Netgate Discussion Forum

    Is 1:1 NAT good for my setup…plz a lil hlp im newbie

    6 Posts 6 Posters 3.9k Views
robertsony

I have 2 interfaces: rl0 = LAN and rl1 = WAN.
ISP gave me this:

      IP 193.111.222.110
      Netmask 255.255.255.252 / 30
      Gateway 193.111.222.109
      DNS 193.111.111.1, 193.111.111.2
      Subnet 212.111.222.224/27
      LAN 192.168.1.0/24

After reading the forums and documentation for a while, I decided to follow this setup:

Firewall > NAT > 1:1 NAT

Interface  External IP          Internal IP        Description
WAN        212.111.222.225/32   192.168.1.201/32   pc1
WAN        212.111.222.226/32   192.168.1.202/32   pc2
WAN        212.111.222.227/32   192.168.1.203/32   pc3
…...
WAN        212.111.222.252/32   192.168.1.228/32   pc28

Firewall > Rules > LAN: Allow, Proto *, Source LAN net, Port *, Destination *, Port *, Gateway *, Description "Default LAN -> any"

Setup for the LAN machines is like: pc1 IP 192.168.1.201, gateway 192.168.1.254.

Until now I have used floppyfw, a small Linux distribution that fit on a floppy :D, and it worked fine with
SNAT and DNAT and is still working fine, but I need some traffic shaping and found pfSense to be easy and nice.

As I read in the forums, 1:1 NAT should be applied only if you don't have a subnet of public IPs, but I just don't get how to do it; the examples I read were very complicated and this should be a simple task.
Any help would be appreciated, thx.

[attachment: rules.jpg]

Slam

        Hi

I believe what you need is VIPs set up as CARPs; well, that's how I've done my setup and it works fine.

        I used these posts as guides

        [snip…]

• Add virtual IPs for all your additional IPs (I suggest using CARP; this way you can add another machine for failover later easily)
• Add 1:1 NATs between the virtual IPs and your internal IPs
• Add firewall rules to allow traffic (destination is your internal IP, as NAT is applied first and firewall rules are matched after NATing)

        […snip]

        Credits to Hoba

        http://forum.pfsense.org/index.php/topic,1787.0.html

        http://forum.pfsense.org/index.php/topic,1833.0.html

        or just browse the Carp section of the forum for more tips

        http://forum.pfsense.org/index.php/board,36.0.html

dotdash

You may be making it more complex than you have to. You don't really NEED VIPs and 1:1 NAT unless you are hosting a bunch of services on the PCs. Port forwards work fine for a few services like remote access to the box, a public webserver, etc. You should be able to run pfSense on a pretty much default install (after changing your WAN to static). If you don't need to run public services on the PCs, you could even leave them on DHCP. If you want to use some of the /27 IPs, I would just add them as proxy-ARP or CARP VIPs and create port forwards using them as needed.

dot_desig

dotdash is right…
And furthermore, using 1:1 is a major leak in security, even for Linux users!
If you're dividing services through different machines, there is no problem in using NAT, and only one port will be exposed.

hoba

1:1 NAT won't automatically open everything to the public unless you create such firewall rules.

cmb

As hoba said, 1:1 NAT is not a security issue unless you want to make it one. If you have as many IPs as internal servers, it's usually preferable to use 1:1 NAT over port forwarding.

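An added illustration, not pfSense code and not posted by anyone in this thread, of the point the replies above turn on: on pfSense, inbound WAN traffic is translated first (1:1 NAT or a port forward) and only then matched against the WAN firewall rules, which default to deny. That is why Slam's third step names the internal address as the rule destination, why hoba and cmb say a 1:1 mapping alone exposes nothing, and how dotdash's port-forward alternative differs (one port moves, and outbound traffic keeps the shared WAN address). The addresses are the thread's own; the remote client 198.51.100.7 and the single SSH forward for pc2 are constructed for the example. CARP/proxy-ARP VIPs, state tracking and rule ordering subtleties are not modelled.

```python
# Added example, not pfSense code. Models the pf order on pfSense: inbound
# WAN traffic is translated first (1:1 NAT or port forward), and only
# then matched against WAN firewall rules, which default to deny.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class OneToOne:
    """1:1 NAT entry (pf binat): all ports, and outbound from the
    internal host is sourced from the external address."""
    external: str
    internal: str

@dataclass(frozen=True)
class PortForward:
    """Port forward (pf rdr): exactly one external proto/port."""
    external: str
    proto: str
    dport: int
    internal: str
    internal_port: int

@dataclass(frozen=True)
class PassRule:
    """WAN pass rule, matched AFTER translation, so dst is the
    internal address (host or CIDR); None means any."""
    proto: Optional[str]
    dst: str
    dport: Optional[int]

def translate_inbound(pkt, one_to_one, forwards):
    """First matching translation wins; unmatched packets are unchanged."""
    for m in one_to_one:
        if pkt.dst == m.external:
            return replace(pkt, dst=m.internal)
    for f in forwards:
        if (pkt.dst, pkt.proto, pkt.dport) == (f.external, f.proto, f.dport):
            return replace(pkt, dst=f.internal, dport=f.internal_port)
    return pkt

def wan_rules_allow(pkt, rules):
    """First-match pass rules; no match means pfSense's default deny."""
    for r in rules:
        if (r.proto in (None, pkt.proto)
                and ip_address(pkt.dst) in ip_network(r.dst, strict=False)
                and r.dport in (None, pkt.dport)):
            return True
    return False

def inbound(pkt, one_to_one, forwards, rules):
    """NAT first, then rules: returns (translated packet, passed?)."""
    t = translate_inbound(pkt, one_to_one, forwards)
    return t, wan_rules_allow(t, rules)

def outbound_source(internal_ip, one_to_one, wan_ip):
    """Source address seen from outside: the 1:1 external address if
    mapped, otherwise the WAN address via the default outbound NAT."""
    for m in one_to_one:
        if m.internal == internal_ip:
            return m.external
    return wan_ip

# Built from the thread's own addresses: pc1 behind a 1:1 mapping, pc2
# reachable only through one port forward (assumed). The client is constructed.
ONE_TO_ONE = [OneToOne("212.111.222.225", "192.168.1.201")]
FORWARDS = [PortForward("212.111.222.226", "tcp", 22, "192.168.1.202", 22)]
WAN_IP = "193.111.222.110"
CLIENT = "198.51.100.7"

def demo():
    web_pc1 = Packet(CLIENT, "212.111.222.225", "tcp", 80)
    ssh_pc1 = Packet(CLIENT, "212.111.222.225", "tcp", 22)
    ssh_pc2 = Packet(CLIENT, "212.111.222.226", "tcp", 22)
    web_pc2 = Packet(CLIENT, "212.111.222.226", "tcp", 80)
    good = [PassRule("tcp", "192.168.1.201", 80), PassRule("tcp", "192.168.1.202", 22)]
    # Mistake: a rule naming the public address never matches, because
    # the destination is already private when the rules are evaluated.
    bad = [PassRule("tcp", "212.111.222.225", 80)]
    return {
        "1to1_no_rules": inbound(web_pc1, ONE_TO_ONE, FORWARDS, []),
        "1to1_web_allowed": inbound(web_pc1, ONE_TO_ONE, FORWARDS, good),
        "1to1_ssh_blocked": inbound(ssh_pc1, ONE_TO_ONE, FORWARDS, good),
        "1to1_rule_on_public_ip": inbound(web_pc1, ONE_TO_ONE, FORWARDS, bad),
        "forward_ssh_allowed": inbound(ssh_pc2, ONE_TO_ONE, FORWARDS, good),
        "forward_other_port": inbound(web_pc2, ONE_TO_ONE, FORWARDS, good),
        "pc1_outbound_src": outbound_source("192.168.1.201", ONE_TO_ONE, WAN_IP),
        "pc2_outbound_src": outbound_source("192.168.1.202", ONE_TO_ONE, WAN_IP),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the 1:1-mapped packet arriving at the rules already addressed to 192.168.1.201 and being dropped until a pass rule for that internal address exists, port 22 on pc1 staying closed when only port 80 is passed, the rule written against the public 212.111.222.225 never matching, and pc1 (but not pc2) appearing to the world as its 1:1 external address for outbound traffic, which is the practical difference cmb points at when the public block is large enough.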
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.