Netgate Discussion Forum
    NAT 1:1 Help

    whitersx:

      I've been trying to configure pfSense to pass through a WAN subnet /27 to a LAN subnet /24 with no luck. I am able to ping both the WAN and LAN interface, yet when creating the 1:1 NAT as Interface WAN, External Subnet X.X.X.58/32, Internal Subnet X.X.X.103/32, and a WAN virtual IP (proxy ARP) X.X.X.58/32, it is not passing through. Additionally, my firewall looks completely open.

      Jonathan

    hoba:

        It's not passing through and it seems to be completely open? Isn't that kind of the opposite? Check firewall rules and provide more details about your rules please.

    whitersx:

          Currently there are two firewall rules

          WAN:

          Proto  Source  Port  Destination  Port  Gateway  Description
          *      *       *     *            *     *

          LAN:

          Proto  Source  Port  Destination  Port  Gateway  Description
          *      *       *     *            *     *

          Shouldn't those rules allow everything to pass through either way?

    hoba:

            If you set it up this way, why do you need a firewall then?

            Here is how it works:

            (Make sure first that your setup runs correctly with one real IP at the WAN interface. I'm confused by all the xxx in your IPs and all the /32 subnets. Do machines from LAN get out to the internet, and does everything work fine?)

            1. Add a Virtual IP
            If your provider doesn't need ARP replies for the additional IPs, try "Other".
            If your provider needs ARP replies, use Proxy ARP or CARP. With CARP you can easily add a failover machine later.

            2. Create a 1:1 NAT mapping the virtual IP to the internal IP

            3. Add firewall rules permitting that kind of traffic
            Keep in mind, NAT is applied first, then firewall rules.

            Example: you want to have a web server running on a machine inside your LAN and want it reachable via the virtual IP.
            Additional public IP (virtual IP): 123.123.123.123
            LAN IP that is mapped to the additional public IP: 192.168.1.100

            Your firewall rule at the WAN interface has to look like this:
            pass, protocol tcp, source IP any, source port any, destination IP 192.168.1.100, destination port http/80

            Note that your firewall rule doesn't show the external IP address but the internal one that is mapped to the external one.

            Do this for every machine inside your LAN that uses one of your public IPs.

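The three steps in the post above, written out as the pf.conf rules pfSense ends up loading for them. This is an added example, not text from the thread or a file generated by pfSense: the WAN interface name em0 is assumed, the addresses are the ones hoba used, and the "weak" rule is the any/any WAN rule from the earlier post, shown beside the corrected one.

```pf
# Added example: pf.conf equivalent of the Virtual IP / 1:1 NAT / firewall
# rule steps above. Interface name is assumed; addresses are from the post.
ext_if = "em0"              # assumed WAN interface
vip    = "123.123.123.123"  # additional public IP (virtual IP)
web    = "192.168.1.100"    # LAN host mapped to $vip

# Step 1 (Virtual IP) adds no pf rule. With type "Other" nothing answers
# ARP for $vip; with Proxy ARP a userland daemon answers it; with CARP the
# address is a vhid on $ext_if. In every case the upstream router must be
# able to deliver packets for $vip to this box, or the rules below never
# see them. This is the first thing to check when "it is not passing
# through".

# Step 2: the 1:1 mapping. binat is bidirectional: inbound packets for
# $vip are rewritten to $web before filtering, replies and outbound
# connections from $web leave the WAN as $vip.
binat on $ext_if from $web to any -> $vip

# Step 3, weak (the any/any WAN rule from the earlier post). This admits
# every protocol and port to every host the NAT can reach, so the
# firewall is indeed "completely open".
# pass in quick on $ext_if all keep state

# Step 3, corrected. NAT runs before the filter, so the WAN rule matches
# the translated destination $web, not $vip, and only TCP/80.
pass in quick on $ext_if proto tcp from any to $web port 80 keep state
```

After saving the UI configuration, `pfctl -sn` should list the binat line and `pfctl -sr` the pass rule with the internal address as its destination; if neither appears, the mapping was never applied and the problem is in the configuration, not the rule order.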
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.