Netgate Discussion Forum
    Should I use 1:1 NAT or no firewall for outside servers?

Category: NAT · 19 Posts · 7 Posters · 7.3k Views
sofakng

      I have a very small home network but I'd like to host a couple of internet servers (game server and web server most likely).

      It seems like I have two options:  1-to-1 NAT, or move the servers outside the firewall.

      1-to-1 NAT sounds nice but I'm not sure it's providing me with any benefits since it allows "open access" to the servers.  However, the disadvantage is that there is still NAT being performed (I think?) which could interfere with some game servers, etc.

      The alternative is to place the servers in front of the firewall (using VLANs) and then NAT will not be performed and each server will be assigned a public ip address.  This should allow clients (eg. game clients) to connect with the least amount of problems but might expose the server to more danger (?).

      I've attached two diagrams (one for each type of setup)…
[Attached diagrams: No_Firewall.png, 1_to_1_NAT.png]

kpa

        Where do you get the idea that 1:1 NAT somehow disables firewalling? That's completely untrue, you can use firewall rules with 1:1 NAT just fine.

sofakng

          Doesn't 1:1 NAT map every port between the internal and external ip addresses?  (eg. every port is "open")

kpa

It does indeed map every port from the external address to the internal address, but firewall rules are still applied to packets after NAT, so no packets can pass unless you allow the traffic by appropriate firewall rules.

sofakng

              It sounds like 1:1 NAT is basically port forwarding (DNAT?) but with every port enabled by default.

              Why not just use DNAT (port forwarding) instead of 1:1 NAT then?

rpsmith

The public IP of a 1:1 NAT, and not the firewall's WAN IP, gets associated with your 1:1 NATed host. If you have enough public IPs, 1:1 NAT is the way to go.

                Roy…

Efonnes

                  It is just a simpler way to configure it when it is what you want.  Yes, you could forward everything and set up an outbound NAT rule with static source ports and get the same effect.

sofakng

Sorry about the above; when I said "dynamic NAT" I actually meant static NAT (port forwarding)…

                    @rpsmith:

                    the public IP of a 1:1 NAT and not the firewall's WAN IP gets associated with your 1:1 NATed host.  If you have enough public IPs, 1:1 NAT is the way to go.

Doesn't port forwarding also use your additional public IP addresses? (e.g. using virtual IP addresses and proxy ARP with pfSense, then port forwarding specific ports to my additional addresses)

                    I apologize for being confused about this.

                    @Efonne:  That is how I'm thinking of it.  (eg. 1:1 NAT = default all ports forwarded and SNAT = default all ports NOT forwarded)

                    I'm not sure how game servers function behind any kind of NAT though (even 1:1, etc) so I'm not sure if it's better to just place them outside the firewall but I'm not sure anybody here would know that…

rpsmith

If you surf to http://whatismyip.com/ from a 1:1 NAT host, it will indicate your public IP is the same as your 1:1 NAT public IP. With a normal NAT host, it will show the public IP assigned to your firewall WAN interface regardless of any public IP you may have NATed to it.

                      Roy…
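The three claims made above (1:1 NAT maps every port yet nothing passes without a firewall rule, a port forward plus an outbound NAT rule with static source ports gives the same result, and an outbound connection from a 1:1 host carries the VIP while a merely port-forwarded host carries the WAN IP) can be checked against a small model of the pf pipeline. This is an added example, not code from the thread or from pfSense; the addresses are constructed from the RFC 5737 documentation ranges, the 192.168.x.x hosts follow the poster's layout, and the game port 27015 is an assumption.

```python
"""Toy model of the pf pipeline pfSense uses (added example, not project code).

Order modelled, as described in the thread: inbound packets are translated
(binat for 1:1, rdr for port forwards) before the filter rules see them;
outbound packets are translated on the way out.
"""
import random
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges), not the poster's.
WAN_IP = "198.51.100.1"    # address on the firewall's WAN interface
VIP = "198.51.100.10"      # additional public IP (virtual IP) for the server
SERVER = "192.168.1.2"     # server on the OPT1 VLAN
LAN_PC = "192.168.0.50"    # ordinary client on the LAN
INTERNAL = ip_network("192.168.0.0/16")
GAME_PORT = 27015          # assumed game server port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def binat(pkt: Packet, inbound: bool) -> Packet:
    """1:1 NAT: VIP <-> SERVER for every port, in both directions."""
    if inbound and pkt.dst == VIP:
        return replace(pkt, dst=SERVER)
    if not inbound and pkt.src == SERVER:
        return replace(pkt, src=VIP)
    return pkt


def rdr(pkt: Packet, forwards: dict) -> Packet:
    """Port forward: forwards maps (public ip, port) -> internal ip."""
    target = forwards.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=target) if target else pkt


def outbound_nat(pkt: Packet, mappings: dict, static_port: bool) -> Packet:
    """Outbound NAT for internal sources: mapped public IP, WAN_IP by default.
    Without 'static port' pf rewrites the source port to a fresh ephemeral one."""
    if ip_address(pkt.src) not in INTERNAL:
        return pkt                      # already public (e.g. rewritten by binat)
    sport = pkt.sport if static_port else random.randint(49152, 65535)
    return replace(pkt, src=mappings.get(pkt.src, WAN_IP), sport=sport)


def passes(pkt: Packet, pass_rules: set) -> bool:
    """WAN filter rules are evaluated against the *translated* destination."""
    return (pkt.dst, pkt.dport) in pass_rules


def inbound_1to1(pkt: Packet, pass_rules: set):
    """1:1 NAT then filter: the delivered packet, or None if no rule passes it."""
    pkt = binat(pkt, inbound=True)
    return pkt if passes(pkt, pass_rules) else None


def outbound_1to1(pkt: Packet) -> Packet:
    """1:1 mapping first, then the automatic outbound NAT for everything else."""
    return outbound_nat(binat(pkt, inbound=False), {}, static_port=False)


def inbound_rdr(pkt: Packet, forwards: dict, pass_rules: set):
    """Port forward then filter."""
    pkt = rdr(pkt, forwards)
    return pkt if passes(pkt, pass_rules) else None


def outbound_rdr(pkt: Packet, mappings: dict, static_port: bool = True) -> Packet:
    """Port-forwarded host going out: only an explicit outbound NAT rule makes it
    appear as the VIP; otherwise it leaves with the WAN address."""
    return outbound_nat(pkt, mappings, static_port)


if __name__ == "__main__":
    rules = {(SERVER, GAME_PORT)}       # the only pass rule on WAN
    for pkt in (Packet("203.0.113.7", VIP, 40000, GAME_PORT),
                Packet("203.0.113.7", VIP, 40001, 22)):
        print("to port", pkt.dport, "->", inbound_1to1(pkt, rules))
    out = Packet(SERVER, "203.0.113.7", GAME_PORT, 40000)
    print("1:1 outbound source:", outbound_1to1(out).src)
    print("port-forward-only outbound source:", outbound_rdr(out, {}).src)
```

The `passes` check is the point kpa made: with 1:1 NAT the inbound rule must name the internal address, because by the time the filter runs the destination has already been rewritten, and an inbound packet to a port with no rule is dropped even though the mapping covers every port.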

sofakng

                        Ahhh, I didn't think about the opposite direction.

How does that affect servers? (e.g. there aren't any users behind certain public IP addresses; they are only used for web servers, mail servers, etc.)

rpsmith

                          I'm not really sure what problems if any that will cause but if someone connects to one of your hosts and the returning TCP packets coming back from that host have a different source address than the original requested address, that might cause some problems.

                          Roy…

jimp (Rebel Alliance Developer, Netgate)

                            rpsmith,

                            That is not an issue. The state is tracked on port forwarded traffic on VIPs and they go back out the right way.

                            You can setup outbound NAT to make the outbound-initiated traffic go out a VIP also, but as others have stated in the thread, 1:1 is easier, and no less secure to use on a VIP as long as you still have appropriate firewall rules.

scoop

                              You have another option: If you want to avoid NAT altogether but still want to be able to filter traffic, you can also consider bridging the WAN interface to the separate VLAN that has your internet servers.

sofakng

                                Wow… lots of options.

                                What advice do you have for me and my situation?  (re: game server)

The game server is on a dedicated VLAN and will have a public IP address (either assigned directly or via 1:1 NAT, etc.).

                                It looks like my options are:

                                1. Port forwarding (SNAT)
                                2. 1:1 NAT
                                3. OPT interface bridged to WAN
                                4. OPT interface routed to WAN (?)

EDIT: The one requirement I do have is to be able to connect to my game server from inside my LAN network, but for security I'm fine with accessing it via its public IP address (so the server won't have access to my internal network, etc.)

chpalmer

I do this very successfully here. In contrast, I have one static IP that I use for my servers and one DHCP address I'm provided by my ISP that I use for the rest of the network.

I have a virtual address (my public static IP) set up on my WAN. I port forward the incoming ports for that particular traffic to the server I want it to go to, and then an outbound NAT rule makes the server show up on the other end as the correct IP.

rpsmith

I would avoid bridging unless your hosted service has a problem with NAT. If NATing, I would use 1:1 NAT if you have enough IPs. 1:1 NAT requires a separate public IP for every private IP behind NAT.

                                    Roy…

rpsmith

                                      @jimp:

                                      That is not an issue. The state is tracked on port forwarded traffic on VIPs and they go back out the right way.

                                      jimp - Thanks for the clarification!

                                      Roy…

Efonnes

                                        If the VLANs are handled as separate networks in pfSense, then you could block traffic from the network that has your servers when your LAN is the destination.

If you want to access the servers by their public IP addresses, you could put outbound NAT rules on your LAN to translate the addresses from the server network to their public IP addresses and use port forwards on LAN to forward connections from LAN to your public IP addresses to the correct address on your server network. That may possibly require 2.0 for the needed options on the port forwards, though, which has a NAT reflection option for 1:1 mappings anyway.

sofakng

                                          Here's what I have so far based on the advice you have all given:

                                          LAN is configured as vlan0 (192.168.0.1) (VLAN ID: 1)
                                          OPT1 is configured as vlan1 (192.168.1.1) (VLAN ID: 2)

Server is assigned 192.168.1.2 and has 1:1 NAT to a public IP address.

                                          OPT1 Firewall rule:  DENY OPT1 -> LAN
                                          OPT1 Firewall rule:  ALLOW OPT1 -> any

Does that sound right? This allows my private LAN to connect to my server (using its internal network address [192.168.1.2]), but denies connections from the server to my LAN. I'm not sure how safe this is, but it seems like the correct method for what I want?

(NOTE: I don't need to connect to my server using its public IP address. I only need to be able to connect to it from my LAN.)
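The OPT1 rule set in the post above can be checked against a small model of how pfSense evaluates it: rules on an interface are first match wins, and a passed connection creates a state that lets its replies through without consulting the rules again. This is an added example, not code from the thread or from pfSense; it mirrors the poster's addressing (LAN 192.168.0.0/24, OPT1 192.168.1.0/24, server at 192.168.1.2) and assumes a LAN client at 192.168.0.50 and a game port of 27015.

```python
"""First-match, stateful evaluation of the OPT1 rules (added example, not
pfSense code). Shows that the LAN can open connections to the server and get
replies back, while the server cannot open connections into the LAN, and that
reversing the two OPT1 rules silently removes the protection."""
from ipaddress import ip_address, ip_network

# Constructed to match the poster's layout; the client and port are assumptions.
LAN_NET = ip_network("192.168.0.0/24")
OPT1_NET = ip_network("192.168.1.0/24")
SERVER = "192.168.1.2"
LAN_PC = "192.168.0.50"
FW_OPT1_ADDR = "192.168.1.1"    # the firewall's own address on OPT1
GAME_PORT = 27015

# (action, interface, source net, destination net); "any" matches everything.
OPT1_RULES = [
    ("block", "OPT1", OPT1_NET, LAN_NET),   # DENY  OPT1 -> LAN
    ("pass", "OPT1", OPT1_NET, "any"),      # ALLOW OPT1 -> any
]
LAN_RULES = [("pass", "LAN", LAN_NET, "any")]   # stock "allow LAN to any"


def matches(net, addr: str) -> bool:
    return net == "any" or ip_address(addr) in net


class Firewall:
    """Per-interface rule list evaluated top to bottom, first match wins,
    implicit default deny, plus a state table keyed on the 4-tuple."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()          # (src, sport, dst, dport) of passed flows

    def lookup(self, iface: str, src: str, dst: str) -> str:
        for action, r_iface, r_src, r_dst in self.rules:
            if r_iface == iface and matches(r_src, src) and matches(r_dst, dst):
                return action
        return "block"               # nothing matched: default deny

    def handle(self, iface: str, src: str, sport: int,
               dst: str, dport: int, syn: bool) -> str:
        key = (src, sport, dst, dport)
        if key in self.states or (dst, dport, src, sport) in self.states:
            return "pass"            # existing state, either direction
        if not syn:
            return "block"           # mid-stream packet with no state
        action = self.lookup(iface, src, dst)
        if action == "pass":
            self.states.add(key)     # new connection: remember it
        return action


if __name__ == "__main__":
    fw = Firewall(OPT1_RULES + LAN_RULES)
    print("LAN -> server  :", fw.handle("LAN", LAN_PC, 51000, SERVER, GAME_PORT, True))
    print("server reply   :", fw.handle("OPT1", SERVER, GAME_PORT, LAN_PC, 51000, False))
    print("server -> LAN  :", fw.handle("OPT1", SERVER, 40000, LAN_PC, 445, True))
    print("server -> fw   :", fw.handle("OPT1", SERVER, 40002, FW_OPT1_ADDR, 443, True))
```

Two things the model makes visible. Rule order matters: pfSense interface rules are applied with pf's `quick` semantics, so if "ALLOW OPT1 -> any" were placed above the deny, the deny would never be reached. And "LAN net" as the destination does not cover the firewall's own OPT1 address (192.168.1.1), which sits inside the OPT1 network, so the server can still reach whatever pfSense itself listens on there (web GUI, DNS forwarder); if that is not intended, add a block rule for OPT1 net to the OPT1 address (or the "This Firewall (self)" destination in current releases) above the allow rule.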

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.