1:1 NAT not working



  • Hi,

    I know it is a very simple configuration, but somehow I am not able to get it done. I have installed pfSense 2.0.3 32-bit. Installation is completed and working fine. It is a three-interface installation: WAN, LAN and OPT1. WAN is a /30 subnet, LAN is 10.10.20.0/24 and OPT1 is 10.10.10.0/24.

    Now I want one of my public IPs to be configured with 1:1 NAT to one of the IPs on OPT1 (DMZ). The public IPs are a /29 subnet.

    I tried to follow all the guides available, but still I am not able to get it done.

    Can anybody please help me with how I can do it?



  • You are contradicting yourself, perhaps. Your WAN cannot be a /30 and your public range a /29. Unless they are routing it to one address in the /30, in which case you have a routed setup and 1:1 NAT is useless.



  • Hi,

    Thanks for the reply.

    My ISP has provided me the IP addresses in this fashion: our WAN IP is in a /30 subnet, that is 255.255.255.252, and 8 public IPs are in a /29, that is 255.255.255.248.



  • WAN IP is as below:

    IP (for our end device) : XXX.XXX.XXX.34
    Subnet                  : 255.255.255.252
    Gateway (for WAN IP)    : XXX.XXX.XXX.33

    8 public IPs:

    XXX.XXX.XXX.248
    XXX.XXX.XXX.249
    .
    .
    XXX.XXX.XXX.255

    Subnet: 255.255.255.248

    The XXX.XXX.XXX part is the same in all the IPs above; the only difference is the subnet.

    Please let me know how I can configure 1:1 NAT. I also had a word with the ISP, and they said it will work without any problem.



  • If they are not routed, then you will need to proxy ARP them, as in a Virtual IP, prior to the 1:1 NAT.



  • Thanks for your support.

    After your support, and support from the forum chat, I was able to configure the NAT, and ICMP ping was successful.

    But the one difficulty I am facing is this: 1:1 NAT between WAN and LAN is working fine, but 1:1 NAT between WAN and OPT1 is not successful.

    I have checked the firewall rules. Below are the firewall rules applied for the 1:1 NAT, configured with:

    WAN IP        : xxx.xxx.xxx.252 (also a Virtual IP of type "Other" created for this IP)
    LAN IP        : 10.10.20.60
    OPT1 (DMZ) IP : 10.10.10.59

    Firewall rules for WAN
    Proto  Source  Port  Destination      Port  Gateway  Queue
    ICMP   *       *     115.112.149.252  *     *        none
    ICMP   *       *     10.10.10.59      *     *        none
    ICMP   *       *     10.10.20.60      *     *        none

    Firewall rules for LAN
    Proto  Source  Port  Destination      Port  Gateway  Queue
    ICMP   *       *     *                *     *        none

    Firewall rules for OPT1 (DMZ)
    Proto  Source  Port  Destination      Port  Gateway  Queue
    ICMP   *       *     *                *     *        none

    Now, if I configure the 1:1 NAT for WAN and LAN, the ping is successful. But if I change the IP from 10.10.20.60 (LAN) to 10.10.10.59 (OPT1 - DMZ), then I do not get a ping. If I change the IP back to LAN, the ping is successful again.

    Can you please guide me on where I am wrong?



  • Let me preface this with: ping is not a good way to tell if things are working properly. I would test with HTTP, SSH, or just about any TCP service (aside from FTP). It would also be nice to know where you are pinging from.



  • Not only the NAT: I have also now found that I am not able to access the internet from the OPT1 (DMZ) network at all. I can access the internet from LAN, but not from OPT1.

    I tried one PC on the LAN subnet with the LAN interface IP as gateway, and my internet works fine. But when I move the same system to the OPT1 subnet and give it the OPT1 interface IP as gateway, my internet does not work.



  • Well, according to the rules you posted, only ping is allowed out. You need to add a rule for outbound traffic from OPT1. There is not one by default; only on LAN is one created by default. The global rule is to block.



  • Hi,

    I checked the firewall rules and I don't find any such rule even for LAN. Can you guide me on where I should put this outbound rule?



  • The rule should be on LAN and on OPT1, and it basically says that traffic from LAN net / OPT1 net to any is allowed.
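  • For reference, below is what the setup discussed in this thread boils down to in pf terms (pfSense generates pf rules from the GUI settings). This is an added illustration, not something posted by anyone in the thread and not pfSense's exact generated ruleset: the interface names em0/em2 and the public address 203.0.113.252 are placeholders standing in for the masked xxx.xxx.xxx.252, and the HTTP/SSH rule follows the suggestion above to test with TCP rather than ping. The Proxy ARP Virtual IP itself does not appear in pf.conf; pfSense answers ARP for the extra /29 addresses with a separate daemon (choparp), so the VIP is a prerequisite that has to exist before the binat below can receive any traffic at all.

```pf
# pf.conf fragment mirroring the thread's 1:1 NAT + DMZ setup (added example,
# not the poster's config; em0/em2 and 203.0.113.252 are assumed placeholders).
ext_if    = "em0"                 # WAN (/30 from the ISP)
dmz_if    = "em2"                 # OPT1, the DMZ
dmz_net   = "10.10.10.0/24"       # OPT1 subnet from the thread
lan_net   = "10.10.20.0/24"       # LAN subnet from the thread
dmz_host  = "10.10.10.59"         # DMZ server behind the 1:1 NAT
public_ip = "203.0.113.252"       # one address of the non-routed /29 (placeholder)

set skip on lo0
scrub in all

# 1:1 NAT: bidirectional translation between the DMZ host and the public address.
# Requires the Proxy ARP VIP for $public_ip on $ext_if (handled outside pf).
binat on $ext_if from $dmz_host to any -> $public_ip

# pfSense's global default: everything not explicitly passed is blocked.
block in log all

# WAN rules. Translation happens before filtering, so the destination is the
# *internal* address, not the public one (the thread's 10.10.10.59 WAN rule).
pass in quick on $ext_if inet proto icmp from any to $dmz_host keep state
pass in quick on $ext_if inet proto tcp from any to $dmz_host port { 22 80 443 } \
    flags S/SA keep state

# OPT1 rules. This is the rule the thread found missing: LAN gets an
# "allow LAN net to any" rule by default, OPT1 gets nothing.
# Added caveat beyond the thread: a plain "DMZ to any" also lets the DMZ reach
# LAN, so deny that first and then allow the rest (internet) out.
block in quick on $dmz_if inet from $dmz_net to $lan_net
pass  in quick on $dmz_if inet from $dmz_net to any keep state

# LAN keeps its default allow-all-out behaviour.
pass in quick on $dmz_if inet from $lan_net to any keep state
```

    Two points worth checking against this on a live box: `pfctl -sn` should list the `binat` line for the DMZ host, and `pfctl -sr` should show a `pass in` rule on the OPT1 interface whose source is the OPT1 subnet. If the binat is there but inbound TCP to the public address still fails, the Proxy ARP VIP is the usual culprit: without it the upstream router never learns which MAC owns the /29 address.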

