Does not really understand 1:1 NAT



  • Fairly new to pfsense, so forgive me if this is a trivial question

    I have 5 public IPs (1.1.1.94, 1.1.1.95, 1.1.1.96, 1.1.1.97, 1.1.98)
    My gateway provided from my ISP is 1.1.1.93/29
    I have 3 VLANS with serveral internal IPs, but 10.0.10.100 is used for a NAS and 10.0.10.200 is used for a server (both in VLAN10)

    I set up WAN = 1.1.1.94/29
    I set sup VIPs 1.1.1.95/29, 1.1.1.96/29, 1.1.1.97/29, 1.1.1.98/29

    I did a 1:1 NAT for 1.1.1.95 => 10.0.10.100
    And 1:1 NAT for 1.1.1.96 => 10.0.10.200

    I added all necessary NAT Port Forwards (under Firewall + NAT). Like: Destination 1.1.1.95 => Port80 => 1.0.10.100 and 1.1.1.96 to Port80 => 1.0.10.200

    Everything seemed OK, but then I got an error for me nightly Rsync job on the NAS (1.1.10.100) and discovered there were NO outbound access to internet.
    Then I removed the 2 1:1 NAT and now everything is working as it should….

    Of course nice it is working, but I dont understand about the 1:1 NAT. I thought I was suppose to use this in combantion with the VIP for my external  IPs. And I simply dont understand why it was NOT working with the 1:1 NAT enabled.

    Would greatly appreciate if anyone could point out to me where I lost it.... :)

    TIA



  • I'd need to see the interface config for the WAN, the actual VIP interface configs, your firewall rules that are either allowing or block access between the LAN/VLANs/WAN/ various IPs etc.

    Probably also need to take a look at the various Manual Outbound NAT rules that you probably never created and thus broke your states…

    Also, what version of pfsense?



  • Thank you so much for helping.
    My setup are just for home/hobby use. I just want to learn and understand more about this.
    So I am aware that I currently have no restrictions to my VLANS (all are configured like VLAN10 = allow everything).








  • Wow…  Look at all those outbound NAT rules.... ;D



  • Sorry I am not really sure - do you want me to post the outbound rules?



  • If you have multiple public IPs and are using a bridged connection with VLANs, you probably need Manual outbound NAT.  This becomes particularly simple to manage if you have two LANs created and the servers are on 1 and the normal use LAN is another.  Otherwise you should be able to make Outbound NAT rules that map a particular single server IP, a /32, to a particular VIP.  Pfsense needs to know what public IP you want your servers (and everything) to use when they hit the web, otherwise they will probably just try the default WAN IP.

    Making 1:1 totally solves where the inbound traffic from the various public IPs should go.
    Manual Outbound NAT solves sorta the same problem when the traffic originates on pfsense  > outward.



  • HI kejianshi,
    Thank you very much. I will look into this.

    And just to make sure I understand…. These missing manual NAT rules are also the reason why my 1:1 NAT did not work?

    Great! I really enjoy getting to know and understand these things.

    THANKS!



  • I think so.  I don't need those rules here because I use a single IP.
    And the multi-IP I worked with last had multiple WAN interfaces not VIPs so it worked fine with or without 1:1 and with or without Manual Outbound NAT.
    But I think yours might require it.  Yeah.

    Maybe someone will chime in to tell you a better way.  ::)



  • Just a hunch, but try using proxy-arp or carp for your virtual IPs and then try the 1-1 NAT again.



  • Well I managed to get it to work with 1:1 NAT using VIP (as IP Alias) and I just sat the firewall rules (for 1.1.1.195).


Log in to reply