Is 1:1 NAT good for my setup…plz a lil hlp im newbie



  • I have 2 interfaces rl0=LAN and rl1=WAN
    ISP gave me this :

    IP 193.111.222.110
    Netmask 255.255.255.252 / 30
    Gateway 193.111.222.109
    DNS 193.111.111.1, 193.111.111.2
    Subnet 212.111.222.224/27
    LAN 192.168.1.0/24

    After readin a while the forums and documentation i decided to follow this setup :

    Firewall NAT 1:1 NAT

    WAN  212.111.222.225/32  192.168.1.201/32  pc1 
    WAN  212.111.222.226/32  192.168.1.202/32  pc2 
    WAN  212.111.222.227/32  192.168.1.203/32  pc3
    …...
    WAN  212.111.222.252/32  192.168.1.228/32  pc28

    Firewall Rules LAN Allow *  LAN net  *  *  *  *  Default LAN -> any

    Setup for lan machines are like pc1 IP 192.168.1.201 Gateway 192.168.1.254

    I have used until now floppyfw, small linux distribution that fitted on floppy :d, and worked fine with
    snat, dnat and still working fine but i need some traffic shaping and found pfsense to be easy and nice.

    As i read in forums 1:1 NAT should be applied only if you dont have an subnet of public ips, but i just dont get it how to do it, the examples i read were very complicated and this should be an simple task.
    Any help would be appreciated, thx




  • Hi

    I belive what you need is VIP's set up as CARP's, well thats how I've done my setup and it works fine.

    I used these posts as guides

    [snip…]

    Add virtual IPs for all your additional IPs (I suggest using CARP, this way you can add another machine for failover later easily)

    • Add 1:1 NATs between the virtual IPs and your internal IPs
    • Add firewallrules to allow traffic (destination is your internal IP as nat is applied first and firewallrules are matched after natting)

    […snip]

    Credits to Hoba

    http://forum.pfsense.org/index.php/topic,1787.0.html

    http://forum.pfsense.org/index.php/topic,1833.0.html

    or just browse the Carp section of the forum for more tips

    http://forum.pfsense.org/index.php/board,36.0.html



  • You may be making it more complex than you have to. You don't really NEED VIPs and 1-1 NAT unless you are hosting a bunch of services on the pc's. Port-forwards work fine for a few services like remote access to the box, a public webserver, etc. You should be able to run pfSense on a pretty much default install (after changing your WAN to static). If you don't need to run public services on the pc's, you could even leave them DHCP. If you want to use some of the /27 ip's, I would just add them as proxy-arp or CARP VIPS and create port-forwards using them as needed.



  • dotdash is right…
    And furthermore using 1:1 is a major leak in security even for linux users!
    If you're dividing services throug diferent machines there is no problem in using nat and only one port will be exposed.



  • 1:1 NAT won't automatically open everything to the public unless you create such firewallrules.



  • As hoba said, 1:1 NAT is not a security issue unless you want to make it one. If you have as many IP's as internal servers, it's usually preferable to use 1:1 NAT over port forwarding.


Log in to reply