1-1NAT, newbie questions



  • First off, I really like pfSense so far. A lot better than IPCop which I'm coming from.

    This is building off the network I described: http://forum.pfsense.org/index.php/topic,4289.0.html

    NAT in pfSense has me very confused. I have a lot of things I need to set up, so I want to make sure I do this correctly.

    Let's assume I have 3 webservers, and a mailserver - all on 10.100.0.0. pfSense's LAN is on 10.200.0.0. pfSense has static routes to 10.100.0.0 through a Cisco.

    200.200.200.1 is the WAN address for Webserver 1
    200.200.200.2 is the WAN address for Webserver 2
    200.200.200.3 is the WAN address for Webserver 3
    200.200.200.10 is the WAN address for Mailserver (all fake IPs, for examples)
    Each need to have traffic passed to a 10.100.0.1, 10.100.0.2, etc. address respectively

    My understanding is I need to:

    1. Create VIPs for each WAN address
    2. Setup 1:1 NAT to link each WAN and LAN address
    3. Setup rules on WAN to pass traffic to LAN

    Is this correct? Thanks!



  • hey if you want to do a 1:1 NAT, first you need external ips for all the machines you're going to have internally.
    second you need to setup some virtual ips and set them as proxy arp

    thirdly, go to firewall->NAT->1:1

    and setup your external ip to an internal ip like such

    WAN  66.11.117.177/32  192.168.0.10/32

    hope this helps



  • Only specific machines get 1-1 NAT. So does this mean I have the wrong idea?

    I have 1-1NAT for my mailserver setup like you say (I have external IPs)
    I have a Proxy ARP setup for the mailserver. (WAN, single address, external IP)

    With this configuration the mailserver cannot ping to the outside world, nor can the outside world connect in.



  • Okay, so the Mailserver is still not working. Can't connect to it from the outside, and it cannot ping out (this one I can't understand at all!)






    Any ideas? (Mailserver is currently pingable, if you tried, because we're using our old firewall solution. I transition pfsense into place during off-hours for testing)



  • You do not need a port forward for a 1:1 host.  You simply need a firewall rule to permit the traffic since the firewall already does a 1:1 IP mapping.



  • So, other than that it appears I'm doing this correctly? Would the port forward cause this to not work, or is it merely "not needed"? Because I'm not doing something right!

    Entire LAN (remote through routes, and local) can access WAN. However Mailserver, which is on remote LAN, cannot. What could the problem be?



  • hey, like sullrich said when you're doing 1:1 nat you no longer need individual port forwarding as it will forward all ports to that machine. however, you do need to tell the firewall what traffic to allow through to that machine.



  • You should remove that rule on your LAN allowing source traffic from 64.x.x.x IP's, your LAN will never see traffic from that subnet.

    Aside from that, everything else looks fine. My first guess at the problem is an ARP cache upstream of you somewhere. If you have access to your perimeter router, or whatever is upstream from you, clear its ARP cache or power cycle it. If this is a DSL or cable connection, power cycle your modem to see if that makes any difference.



  • I am having a similar problem like this. I set the VIP's, set NAT 1:1 for the servers, and  added the rules and had some trouble but it started working. Then the system went down do to a power supply failure and when I got it back up, it wouldn't work any more. I even redid pfSenses (formatted, reinstalled and manually configured) and it still doesn't work. Talked to the ISP and even had someone come out to check the equipment (don't have access to it). Had them reset the arp tables and still nothing. A friend said they are using pf and 1:1 without VIP, so I tried that and still doesn't work. The servers have been down for the weekend, which is very very bad, and I need to get this fixed ASAP. I have submitted pictures of the config and everyone says it is OK, habo mostly, but still not working. Anyone have an ideas? It seems like it is at pf and it has to be with the rules, VIP, or 1:1. Here are the pictures of 1:1 and VIP. Sorry if this is double.






  • Here are the rules. It was too big to post with the others.




  • Alright. Mine IS working now. I removed the Port Forwarding rule, rebooted all switches and the router upstream from me, and things seem to be working well. Thanks!



  • I have similar problem. I can't do NAT on WAN2.
    On WAN it worked all the time but for WAN wan't  :(
    If I set it I allways have WAN IP.
    I do VIP's as Proxy ARP, CARP but it never worked.
    I try to set WAN2 ip as default route for few machines on LAN. Can somebody knows how to set this?


Log in to reply