Getting rid of NAT
-
Hello. :) Recently I had the idea to use a dusty, kind-of-old laptop as my firewall superhero with pfSense. The machine comes with an integrated Intel PRO/100 Ethernet and a custom-installed Atheros 5424 chip using a modded BIOS. My ISP supplied me with a WiMAX Telrad router, integrated with everything needed to make a simple, typical home network possible.
Anyway, my idea was to have the laptop with pfSense residing between the router and the stations, which would connect to its WiFi interface. It doesn't sound too bad as an idea, but I'm not sure whether everything is well configured or there is room for better configuration.
As for now, I have a WAN interface (configured to point to the router's gateway IP) and a LAN one (NATed to WAN, used for the WiFi connection). Everything seems to work fine regarding basic web surfing, checking emails, etc. But NAT imposes a limit on inbound traffic. Well, maybe not a real limit (because of forwarding), but anyhow bridging the two interfaces (or something similar) may probably result in better performance and stability when using intensive applications. The thing is, I'm not sure, so I'm asking you guys for better ideas... 8)
If you would like further information, I would be glad to provide it...
Thanks for reading and best regards.
-
You probably don't want to get rid of NAT. If you have multiple devices behind your firewall, you will need that NAT to allow them to access the internet.
This is assuming, of course, that your provider has given you an IPv4 connection. I doubt your provider is handing out IPv6 addresses. If they were, there would be no need to NAT, as each machine behind your firewall would be getting a globally unique IPv6 address. With IPv4, you typically only get one, unless you pay handsomely for more.
If you had IPv6, you'd just have to create policies allowing connections from the internet to host xyz via port 123 and that's it. With IPv4 you have to use port forwarding, taking the 65535 available ports on your single shared public IP and forwarding them individually to particular hosts inside your network, as well as creating the above policies (if the policy isn't already implied by the port forwarding; not too familiar with pfSense, tbh).
Either way, for a bog-standard IPv4 internet connection, NAT and port forwarding are absolutely vital to make it work with multiple devices. Just forward the ports you need to the internal host you want and you'll be good to go. Alternatively, you can define one host as a DMZ, and all incoming requests will be forwarded to that host, with the exception of explicit forwardings (probably; again, I'm not too familiar with pfSense. It's like that with other firewalls that I've worked with).
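The setup the reply describes (outbound NAT for the LAN, one port forwarded to an inside host, and the IPv6 case needing only a policy rule), written out as pf rules in the syntax pfSense's FreeBSD pf uses. This is an added illustration, not from the thread or from pfSense itself; the interface names fxp0/ath0, the 192.168.1.0/24 network, the host addresses and the 2001:db8:: prefix are assumptions. In pfSense these rules are generated from the GUI (Firewall > NAT and Firewall > Rules) rather than edited by hand.

```pf
# Added example: pf rules equivalent to the NAT + port-forward setup
# discussed above. Interface names and addresses are assumptions.
ext_if  = "fxp0"            # Intel PRO/100, WAN side toward the Telrad router
int_if  = "ath0"            # Atheros wireless, LAN side
lan_net = "192.168.1.0/24"
srv     = "192.168.1.10"    # internal host that should receive port 123
srv6    = "2001:db8::10"    # the same host's global IPv6 address (assumed)

# IPv4: many internal hosts share the single public address on $ext_if.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# IPv4: port forward. Only this one port is rewritten toward $srv; anything
# else arriving on the public address still hits the default block below.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 123 -> $srv port 123
# A DMZ-style "forward everything" (rdr ... to ($ext_if) -> $dmz_host with
# no port) exposes every listening service on that host; per-port forwards
# keep the exposed surface to the services you actually intend to publish.

# Default deny, then explicit policy. The pass for the forward matches the
# translated (internal) destination, which is why pfSense asks for a
# matching firewall rule when you add a NAT entry.
block all
pass in on $ext_if inet proto tcp from any to $srv port 123 flags S/SA keep state
pass in on $int_if from $lan_net to any keep state
pass out keep state

# IPv6: no translation. The host is globally reachable, so the policy rule
# alone decides what gets in.
pass in on $ext_if inet6 proto tcp from any to $srv6 port 123 flags S/SA keep state
```

Load order matters in this older pf syntax: macros, then nat/rdr translation rules, then filter rules, with pf's last-matching-rule semantics deciding the outcome.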