Why NAT? Why not just Public IPs?



  • Hi!

    Sorry if this is a stupid question, but I have been thinking about this for a while and hope that somebody out there has more insight into this than I have.

    Let's say I have a couple of servers connected to OPT1 on a pfsense box with three interfaces (WAN, OPT1 for servers, and a CARP interface).

    Now I want to give each of these servers at least one public IP address to use for services such as FTP etc.

    I know I can use NAT etc., but wouldn't it be faster to skip this step and go straight from IP to IP?

    Would it be possible to skip the NAT step and configure the firewall to pass packets straight through without having to translate to RFC 1918 addresses etc.? Wouldn't it be faster to just pass traffic straight through after inspecting each packet and evaluating the firewall rules?

    I.e.:

    Client -> WAN -> processing rules -> Server on OPT (with same network as WAN)

    Is this simply not possible with pfsense or is there something that I have missed?

    If not, why would this be a stupid idea?

    If it is not possible on pfsense, do you know another product that does this? (Preferably open source.)

    What are your opinions on this, would it be faster/better and/or more difficult/insecure/stupid etc?

    I understand that some of you think that NAT adds a slight extra "layer of security" (IMHO it really does not), but right now I am focusing mainly on performance: the extra NAT step must mean extra work for the hardware, more memory usage etc.?

    Wouldn't it be faster to skip NAT in this case? Is it possible to do this today with pfsense (sorry if I have missed it; I have searched documents, FAQs etc. and never seen it mentioned anywhere)? With another firewall, router, firewall distro or similar?

    An example network plan for this without NAT could look like this:

    On WANs
    IP 2 Real IP-address for pfsense box #1
    IP 3 Real IP-address pfsense box #2

    On OPT1
    IP 4 CARP'd ("virtual") interface for servers?
    IP 5 Real IP-address for server #1
    IP 6 REAL IP-address for server #2
    etc.

    Today, with NAT, it has to look something like this:

    Public IP #2 WAN on pfsense box 1
    Public IP #3 WAN on pfsense box 2
    Public IP #4 etc.

    (CARP: both boxes have to use some RFC 1918 network for the CARP interfaces,
    and both boxes share a "virtual" failover/HA RFC 1918 IP address as the "real" gateway address used by the servers.)

    OPT1 has NAT rules, virtual IPs and firewall rules for translating the public IP addresses to the internal 192.168.0.x addresses of the real servers.
    internal IP #1 pfsense box 1 NIC
    internal IP #2 pfsense box 2 NIC
    internal IP #3 virtual CARP'd gateway address used by servers
    internal IP #4 server 1 internal interface address (translated to a public IP by the router/firewall)
    internal IP #5 server 2 etc.

    FTP and other protocols might break and/or need "extra configuration" because NAT is used. There is a risk that clients use the same private network, which can cause conflicts etc.

  • The system resources on the firewall(s) are being used slightly more and they "do a little more work", since the packets need to pass through NAT (compared to skipping this somehow?).

    Of course in some respects NAT really IS good and should probably be used for some services on these firewalls. It might also provide a somewhat "clearer overview" at first glance; there is a risk you mix up what is on the inside and what is on the outside if you only use one network and some of the resources on this network are "on the outside".

    It's been quite a while since I used the larger Cisco firewalls, but I think Cisco has (had?) a solution for this. I know there used to be a pretty crappy M$ solution that actually did this many years ago, but using an M$ solution is out of the question in this case. Any other ideas, help and thoughts about this are greatly appreciated!

    Cheers,
    E



  • It certainly is possible to not use NAT at all and have public IP addresses on machines behind a pfsense. All you need is a routed subnet and proper configuration.

    If the extra load from NAT on your pfsense system were a factor, then your hardware is inadequate to begin with.



  • With NAT you can have multiple servers using the same public IP.
    With NAT you can have high-availability load balancing between servers, e.g. for HTTP.



  • Of course it's possible. It's also very slightly less overhead, hence slightly higher achievable throughput on a given piece of hardware, though almost no one runs so near the maximum capacity of their hardware that it matters.

    Why NAT? For the reason it was invented - the vast majority of the time, you don't have enough public IPs for all your hosts, and you commonly have hosts that don't need to be directly reachable from the Internet where having strictly a public subnet would be wasteful of limited IPs. If you'll never have more hosts than you have public IPs, skip the NAT. Generally the only networks where I see that are ISPs, and a small minority of colo networks.



  • As for protection, the firewall is what should be relied on for blocking, not NAT, and this will be more the case with IPv6. All inbound connection requests to multiple public IP addresses being dropped by the firewall looks no different to an attacker than all inbound connection requests being dropped by the firewall on a router with NAT.



  • Thanks for all the replies. Since the performance loss with NAT is so small, I might just as well go with NAT anyway. Case closed :-)



  • Great, but nobody said how to do this. In some cases it is necessary to have a public IP directly on an interface. :-
    I'm curious, is it sufficient to add a route, or maybe some NAT rules as well?



  • @mbedyn:

    Great, but nobody said how to do this. In some cases it is necessary to have a public IP directly on an interface. :-
    I'm curious, is it sufficient to add a route, or maybe some NAT rules as well?

    Could you create your own post and give some more info about your problem? A public IP directly on an interface, ok, but on what system?



  • I do not need to create a separate post… the problem is still the same as in the original post.
    None of the previous responses explain
    how to route public IPs
    1. to the LAN network, or
    2. to another network, e.g. a DMZ.

    I would like to know if it is enough to create a static route in case 2 (I think it should be that simple),
    but I'm not sure how to do this in case 1, when I NAT some devices and do not want to NAT other devices (all devices are placed in the same physical segment).



  • @mbedyn:

    I do not need to create a separate post… the problem is still the same as in the original post.

    Doesn't matter, it's never a good practice on any forum to hijack threads, and we do not permit it. Start a new thread.



  • Hijack? Are you joking?? :)
    It is good practice not to create a separate post on the same topic… on every forum I know...
    I can't find any logical reason to duplicate the same question in my own topic, but ok, I will not "hijack" again...
    LOL...



  • @mbedyn:

    I do not need to create a separate post… the problem is still the same as in the original post.
    None of the previous responses explain
    how to route public IPs
    1. to the LAN network, or
    2. to another network, e.g. a DMZ.

    I would like to know if it is enough to create a static route in case 2 (I think it should be that simple),
    but I'm not sure how to do this in case 1, when I NAT some devices and do not want to NAT other devices (all devices are placed in the same physical segment).

    I haven't done this kind of setup. I've always managed with a NATed solution.



  • mbedyn: it is hijacking, as he was not asking how to do it but why do it at all. The routed solution is simple enough to understand. WAN has a public IP, usually from a /29 or a /30. Your ISP will then route a second set of public IPs to the second available IP in that block (the first available is usually the ISP gateway). This is usually a bigger block of IPs (/29 to /24). You then use that second block of IPs on one of your protected interfaces. Then all you need to do is create rules to allow traffic to internal resources using the live IPs as destinations. You could also create a bridge, but that is not really a routed solution, perhaps a half-routed solution.



  • You are right.. apologies to everyone.
    As for the mentioned setup, I have managed everything by myself; both solutions are possible.

    @podilarius thank you for the answer. My question was a little bit tricky: I wanted to know if it is possible to route a public network into the same physical segment as the LAN, e.g. a server behind the firewall has a private IP on one interface and a public IP on the same interface (e.g. a virtual interface), with only one physical connection to the firewall.
    And now I know it is possible, I have done it. You need to set a static route to the public IP behind the firewall via the private IP.
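The two designs discussed in this thread, the routed solution podilarius describes (an ISP-routed public block on OPT1, no translation) and mbedyn's variant (a public /32 on a LAN host reached by a static route via its private address), side by side with the NAT design from the original post, as an added example that is not code from the thread or from pfSense. It is a small forwarding-table simulator built on Python's `ipaddress` module: every address, interface name and the assumption that the ISP routes the second block to the pfSense WAN address are made up for illustration, and the firewall pass rules are assumed to allow the traffic shown.

```python
"""Routed (no-NAT) versus NAT'd addressing, as a small forwarding-table simulator.

Added example; not code from this thread or from pfSense. Every address below is
an assumption chosen from documentation/private ranges (RFC 5737 / RFC 1918):
  WAN block     198.51.100.0/30  .1 = ISP gateway, .2 = pfSense WAN address
  routed block  203.0.113.0/28   assumed to be routed by the ISP to 198.51.100.2
  LAN           192.168.0.0/24   one LAN host also carries 203.0.113.10/32
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

ISP_GW = ip_address("198.51.100.1")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Route:
    prefix: IPv4Network
    iface: str
    via: Optional[IPv4Address] = None  # None: directly connected, deliver to dst itself


@dataclass
class Firewall:
    routes: List[Route]
    # NAT design only: WAN virtual IP -> RFC 1918 host, i.e. what a port forward (rdr) does
    rdr: Dict[IPv4Address, IPv4Address] = field(default_factory=dict)

    def lookup(self, dst: IPv4Address) -> Route:
        """Longest-prefix match, the way the kernel forwarding table decides."""
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def forward(self, dst: str) -> dict:
        """Simulate one inbound packet arriving on WAN for `dst` (pass rules assumed to allow it).

        Reports the egress interface, the next hop, the destination address the
        packet leaves with, and whether that address had to be rewritten.
        """
        original = ip_address(dst)
        final = self.rdr.get(original, original)
        r = self.lookup(final)
        return {
            "iface": r.iface,
            "next_hop": str(r.via or final),
            "dst": str(final),
            "translated": final != original,
        }


def routed_firewall() -> Firewall:
    """Routed design: part of the ISP-routed /28 sits on OPT1 as a /29, nothing is translated."""
    return Firewall(routes=[
        Route(ip_network("0.0.0.0/0"), "wan", ISP_GW),
        Route(ip_network("198.51.100.0/30"), "wan"),
        Route(ip_network("203.0.113.0/29"), "opt1"),  # OPT1 = .1, servers = .2, .3
        Route(ip_network("192.168.0.0/24"), "lan"),
        # mbedyn's variant: a public /32 on a LAN host, reached via its private address
        Route(ip_network("203.0.113.10/32"), "lan", ip_address("192.168.0.10")),
    ])


def nat_firewall() -> Firewall:
    """NAT design from the original post: WAN virtual IPs are forwarded to RFC 1918 servers on OPT1."""
    return Firewall(
        routes=[
            Route(ip_network("0.0.0.0/0"), "wan", ISP_GW),
            Route(ip_network("198.51.100.0/29"), "wan"),  # .2 = WAN address, .3/.4 = VIPs
            Route(ip_network("192.168.0.0/24"), "opt1"),
        ],
        rdr={
            ip_address("198.51.100.3"): ip_address("192.168.0.11"),
            ip_address("198.51.100.4"): ip_address("192.168.0.12"),
        },
    )


def check_plan(wan: str, routed: str) -> List[str]:
    """Sanity checks before asking the ISP to route a block at your WAN address."""
    wan_net, routed_net = ip_network(wan), ip_network(routed)
    problems = []
    if wan_net.overlaps(routed_net):
        problems.append("routed block overlaps the WAN block; it must be a separate prefix")
    if any(routed_net.overlaps(n) for n in RFC1918):
        problems.append("routed block is RFC 1918 space; the ISP cannot route it to you")
    return problems


if __name__ == "__main__":
    print(check_plan("198.51.100.0/30", "203.0.113.0/28"))   # []
    print(routed_firewall().forward("203.0.113.2"))          # opt1, untranslated
    print(routed_firewall().forward("203.0.113.10"))         # lan via 192.168.0.10, untranslated
    print(nat_firewall().forward("198.51.100.3"))            # opt1, rewritten to 192.168.0.11
```

The point the simulator makes is the one the thread reaches: in the routed design the firewall's only job for an inbound packet is a route lookup plus the pass rule, and mbedyn's case is nothing more than a more specific (/32) route winning the longest-prefix match. In the NAT design the same packet additionally needs the rdr table consulted and its destination rewritten, which is the "little more work" the original poster asked about.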

