1:1 NAT Concept



  • Guys
    I think I may be beginning to understand this 1:1 NAT a bit better… so I thought I would ask the gurus on the forum if I am on the right track...

    Port forwarding Example:

    Most useful when we need to change port numbers in the firewall... Example:

    138.99.129.65/27----| pfsense |----|---192.168.1.1/24
                                                      |________________192.168.1.100 Host1

    Steps:
    Create CARP IP 138.99.129.75
    Create CARP IP 138.99.129.76
    Create CARP IP 138.99.129.77

    Port forward 138.99.129.75  (P:80)  to 192.168.1.100 (P:80)  Auto add firewall rule
    Port forward 138.99.129.76  (P:80)  to 192.168.1.100 (P:8080)  Auto add firewall rule
    Port forward 138.99.129.77  (P:80)  to 192.168.1.100 (P:8888)  Auto add firewall rule

    And now three different IPs can access websites using the default HTTP ports....

    1:1 NAT Example:

    Most useful when we DON'T need to change port numbers in the firewall... Example:

    138.99.129.65/27----| pfsense |----|---192.168.1.1/24
                                                      |________________192.168.1.100 Host1
                                                      |________________192.168.1.101 Host2
                                                      |________________192.168.1.101 Host3

    Steps:
    Create CARP IP 138.99.129.75
    Create CARP IP 138.99.129.76
    Create CARP IP 138.99.129.77

    1:1
    WAN 138.99.129.75  to 192.168.1.100 Description (This essentially maps ports one to one, like 80 to 80 and 25 to 25)
    WAN 138.99.129.76  to 192.168.1.101 Description (ditto)
    WAN 138.99.129.77  to 192.168.1.101 Description (ditto)

    Create firewall rules:
    pass/wan/tcp/wan-addy/any-port/any-os/192.168.1.100/port-80/synproxy-state/no-schedule/default GW/Add port 25 rule next month

    pass/wan/tcp/wan-addy/any-port/any-os/192.168.1.101/port-8080/synproxy-state/no-schedule/default GW/Guests have port 8080 outbound is not blocked by their IT and is open

    pass/wan/tcp/wan-addy/any-port/any-os/192.168.1.102/port-8888/synproxy-state/no-schedule/default GW/Guests have port 8888 outbound is not blocked by their IT and is open

    And now three different IPs can access websites using ports 80, 8080 and 8888 respectively....

    ===========================

    Please let me know. Appreciate your patience reading this.
    Much thanks.



  • Also note that 1:1 NAT applies to outbound traffic too.
    Meaning traffic originating FROM the server will appear as if it originates from its VIP on the WAN.

    In your case traffic from 192.168.1.102 appears as if from 138.99.129.77.

    But usually it's better to use "normal" NAT.
    For one thing reflection does not work with 1:1 NAT.

    Tell me when you ever had a case where you needed so many ports forwarded that it was easier to just 1:1 NAT it than to set up an alias and use that to forward multiple ports :)
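    As an added example (not the posters' configuration, and not anything pfSense itself emitted), here are the two designs from the first post written in the pf.conf syntax that the pfSense GUI ultimately generates, with the outbound effect of 1:1 NAT from the reply above shown in the binat section. The interface macro `$wan`, the `em0` device, the `$int_net` macro and the catch-all outbound `nat` line are assumptions; the addresses and ports are the ones from the thread. The two sections are alternatives and are shown together only for contrast.

```pf
# Added example; macro and device names are assumptions, addresses come from the thread.
wan = "em0"
int_net = "192.168.1.0/24"

# ---- Design 1: port forwards (rdr) ----
# Only the named destination IP:port is translated, and the destination port
# may be rewritten on the way in (80 -> 8080, 80 -> 8888). Note "on $wan":
# the redirect applies to packets arriving on the WAN interface only, which is
# why LAN clients need the separate "reflection" rules to reach the public IPs.
rdr on $wan proto tcp from any to 138.99.129.75 port 80 -> 192.168.1.100 port 80
rdr on $wan proto tcp from any to 138.99.129.76 port 80 -> 192.168.1.100 port 8080
rdr on $wan proto tcp from any to 138.99.129.77 port 80 -> 192.168.1.100 port 8888

# rdr is one-directional: connections the host itself opens outbound still use
# the ordinary outbound NAT, i.e. they leave sourced from the WAN interface IP.
nat on $wan from $int_net to any -> ($wan)

# The "auto add firewall rule" pass rules match post-translation address and port.
pass in on $wan proto tcp from any to 192.168.1.100 port 80   synproxy state
pass in on $wan proto tcp from any to 192.168.1.100 port 8080 synproxy state
pass in on $wan proto tcp from any to 192.168.1.100 port 8888 synproxy state

# ---- Design 2: 1:1 NAT (binat) ----
# Every port is mapped unchanged (80 -> 80, 25 -> 25, ...). binat is
# bidirectional: inbound it acts like an rdr, outbound like a nat, and for
# outbound packets pf consults binat before nat, so traffic FROM 192.168.1.102
# leaves the WAN sourced from 138.99.129.77 rather than the interface address.
binat on $wan from 192.168.1.100 to any -> 138.99.129.75
binat on $wan from 192.168.1.101 to any -> 138.99.129.76
binat on $wan from 192.168.1.102 to any -> 138.99.129.77

# 1:1 NAT opens nothing by itself; only what the pass rules admit gets through,
# which is the three rules listed in the first post.
pass in on $wan proto tcp from any to 192.168.1.100 port 80   synproxy state
pass in on $wan proto tcp from any to 192.168.1.101 port 8080 synproxy state
pass in on $wan proto tcp from any to 192.168.1.102 port 8888 synproxy state
```

The practical difference is visible in the rule shapes: each rdr line names one port and may change it, while each binat line names a host and maps the whole port range in both directions, so a 1:1-mapped host is reachable on every port its pass rules allow and is also identifiable on the Internet by its fixed public address.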



  • @GruensFroeschli:

    Also note that 1:1 NAT applies to outbound traffic too.
    <snip>Tell me when you ever had a case where you needed so many ports forwarded that it was easier to just 1:1 NAT it than to set up an alias and use that to forward multiple ports :)</snip>

    Thanks - I am happy to hear the confirmation.
    I agree on outbound, but I am not sure when an outbound address would be important other than for accessing services which are restricted to a unique IP.

    Also, other than in a home setup where one box is perhaps "be-all", rarely would we run so many services needing access from the WAN side that one or two firewall rules cannot handle. Gurus may know better.

    Thanks again.



  • @GruensFroeschli:

    <snip>For one thing reflection does not work with 1:1 NAT.</snip>

    And, I have read many places that "Just enable NAT reflection"….
    Is it the same as ---> System > Advanced > Do not tick "Disables the automatic creation of NAT redirect rules......"??
    Thanks again.



  • Yes, just that tickbox. Will work with port forwards but not with 1:1 NAT.

