1:1 confusion



  • I'm trying to set up 1:1 NAT for a handful of addresses. My edge network is a /29 with 5 usable IPs. Three of those IPs I would like to 1:1 map to internal IPs; let's call one of them 173.249.128.131/32 to 10.0.10.100/32.

    I've set up a Virtual IP (which I read was required on some wikis) as an IP Alias and also created a 1:1 mapping with an external IP of 173.249.128.131 to the internal IP of 10.0.10.100. I don't understand what Destination IP is meant for (and I couldn't find conclusive docs on this either), so I left it at the default of * (any).

    In addition I've created a couple of firewall rules on the WAN interface to allow traffic to the internal IP 10.0.10.100 on various ports.

    When setting up one of these mappings, everything is fine and the 1:1 map works as expected. When I however go ahead and add one more external address, such as 173.249.128.132/32 mapping to 10.0.10.110/32, all traffic for 173.249.128.131 now seems to go to 10.0.10.110. That's obviously not my intention.

    Am I doing something wrong or did I just find a bug? The version of pfSense I'm running is 2.1-RC1 (amd64) built on Sat Aug 10 05:22:30 EDT 2013 FreeBSD 8.3-RELEASE-p9. This is a nano 4g image.



  • The destination IP should be the one that traffic is hitting.

    So if you want traffic from 1.2.3.4 to go to 192.168.1.1, you'd configure:
    External Subnet IP: 1.2.3.4
    Internal IP: 192.168.1.1/32
    Destination: 1.2.3.4/32

    If you also want 1.2.3.5 to go to 192.168.1.2, you'd configure:
    External Subnet IP: 1.2.3.5
    Internal IP: 192.168.1.2/32
    Destination: 1.2.3.5/32

    Though I can't test this at the moment, I can pretty much guarantee this is how it is supposed to be configured.



  • That worked.

    Would you mind explaining why the external address and destination address are both needed? What's the scenario the two would be different, or where destination would actually be "any", as suggested in the field's description?



  • My guess would be if you had a pool of addresses you wanted to go to the same host. I'm honestly not sure, as I haven't ever had a need for it.


  • Rebel Alliance Developer Netgate

    The destination is just that, the destination of the traffic, but you're thinking of the wrong direction: it's not for inbound, that's for outbound.

    If Internal IP x.x.x.x goes to destination y.y.y.y, apply 1:1 NAT so it comes from external address z.z.z.z

    IIRC it works the opposite way as well:

    If a "destination" IP y.y.y.y tries to contact external IP z.z.z.z, apply 1:1 NAT so it gets sent to internal IP x.x.x.x

    I'd have to double check that last bit though.
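    The field semantics described in the reply above, and the two-entry layout from the earlier answer, modelled as a small Python checker. This is an added example, not code posted in this thread or shipped by pfSense. It assumes that translation entries are matched first-match in the order listed (the way pf's nat/rdr/binat rules behave) and that Destination restricts the remote addresses an entry applies to, with "any" matching everything; it uses the question's 173.249.128.131/.132 and 10.0.10.100/.110 plus a constructed third entry (173.249.128.133 and the 198.51.100.0/24 documentation range) to show the one case where external and destination differ: the same internal host should leave as a different external address only when talking to one particular remote network. It does not try to reproduce the misrouting the original poster saw.

```python
"""Model of pfSense-style 1:1 NAT entries (External Subnet IP / Internal IP /
Destination): which entry a packet hits in each direction, and which entries
can never match because an earlier one always wins.  All addresses below are
constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class OneToOne:
    external: IPv4Address     # External Subnet IP (a WAN-side VIP)
    internal: IPv4Address     # Internal IP
    destination: IPv4Network  # Destination: remote addresses the entry applies to


def entry(external, internal, destination="0.0.0.0/0"):
    """Build an entry; the default destination models the form's '*' (any)."""
    return OneToOne(ip_address(external), ip_address(internal), ip_network(destination))


def outbound(entries, src, dst):
    """Internal host src sends to dst: return the source address the packet
    leaves the WAN with.  First-match assumption: the first entry whose internal
    address and destination both match wins; no match means untranslated."""
    src, dst = ip_address(src), ip_address(dst)
    for e in entries:
        if src == e.internal and dst in e.destination:
            return e.external
    return src


def inbound(entries, src, dst):
    """Remote host src sends to WAN address dst: return the address the packet
    is delivered to (the mapped internal host, or dst itself if nothing matches)."""
    src, dst = ip_address(src), ip_address(dst)
    for e in entries:
        if dst == e.external and src in e.destination:
            return e.internal
    return dst


def problems(entries):
    """Flag entries that can never be reached: an earlier entry with the same
    internal address (outbound) or external address (inbound) whose destination
    covers this entry's destination will always match first."""
    found = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            covered = later.destination.subnet_of(earlier.destination)
            if covered and later.internal == earlier.internal:
                found.append(f"outbound: {later} shadowed by {earlier}")
            if covered and later.external == earlier.external:
                found.append(f"inbound: {later} shadowed by {earlier}")
    return found


# The question's two entries (Destination left at any) plus a constructed third:
# 10.0.10.100 should appear as 173.249.128.133 only when it talks to
# 198.51.100.0/24, and as 173.249.128.131 to everyone else.
SPECIFIC = entry("173.249.128.133", "10.0.10.100", "198.51.100.0/24")
HOST_A = entry("173.249.128.131", "10.0.10.100")
HOST_B = entry("173.249.128.132", "10.0.10.110")
ENTRIES = [SPECIFIC, HOST_A, HOST_B]  # the narrower entry must be listed first


if __name__ == "__main__":
    print(outbound(ENTRIES, "10.0.10.100", "198.51.100.7"))    # 173.249.128.133
    print(outbound(ENTRIES, "10.0.10.100", "203.0.113.9"))     # 173.249.128.131
    print(inbound(ENTRIES, "203.0.113.9", "173.249.128.132"))  # 10.0.10.110
    print(problems(ENTRIES))                                   # []
    print(problems([HOST_A, SPECIFIC, HOST_B]))                # SPECIFIC is dead outbound
```

    Running `problems()` over an entry list is the check worth keeping: with "any" on the catch-all entry, the order decides whether the narrower mapping ever fires, and a shadowed entry is silently ignored rather than rejected.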



  • Forgive my ignorance, but I read somewhere that you need to have a physical interface for each 1:1 mapping…

    I suppose that is not correct. Please enlighten me...


  • Rebel Alliance Developer Netgate

    It is not correct. You do need a VIP in most cases but not all.



  • Thank you. Still not working though :(

    From pfSense's SSH I can see that the WAN IP I have set for the 1:1 mapping is used by pfSense itself and not being forwarded to the LAN IP.

    Any ideas?

    (Should I post more, or open a new thread? :])



  • Never mind, it started working. I suppose it was an issue from my "WAN" that is actually a NAT to someone else.

