public ip address.  This should allow clients (eg. game clients) to connect with the least amount of problems but might expose the server to more danger (?).

    I've attached two diagrams (one for each type of setup)…





  • Where do you get the idea that 1:1 NAT somehow disables firewalling? That's completely untrue, you can use firewall rules with 1:1 NAT just fine.



  • Doesn't 1:1 NAT map every port between the internal and external ip addresses?  (eg. every port is "open")



  • It does indeed map every port from the external address to the internal address but firewall rules are still applied to packets after NAT so no packets can pass unless you allow the traffic by appropriate firewall rules.



  • It sounds like 1:1 NAT is basically port forwarding (DNAT?) but with every port enabled by default.

    Why not just use DNAT (port forwarding) instead of 1:1 NAT then?



  • The public IP of a 1:1 NAT and not the firewall's WAN IP gets associated with your 1:1 NATed host.  If you have enough public IPs, 1:1 NAT is the way to go.

    Roy…



  • It is just a simpler way to configure it when it is what you want.  Yes, you could forward everything and set up an outbound NAT rule with static source ports and get the same effect.



  • Sorry about the above when I said "dynamic nat" when instead I meant static nat (port forwarding)…

    @rpsmith:

    the public IP of a 1:1 NAT and not the firewall's WAN IP gets associated with your 1:1 NATed host.  If you have enough public IPs, 1:1 NAT is the way to go.

    Doesn't port forwarding also use your additional public ip addresses?  (eg. using virtual ip addresses and proxy arp with pfsense then port forwarding specific ports to my additional addresses)

    I apologize for being confused about this.

    @Efonne:  That is how I'm thinking of it.  (eg. 1:1 NAT = default all ports forwarded and SNAT = default all ports NOT forwarded)

    I'm not sure how game servers function behind any kind of NAT though (even 1:1, etc) so I'm not sure if it's better to just place them outside the firewall but I'm not sure anybody here would know that…



  • If you surf to http://whatismyip.com/ from a 1:1 NAT host, it will indicate your public IP is the same as your 1:1 NAT public IP.  With a normal NAT host, it will show the public IP assigned to your firewall WAN interface regardless of any public IP you may have NAT to it.

    Roy…



  • Ahhh, I didn't think about the opposite direction.

    How does that affect servers?  (eg. there aren't any users behind certain public ip addresses; they are only used for web servers, mail servers, etc)



  • I'm not really sure what problems if any that will cause but if someone connects to one of your hosts and the returning TCP packets coming back from that host have a different source address than the original requested address, that might cause some problems.

    Roy…


  •

    rpsmith,

    That is not an issue. The state is tracked on port forwarded traffic on VIPs and they go back out the right way.

    You can setup outbound NAT to make the outbound-initiated traffic go out a VIP also, but as others have stated in the thread, 1:1 is easier, and no less secure to use on a VIP as long as you still have appropriate firewall rules.



  • You have another option: If you want to avoid NAT altogether but still want to be able to filter traffic, you can also consider bridging the WAN interface to the separate VLAN that has your internet servers.



  • Wow… lots of options.

    What advice do you have for me and my situation?  (re: game server)

    The game server is on a dedicated VLAN and will have a public ip address (either assigned directly or 1:1 NAT, etc).

    It looks like my options are:

    1. Port forwarding (SNAT)
    2. 1:1 NAT
    3. OPT interface bridged to WAN
    4. OPT interface routed to WAN (?)

    EDIT: The one requirement I do have is to be able to connect to my game server from inside my LAN network, but for security I'm fine with accessing it via its public ip address (so the server won't have access to my internal network, etc)



  • I do this very successfully here. In contrast I have one static IP that I use for my servers and one DHCP address I'm provided by my ISP that I use for the rest of the network.

    I have a virtual address (my public static IP) set up on my WAN. I port forward the incoming ports to the server I want that particular traffic to go to, and then an outbound NAT rule to make the server show up on the other end as the correct IP.



  • I would avoid bridging unless your hosted service has a problem with NAT.  If NATing I would use 1:1 NAT if you have enough IPs. 1:1 NAT requires a separate public IP for every private IP behind NAT.

    Roy…



  • @jimp:

    That is not an issue. The state is tracked on port forwarded traffic on VIPs and they go back out the right way.

    jimp - Thanks for the clarification!

    Roy…



  • If the VLANs are handled as separate networks in pfSense, then you could block traffic from the network that has your servers when your LAN is the destination.

    If you want to access the servers by their public IP addresses, you could put outbound NAT rules on your LAN to translate the addresses from the server network to their public IP addresses and use port forwards on LAN to forward connections from LAN to your public IP addresses to the correct address on your server network.  That may possibly require 2.0 for the needed options on the port forwards, though, which has an NAT reflection option for 1:1 mappings anyway.



  • Here's what I have so far based on the advice you have all given:

    LAN is configured as vlan0 (192.168.0.1) (VLAN ID: 1)
    OPT1 is configured as vlan1 (192.168.1.1) (VLAN ID: 2)

    Server is assigned 192.168.1.2 and has 1:1 NAT to a public ip address.

    OPT1 Firewall rule:  DENY OPT1 -> LAN
    OPT1 Firewall rule:  ALLOW OPT1 -> any

    Does that sound right?  This allows my private LAN to connect to my server (using its internal network address [192.168.1.2]), but denies connections from the server to my LAN.  I'm not sure how safe this is but seems like the correct method for what I want?

    (NOTE: I don't need to connect to my server using its public ip address.  I only need to be able to connect to it from my LAN).
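As an added example, not taken from the thread and not pfSense's own generated ruleset: a pf.conf fragment (FreeBSD/pfSense classic pf syntax) that expresses the setup in the last post above, and shows the two points made earlier in the thread: that 1:1 NAT (binat) maps every port but the filter rules still decide what gets in, because pf translates before it filters, and that the same effect can be built from a port forward (rdr) plus an outbound NAT rule with static-port. The private addresses are the ones from the post; the interface names, the public address 203.0.113.10 and the game port 27015 are assumptions for illustration only.

```pf
# --- macros (interface names, public IP and game port are assumed) ---
ext_if   = "em0"                 # WAN
lan_if   = "em1"                 # LAN, VLAN 1
opt1_if  = "em2"                 # OPT1, VLAN 2 (server network)
lan_net  = "192.168.0.0/24"
opt1_net = "192.168.1.0/24"
srv_int  = "192.168.1.2"         # server address from the post
srv_pub  = "203.0.113.10"        # assumed spare public IP (a VIP on WAN)
game_port = "27015"              # assumed game server port

# --- translation rules (classic pf: these must precede the filter rules) ---

# Option 1: 1:1 NAT. binat is bidirectional: inbound WAN traffic for
# $srv_pub is rewritten to $srv_int, and anything the server originates
# leaves with $srv_pub as its source, so a site like whatismyip.com sees
# $srv_pub and not the WAN interface address.
binat on $ext_if from $srv_int to any -> $srv_pub

# Option 2 (commented out): port forward plus outbound NAT with static
# source ports, which is what the thread says gives the same effect.
# rdr on $ext_if proto tcp from any to $srv_pub port { 80, 443 } -> $srv_int
# rdr on $ext_if proto { tcp, udp } from any to $srv_pub port $game_port -> $srv_int
# nat on $ext_if from $srv_int to any -> $srv_pub static-port

# Ordinary LAN clients share the WAN interface address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- filter rules ---
# pf evaluates the filter AFTER translation, so WAN rules match on the
# translated (internal) destination. "Every port is mapped" by binat, but
# only what is passed here ever reaches the server.
block in log all
pass out all keep state

# WAN: only the web and game ports reach the server; everything else
# mapped by binat is dropped by the default block above.
pass in on $ext_if proto tcp from any to $srv_int port { 80, 443 } keep state
pass in on $ext_if proto { tcp, udp } from any to $srv_int port $game_port keep state

# OPT1 (server VLAN): the rules from the post. Deny OPT1 -> LAN first,
# then allow OPT1 -> anything else (internet). "quick" stops evaluation
# so the later pass rule cannot override the block.
block in quick on $opt1_if from $opt1_net to $lan_net
pass in on $opt1_if from $opt1_net to any keep state

# LAN: clients may reach the server at 192.168.1.2 directly (as the post
# says no public-IP access from LAN is needed) and everything else.
pass in on $lan_if from $lan_net to any keep state
```

Rule order matters in two places: translation rules sit before filter rules in classic pf syntax, and the OPT1 block needs `quick` (or must come last) because pf otherwise takes the last matching rule, which would be the `pass in on $opt1_if ... to any`. The `block in log all` default is what makes 1:1 NAT "no less secure" than port forwarding: the binat line widens what can be translated, not what is allowed through.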

