1:1 and other questions.



  • Hi all,

    I have looked over the forums and the Monowall docs but I have not been able to find an answer to help me with configuring the 1:1 NAT.

    Here is a breakdown of our network.  We have 5 static IPs and we want to DHCP one and 1:1 the other one on the same subnet.

    I am concurrently setting up this new setup next to an older one that we want to get rid of.

    Public :: 67.xxx.xxx.13 - .18
    WAN :: 67.xxx.xxx.18
    LAN :: 192.168.xxx.0/24

    When I first setup the box I put 1 machine on it to test everything out.  Added NAT for the subnet 192.168.xxx.0/24 with a few basic aliased ports 80, 25, 110, 443, 8080 and I was able to browse out.

    I looked over the rules the WAN looked fine, but I deleted a LAN rule about * -> any (I read this in another post) that was automatically created.

    After I did this it would not browse out so I put it back and it worked again, not sure why the other post said to remove this any rule?

    Was it necessary or maybe I misunderstood the other post?  Did I mess something up in the routing tables when I removed this rule before?

    I entered a 1:1 for 67.xxx.xxx.15 -> 192.168.xxx.15 and added a virtual IP for 67.xxx.xxx.15 and then a rule * -> 192.168.xxx.15 and it does not work?

    The machine is assigned the 192.168.xxx.15 address in the windows (yes windows) network settings with the GW 67.xxx.xxx.13 as it should be.  I also input the ISP assigned DNS servers instead of using the gateway 67.xxx.xxx.13 as the DNS server.

    Someone please help, I would really like to get this going, the pfSense seems far better than the other FW packages that we have checked out or used.

    We are particularly interested in the traffic shaping for our VOIP server.  This is part of the reason why we need the 1:1 enabled.



  • Just a few notes on your config:
    If you are running a private, natted LAN, you need to use the firewall's lan ip as you gateway. If you want to use a public gateway, you will need the machine to have a public IP. There are some threads on public DMZ setups out there. You would probably want to bridge the DMZ with the WAN.
    Don't delete the default LAN allow rule unless you setup rules for all the outgoing traffic you want to allow. You would only want that if you were placing restrictions on what your LAN users could do.
    The 1-1 setup should work if the machine is configured with a private ip and gateway, and a rule to allow traffic out from the LAN is there.



  • Thank you dotdash,

    I had an error in my thinking… I did have the private natted LAN set to use the FW lan ip as the GW.

    I will go back and double check everything now and reset the default LAN allow rule.


Log in to reply