Is 1:1 NAT good for my setup… please, a little help, I'm a newbie

  • I have 2 interfaces: rl0=LAN and rl1=WAN
    The ISP gave me this:

    Netmask /30

    After reading the forums and documentation for a while I decided to follow this setup:

    Firewall NAT 1:1 NAT

    WAN  pc1 
    WAN  pc2 
    WAN  pc3
    WAN  pc28

    Firewall Rules LAN Allow *  LAN net  *  *  *  *  Default LAN -> any

    The setup for the LAN machines is like this: pc1 IP Gateway

    Until now I have used floppyfw, a small Linux distribution that fitted on a floppy :D, and it worked fine with
    SNAT and DNAT and is still working fine, but I need some traffic shaping and found pfSense to be easy and nice.

    As I read in the forums, 1:1 NAT should be applied only if you don't have a subnet of public IPs, but I just don't get how to do it; the examples I read were very complicated and this should be a simple task.
    Any help would be appreciated, thanks

  • Hi

    I believe what you need is VIPs set up as CARPs; well, that's how I've done my setup and it works fine.

    I used these posts as guides:

    • Add virtual IPs for all your additional IPs (I suggest using CARP, this way you can add another machine for failover later easily)
    • Add 1:1 NATs between the virtual IPs and your internal IPs
    • Add firewall rules to allow traffic (destination is your internal IP, as NAT is applied first and firewall rules are matched after NATting)

    Credits to Hoba: 1787.0.html, 1833.0.html

    or just browse the CARP section of the forum for more tips: 36.0.html
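    As an added illustration of the three steps above (not code from this thread or from pfSense itself, which generates its own ruleset behind the GUI): a hand-written pf.conf fragment in the older pf syntax, using the poster's interface names rl0/rl1 and assumed RFC 5737 documentation addresses. The CARP VIP itself is created outside pf.conf (rc.conf on FreeBSD) and is only noted in a comment.

```pf
# Added example, hand-written pf.conf fragment. pfSense builds an equivalent
# ruleset from the GUI; this just shows what the three steps amount to.
# All addresses are assumed RFC 5737 documentation ranges.
ext_if  = "rl1"              # WAN
int_if  = "rl0"              # LAN
lan_net = "192.168.1.0/24"

# Step 1: the public VIPs. With CARP they live on a carp interface, e.g. in
# rc.conf (assumed values): ifconfig_carp0="vhid 1 pass <secret> 203.0.113.10/32"
# pf only refers to the resulting addresses.
vip_pc1 = "203.0.113.10"
vip_pc2 = "203.0.113.11"
pc1     = "192.168.1.10"
pc2     = "192.168.1.11"

# Step 2: 1:1 NAT is a bidirectional translation between VIP and internal host.
# Translation by itself exposes nothing; it only rewrites addresses.
binat on $ext_if from $pc1 to any -> $vip_pc1
binat on $ext_if from $pc2 to any -> $vip_pc2
# Every other LAN host shares the WAN address (ordinary outbound NAT);
# binat takes precedence over this rule for pc1 and pc2.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Step 3: filter rules. Translation runs before filtering, so inbound rules
# must match the *internal* address, never the VIP.
block in log on $ext_if all                              # default deny on WAN
pass in on $ext_if proto tcp from any to $pc1 port 80 keep state   # only HTTP reaches pc1
pass in on $ext_if proto tcp from any to $pc2 port 22 keep state   # only SSH reaches pc2
pass out on $ext_if all keep state
pass in on $int_if from $lan_net to any keep state       # the "Default LAN -> any" rule
```

    Without the two `pass in on $ext_if` lines the hosts keep their VIPs but accept nothing from the WAN, which is the point made later in the thread that 1:1 NAT opens nothing by itself.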

  • You may be making it more complex than you have to. You don't really NEED VIPs and 1:1 NAT unless you are hosting a bunch of services on the PCs. Port forwards work fine for a few services like remote access to the box, a public webserver, etc. You should be able to run pfSense on a pretty much default install (after changing your WAN to static). If you don't need to run public services on the PCs, you could even leave them on DHCP. If you want to use some of the /27 IPs, I would just add them as proxy ARP or CARP VIPs and create port forwards using them as needed.

  • dotdash is right…
    And furthermore, using 1:1 is a major leak in security, even for Linux users!
    If you're dividing services through different machines there is no problem in using NAT, and only one port will be exposed.

  • 1:1 NAT won't automatically open everything to the public unless you create such firewall rules.

  • As hoba said, 1:1 NAT is not a security issue unless you want to make it one. If you have as many IPs as internal servers, it's usually preferable to use 1:1 NAT over port forwarding.
