A quick Multi-NAT question?

  • Hi all,

    I wanted to drop by and ask if anyone knows how to setup Multi-NAT for example with my current Draytek router i have it setup like this

    LAN IP Network Configuration:

    For NAT Usage:
      1st IP Address:
      1st Subnet Mask:
    For IP Routing Usage:
      2nd IP Address: 81.XXX.26.193
      2nd Subnet Mask:

    What i would like to know is how do i set this up in pfSense? currently my servers have their NIC's setup looking at one of the IP.s from my public subnet range. I am been clicking and trying everything, but for some reason i carnt get the servers to be seen externally. Any help would be greatly appreciated ;-)

    Thanks so much.

  • This doesn't make much sense to me, need more info. A picture can say a thousand words.

    Is the public 81.x.x.x on the WAN interface?
    The private 192.x.x.x on the LAN?
    Servers on the LAN?

    Need a Forward rule for each server's service that you need to make visible on the WAN, Outside.
    You may also need a firewall rule to allow it.
    By default you have access outbound from the LAN to the WAN, but not inbound.

    pfSense documents will tell you how. The book has even more info.

  • Thats correct, yes

    For NAT Usage:
      1st IP Address: << This is the internal subnet (LAN)
      1st Subnet Mask: 
    For IP Routing Usage:
      2nd IP Address: 81.XXX.26.193 << This is my WAN range
      2nd Subnet Mask:

    However i have my server NIC cards set to look at the external (Public) subnet range.

  • The only prob with server forwarding i have is that some of my servers have licensed software on them. And when i route it in this way the license servers see the IP from my local (LAN) subnet range and not that of the actually public (WAN) IP, if that makes any sense

  • Netgate Administrator

    Do you have more than one public IP? And you want to assign these to your internal servers?

    What software is that that won't work on a private IP address?  ::) Are you sure it can't be configured to do so?


  • Thats correct, i have a block of 16 public IP's assigned by my upstream provider.

    As for the software licensing issues. I need the external vendors license servers to see the public IP, or it will error when i try and use it. You see most of the web biased software i am using, uses live license server call-backs to their servers to verify the servers license status and IP usage. If it differs to what is on my account, it will display a license error. This is due to the my server broadcasting on a local subnet, rather than my public one. Now my current setup is a Draytek Vigor 2820 router, and that has a double subnet range feature, one being the local and one being public. Now how i have configured my internal servers, is the NIC cards have the public ip i want assigned them, then the public subnet mask and then the public ip of the router it passes. I would like to upgrade to pfsense, but before i can do this i need to be able to sort the issues i have with Multi-NAT with pfSense.

  • Does anyone know how this would be done?  :)

  • Netgate Administrator

    The way this is often handled is to add virtual IP's on your wan and then use 1:1 NAT to your internal servers.


  • But you see that would mean assigning the internal server with a local ip from the local subnet rather than a public ip from the public subnet range wouldnt it?

    At this moment in time this is how my traffic is managed

    Internet >> 81.XXX.26.193 (Draytek Router) > 81.XXX.26.194 (Web Servers Public IP) > Internal Server (NIC Assigned with public IP, subnet mask and routers public IP

  • This is how i set it up and when i try and get it to go i can surf the internet ok with it but no internal traffic is able to see the internal server on its public ip

    So it looks like i have set it up ok, Now as i have fiber (BT Infinity) i have my WAN interface configured as a PPPoE dialer. This is the only way that i can do this as there are no vDSL/FTTC modems yet on the market here in the UK. Well if there is they are megga expensive. So what do i do next to get this working?

  • Netgate Administrator


    But you see that would mean assigning the internal server with a local ip from the local subnet rather than a public ip from the public subnet range wouldnt it?

    Yes but that shouldn't be a problem because traffic to/from the server externally will appear to be from whatever public IP you have set it to.

    1:1 NAT is not meant to work as you have it setup. It is supposed to tranlate public to private IPs. You will not be able to reach your servers as there is no route to reach them.

    It's possible to disable NAT altogether and route the public IPs to your server which is what you want to do. However I have no experience with that.  :-
    I would think you could achieve everything you need to using all private IPs internally.

    I have BT infinity so I understand your connection setup. You are presumably using the HG612 supplied by BT/Openreach?


  • You probably need to bridge the WAN and LAN if your servers inside have to recognize it's own IP. If you need an internal network too then add a add a second interface for it.

    I think that most use a second interface OPT1, renamed DMZ or SERVERS etc. as the Bridged interface and the LAN for a NAT internal network. The Book has some info on setting up a bridge, and I am sure there is some info online etc.

    There are some routing challenges between the networks in this senario, because you gateway is now your ISP's router and that won't know how to get to your internal LAN network.

    If you don't need a second interface then just bridge the WAN and LAN.

    Select Interfaces -> Assign: Select 'Bridges' tab and click the + in the grey box to assign the bridge. Select WAN and LAN and away you go. Only click advanced if u know what you are doing.

    Hope this helps.

Log in to reply