1:1 NAT for dummies



  • Hi !

    I am trying to understand the 1:1 NAT feature in pfSense. Here is my basic configuration:

    red-PC ---------- 192.168.10.254 | pfSense | 192.168.2.254 ---------- green-PC
    192.168.10.250                                                        192.168.2.100
    GW: 192.168.10.254                                                    GW: 192.168.2.254

    firewall: pass all red<>green
    ping between red-PC and green-PC is working.
    2.0-RELEASE (i386)

    What I understand: with 1:1 NAT I can reach the green-PC by using an IP address which is not in 192.168.10.0/24.
    on red-PC:    >ping 192.168.12.100

    The ping should be replied to by 192.168.2.100 - is that correct?
    Destination IP 192.168.12.100 will be mapped to destination IP 192.168.2.100.

    But the ping fails! Any ideas?

    Next question:
    in the green subnet there is a PC with IP = 10.1.0.100/24.
    Is it possible to reach this PC from red-PC by using 1:1 NAT?

    Thanks for your support!




  • According to your network design, 192.168.12.x is not a valid subnet on your LAN. Unless you set up a VIP to proxy for it, the firewall will do nothing with it but block it or forward it nowhere.



  • Yes!

    I added a virtual IP address range on the red port.
    But this will not help. Which type should I use?

    It works!

    red-PC ---------- 192.168.10.254 | pfSense | 192.168.2.254 ---------- green-PC

    request:
    S: 192.168.10.250  >>>>>>>>>>>>>>>>>>  S: 192.168.10.250
    D: 192.168.12.100  >>>>>>>>>>>>>>>>>>  D: 192.168.2.100

    reply:
    S: 192.168.12.100  <<<<<<<<<<<<<<<<<<  S: 192.168.2.100
    D: 192.168.10.250  <<<<<<<<<<<<<<<<<<  D: 192.168.10.250



  • To complete this thread:
    by adding a virtual IP range (10.1.0.0/24) also on the green port, and changing the 1:1 NAT rule (Internal IP = 10.1.0.0/24), the following is possible:

    red-PC ---------- 192.168.10.254 | pfSense | 192.168.2.254 ---------- green-PC2 ---------- green-PC
    192.168.10.250                                                        10.1.0.111            192.168.2.100

    ping 192.168.12.111

    request:
    S: 192.168.10.250  >>>>>>>>>>>>>>>>>>  S: 192.168.10.250
    D: 192.168.12.111  >>>>>>>>>>>>>>>>>>  D: 10.1.0.111

    reply:
    S: 192.168.12.111  <<<<<<<<<<<<<<<<<<  S: 10.1.0.111
    D: 192.168.10.250  <<<<<<<<<<<<<<<<<<  D: 192.168.10.250

    ping 192.168.2.100

    request:
    S: 192.168.10.250  >>>>>>>>>>>>>>>>>>  S: 192.168.10.250
    D: 192.168.2.100   >>>>>>>>>>>>>>>>>>  D: 192.168.2.100

    reply:
    S: 192.168.2.100   <<<<<<<<<<<<<<<<<<  S: 192.168.2.100
    D: 192.168.10.250  <<<<<<<<<<<<<<<<<<  D: 192.168.10.250

    ping 192.168.12.100 will not work


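To make the address rewriting in the two configurations above concrete, here is an added Python model of the 1:1 rule (example code, not from pfSense or this thread): the external subnet is the VIP range on the red interface, the internal subnet is the rule's "Internal IP", and the set of answering hosts is constructed from the diagrams. It assumes the green side already routes replies back to pfSense, which the thread handles with the second VIP range.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class OneToOneNat:
    external: IPv4Network  # VIP range on the red (LAN) interface
    internal: IPv4Network  # "Internal IP" of the 1:1 rule

    def __post_init__(self):
        if self.external.prefixlen != self.internal.prefixlen:
            raise ValueError("1:1 NAT maps two networks of equal size")

    def _shift(self, addr, from_net, to_net):
        # keep the host part, swap the network part (this is what makes it 1:1)
        offset = int(addr) - int(from_net.network_address)
        return IPv4Address(int(to_net.network_address) + offset)

    def inbound(self, pkt):
        # red -> green: rewrite the destination only if it hits the VIP range
        if pkt.dst in self.external:
            return replace(pkt, dst=self._shift(pkt.dst, self.external, self.internal))
        return pkt

    def outbound(self, pkt):
        # green -> red: rewrite the source only if it comes from the internal range
        if pkt.src in self.internal:
            return replace(pkt, src=self._shift(pkt.src, self.internal, self.external))
        return pkt


# constructed from the thread's diagrams: hosts that will answer an echo request
HOSTS = {IPv4Address("192.168.2.100"), IPv4Address("10.1.0.111")}


def ping(nat, src, dst, hosts=HOSTS):
    """Return (destination after NAT, reply source as seen on red) or None if nobody answers."""
    req = Packet(IPv4Address(src), IPv4Address(dst))
    if nat is not None:
        req = nat.inbound(req)
    if req.dst not in hosts:
        return None  # translated (or untranslated) target does not exist: ping fails
    rep = Packet(req.dst, req.src)
    if nat is not None:
        rep = nat.outbound(rep)
    return str(req.dst), str(rep.src)
```

The first post's failure is `ping(None, ...)` (no VIP, no rule), and the last post's `ping 192.168.12.100 will not work` falls out of the rule change: 192.168.12.100 now maps to 10.1.0.100, where no host exists.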