Adding 1:1 NAT to existing NAT-Rules



  • Hi,

    we've been using pfsense for about 1 or 2 years now and have multiple Public IPs with several port forwardings and rules created. Everything is working fine.

    For outgoing traffic, we have only one Public IP and now want to have a second one.

    As I understand it, I have to set a 1:1 NAT for one of our public IPs, which can then only be used for the set internal IP address for incoming traffic, and traffic coming from that internal IP would be sent by pfsense over the set external IP. Is this the correct approach?
    All public IPs are set as Virtual IPs in pfsense.

    Does this approach interfere in any way with existing NAT rules if we use a Virtual IP that isn't used in any NAT rule? By NAT rules I mean the rule list in Firewall:NAT:Port Forward.

    To be clear about what we want to have:
    At the moment, we have about 15 public IPs with several Port Forwardings. Our outgoing traffic all runs over only one public IP, let's assume this is 1.2.3.4. For one internal IP, we want to set another public IP, let's assume 1.2.3.5, so that all outgoing traffic from this internal system goes to the internet as 1.2.3.5 rather than 1.2.3.4.

    And for possible further problems: Is it possible to set more than one internal IP per 1:1 NAT to an external IP?


  • Rebel Alliance



  • Yeah, I already checked this.

    I know that Port Forwarding overrules 1:1 NAT.

    But what I don't know for sure is whether adding a 1:1 NAT rule could have an effect on existing rules and perhaps cause some problems.

    Sure, the chosen Virtual IP could have problems if we are using it, but all other Virtual IPs should stay untouched and everything should work?

    I'm asking because I have no system for testing and have to apply the 1:1 NAT on a production pfsense, and killing all internet access would be very harmful. So I want to be really sure that this won't happen.



  • Humm… why 1:1 NAT???

    I (which is just a personal opinion) think that just normal NATing is better, as you have MUCH more control.
    Secondly, why do you not just use AON? There you just say what subnet or host should be NATted out on what public IP.
    This is what I am doing here with 3WAN's with 5 Public's on each. Works like a charm.

    Just be aware, if you are not using AON and are going to switch to it, MAKE SURE that the config is correct, as you are saying that killing the internet would be very harmful.

    Anyway hope you get this solved.

