1:1 NAT vs. port forwarding - When to use each?
-
Hello. Lurker here, first post. We're a support customer with Chris and Jim.
I searched and found this post:
https://forum.pfsense.org/index.php?topic=79750.msg434978#msg434978
saying 1:1 NAT is a security risk. When would I use 1:1 NAT vs. when would I use port forwarding?
Thanks.
-
A port forward is useful if you need to expose one or two ports from a LAN server to WAN. 1:1 NAT is useful if you need to have the entire range of ports available, where every port on the WAN IP maps to the same ports on the LAN server. That's why it's a security risk; every single port on the LAN server is exposed.
-
1:1 NAT is only a security risk because it makes it easier to accidentally allow too much traffic. The ports are not automatically exposed: 1:1 NAT maps all the external ports on that IP to the internal IP but you must still have firewall rules to allow the traffic to reach the local server.
With proper firewall rules, 1:1 NAT is easier in cases where there are many ports and you also need outbound NAT.
With good use of aliases, for inbound-only traffic they are roughly the same amount of work and it's mostly a matter of preference.
-
My mistake. I had (wrongly) assumed that the firewall rules would be auto-added, or handled by some hidden Allow All to 1:1 Host rule or something like that. Otherwise, the distinction didn't make a lot of sense to me. Thanks for the correction.
-
Jim -
Could you please weigh in here: https://forum.pfsense.org/index.php?topic=82732.msg461520#msg461520
I was pretty puzzled by the behavior I saw when I enabled 1:1 NAT across OpenVPN interfaces.