Confused about 1:1 NAT



  • We are connecting our devices to someone else's network and we need remote access to these devices. The network is not able to supply a VPN. Therefore, the network admin gave us a 1:1 NAT. I understand using a 1:1 NAT to an individual server and using that public IP to get to that server on the LAN. I'm confused on how this gives us remote access to multiple devices. Do I set my pfSense WAN interface to the given public IP address and effectively have a separate LAN on their network, or what?


  • LAYER 8 Global Moderator

    Did they give you a 1:1 for the network you're on at their location?

    For example, if your devices are, say, 192.168.1.0/24 and you have devices at .100 through .110,

    and your public range is 1.2.3.0/24 – so 1.2.3.100 would go to 192.168.1.100 and 1.2.3.103 would go to 192.168.1.103?

    Or if they gave you access to 1 of your devices, you could then run whatever remote access you needed, be it a VPN into this 1 device, or remote desktop to that 1 device, and then you could remote desktop to your other devices from that 1 device?

    More info would be helpful.
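    The two cases the moderator distinguishes above (a whole block mapped 1:1 at matching offsets, versus a single public address mapped to one host that then acts as a VPN/jump box) can be modelled directly. The following is an added example, not code from the thread or from pfSense; it uses the moderator's hypothetical 1.2.3.0/24 and 192.168.1.0/24 ranges, and the host list, packet structure and `remote_access_path` helper are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet: only the fields a 1:1 NAT touches or needs."""
    src: str
    dst: str
    dport: int


class OneToOneNat:
    """Stateless 1:1 (binat-style) NAT between a public block and a private block.

    Each public address maps to the private address at the same offset, which is
    the moderator's case: 1.2.3.100 <-> 192.168.1.100, 1.2.3.103 <-> 192.168.1.103.
    A single-address 1:1 NAT is the same thing with two /32 blocks.
    """

    def __init__(self, public: str, private: str):
        self.public = ipaddress.ip_network(public)
        self.private = ipaddress.ip_network(private)
        if self.public.prefixlen != self.private.prefixlen:
            raise ValueError("public and private blocks must be the same size")

    def to_private(self, public_ip: str):
        ip = ipaddress.ip_address(public_ip)
        if ip not in self.public:
            return None  # not part of the 1:1 mapping at all
        offset = int(ip) - int(self.public.network_address)
        return str(self.private.network_address + offset)

    def to_public(self, private_ip: str):
        ip = ipaddress.ip_address(private_ip)
        if ip not in self.private:
            return None  # this LAN host has no dedicated public address
        offset = int(ip) - int(self.private.network_address)
        return str(self.public.network_address + offset)

    def inbound(self, pkt: Packet):
        """Packet arriving from the internet: rewrite dst if mapped, else drop (None)."""
        priv = self.to_private(pkt.dst)
        if priv is None:
            return None
        return Packet(pkt.src, priv, pkt.dport)

    def outbound(self, pkt: Packet):
        """Reply leaving the LAN: rewrite src back to the matching public address."""
        pub = self.to_public(pkt.src)
        if pub is None:
            return None  # would have to use the site's shared outbound NAT instead
        return Packet(pub, pkt.dst, pkt.dport)


# Constructed LAN: the moderator's .100 through .110 devices.
LAN_HOSTS = [f"192.168.1.{i}" for i in range(100, 111)]


def reachable_from_internet(nat: OneToOneNat, hosts):
    """Hosts an outside client can hit directly, i.e. that have a public 1:1 address."""
    return [h for h in hosts if nat.to_public(h) is not None]


def remote_access_path(nat: OneToOneNat, target: str, jump: str):
    """Hops an outside client must take to reach `target` (constructed helper).

    Direct if the target is 1:1 mapped; otherwise via a mapped jump host running
    a VPN or remote desktop, which is the moderator's second option.
    """
    direct = nat.to_public(target)
    if direct is not None:
        return [direct, target]
    jump_pub = nat.to_public(jump)
    if jump_pub is not None:
        return [jump_pub, jump, target]
    return []  # no mapped entry point, so nothing is reachable from outside


if __name__ == "__main__":
    block = OneToOneNat("1.2.3.0/24", "192.168.1.0/24")
    single = OneToOneNat("1.2.3.100/32", "192.168.1.100/32")
    print("block, reachable:", reachable_from_internet(block, LAN_HOSTS))
    print("single, reachable:", reachable_from_internet(single, LAN_HOSTS))
    print("single, path to .103:", remote_access_path(single, "192.168.1.103", "192.168.1.100"))
```

With a whole block mapped, every device is reachable on its own public address and there is nothing for pfSense to do; with a single mapped address, only that one host is reachable and the other devices are only accessible by hopping through it, which is why a VPN or remote-desktop jump on the mapped host is the practical answer.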



  • I was given a single 1:1 NAT with one public WAN IP NAT'ed to a LAN IP (e.g. 192.168.1.100) with a block of 5 IPs on that LAN. My question is, could I set a pfSense up on that 1:1 NAT WAN IP to use it as a VPN server and connect to the rest of the 5 LAN devices?


  • LAYER 8 Global Moderator

    Well, that might be a bit difficult depending on how they have the devices connected. Does the one device you're wanting to run pfSense on have 2 interfaces? So do these other devices you have not have internet access? Or when they go out to the internet, do they come from a different IP range than the 1:1 NAT they gave you?



  • The pfSense device is an embedded system with 3 interfaces (LAN, WAN, OPT1). The other devices would be in the same range as the 1:1 NAT: .50 is the LAN NAT, and .51-.55 are the other devices.



  • This isn't a pfSense-related answer, but in complex situations like this I tend to use the free version of LogMeIn and attach to one box remotely that way and then hop from there to other internal servers.

    Sometimes using a "phone home" agent works better than trying to engineer complex networking.

