What would you do?

  • Hi

    I'm trying to decide if I should use 1:1 NAT for my /27 subnet I get from my ISP or if I should just have a /27 subnet hanging off one of my Optional interfaces?

    One reason I like the idea of 1:1 NAT is that I can have my public IPs change and not have to update my servers' IP addresses. The other reason I like it is because I can point one of my public IPs to a load balancer that can handle multiple servers on the same private IP address range.

    Are there any caveats to using NAT for servers you want made public?

    I'm also looking at using multiple ISPs (multiple WANs). Would using NAT to serve access to my servers be a wise choice over having a whole interface dedicated to the /27 subnet?

  • If you search the forums you'll see that the standard advice is actually to use virtual IPs and port forwarding if each server only provides a small number of services.

  • Virtual IP? Do you mean 1:1 NAT? For example mapping one public IP to an internal private IP?

  • You can use virtual IPs without 1:1 NAT and just normal NAT.
    That way you can use multiple servers on different ports on the same VIP.

  • That's great, thanks. Could you point me in the right direction for reading more about this?

  • http://forum.pfsense.org/index.php?action=search

    But it's pretty much self-explanatory.

    1: Create the VIP
    2: Use the VIP in NAT rules (don't forget the firewall rules related to the NAT rule)

  • Thanks for the information so far.

    I have another question. When using VIPs to map to servers on a private address space, what address does the server with the private IP appear to be coming from when making a connection out to the Internet? Is it the WAN IP the connection is made out on? What if I wanted all connections to appear to be coming from one of the VIPs for a particular server on a private IP?

    I hope that was clear enough.

  • Normally the traffic seems to be coming from the WAN IP of pfSense.

    When you create a 1:1 NAT the outgoing traffic will appear as if it originates from the VIP.

    If you don't use 1:1 NAT and you want the traffic to appear from the VIP you need to create an Advanced Outbound NAT rule (NAT -> Outbound).
    Set as Interface WAN (or whichever interface the VIP is on) and select the VIP under "Translation". Also be sure you set the "Source" correctly.
    If you want only the Server to use the VIP for outbound just set a /32 subnet.

    If you enable advanced outbound NAT don't forget that you need another rule that NATs the rest of your network too.

    Also be sure that you have the right order of the rules.
    They are being processed from top to bottom so you want the rule for your server above the rule for the rest of your subnet.

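To make the two procedures in this thread concrete (the VIP port-forward from the earlier reply and the outbound NAT ordering from this one), here is an added pf.conf fragment that is not from the thread and not generated by anyone's pfSense box; the interface name and every address are assumed.

```pf
# Illustrative pf.conf fragment (constructed example, not copied from a running
# pfSense). RFC 5737 / RFC 1918 addresses are assumed placeholders.
ext_if = "em0"                 # WAN interface (assumed)
wan_ip = "203.0.113.2"         # pfSense's own WAN address (assumed)
vip    = "203.0.113.10"        # a Virtual IP taken from the public /27 (assumed)
lan    = "192.168.1.0/24"      # private subnet behind pfSense (assumed)
server = "192.168.1.10"        # server that should be seen as $vip on the Internet

# Outbound NAT is evaluated first-match, top to bottom.
# The single-host rule for the server (a bare host is the same as a /32 source)
# MUST sit above the general LAN rule; reversed, the /24 rule matches first and
# the server's outbound traffic leaves with $wan_ip as its source.
nat on $ext_if from $server to any -> $vip
nat on $ext_if from $lan    to any -> $wan_ip

# Port forward ("use the VIP in NAT rules"): inbound 80/443 on the VIP go to the
# server. Other servers could share the same VIP on other ports.
rdr on $ext_if proto tcp from any to $vip port 80  -> $server port 80
rdr on $ext_if proto tcp from any to $vip port 443 -> $server port 443

# The firewall rule that belongs to the port forward: after the rdr the packet is
# addressed to the private IP, so the pass rule must allow that destination.
pass in quick on $ext_if proto tcp from any to $server port { 80 443 } keep state

# 1:1 NAT alternative: a single binat covers both directions, so the server's
# outbound traffic is automatically seen as coming from $vip (replaces the
# server's nat line above; the rdr/pass lines are still needed for inbound).
# binat on $ext_if from $server to any -> $vip
```

A quick check after loading the rules is to have the server fetch an external "what is my IP" page and confirm it reports the VIP rather than the WAN address.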
  • Great, thanks so much for your helpful advice  ;D
