Is it possible to disable NAT

jvwjgames · Aug 9, 2015, 7:54 PM

I need NAT disabled cause I have static ip's and can't have the router doing any NATTING.

divsys · Aug 9, 2015, 8:21 PM

What specifically are worried will happen?

Unless you enable NAT pfSense will not translate any addresses for you.

What is your application?

jvwjgames · Aug 9, 2015, 8:32 PM

I have 13 static wan iP's and need them to communicate directly to the Internet through pfsense so I will need pfsense to not NAT the iP's

divsys · Aug 9, 2015, 9:17 PM

How do you plan on connecting the static IP's to pfSense?

Do you have 13 modems from your ISP or will you be using VLANS?

What do you plan do with your 13 IP addresses, bandwidth share, failover, route to 13 servers?

What are expecting pfSense to do for you?

jvwjgames · Aug 9, 2015, 9:27 PM

I plan on routing my 13 statics to my servers so it goes Cable modem>Pfsense with static on WAN>static on other WAN>servers with the remaining ip's.

Derelict · Aug 9, 2015, 10:19 PM

If you have a single /28 from the ISP, you really can't put them "behind" pfSense. Your best bet would be 1:1 NAT to your servers but that's still NAT.

Tell your ISP to assign a /30 to your WAN and route the /28 to that.

You would then assign the /28 to a pfSense OPT interface, disable NAT, pass the desired traffic, and you're done.

Your other option would be to bridge an OPT interface with WAN and number the hosts on that interface. But you might as well just use an outside switch.

ScottyDM · Aug 19, 2015, 11:41 PM

I'm a pfSense newbe, but I know networking in general.

On your WAN side you'll have one of your static IPs assigned to pfSense, along with the /28 to tell it the size of your subnet, and the gateway address (the address of your modem).

My ancient SonicWALL was just smart enough to be stupid. It knew the 0th, 15th, gateway, and it's own address were unavailable, and so the other 12 addresses in that /28 subnet must belong on the LAN–so it set itself to bridging mode (you could override that with NAT if desired).

pfSense is much smarter than that and so it assumes nothing. What if there were other hosts between it and the gateway? Therefore you must set virtual IPs to tell it that when it sees one of them, it must do something with it. There is a bridging mode in pfSense, but my neighbor suggested 1-to-1 NAT would be better. Or one could use port forwarding, in which case rules can be auto-generated. Three choices, but all require virtual IPs be set first.

To set virtual IPs go to "Firewall / Virtual IPs".

It's a little hard to find bridging in the GUI, so here's a page in the DOCs that describes it. https://doc.pfsense.org/index.php/Interface_Bridges