1:1 NAT - Host range vs. subnet



  • I'm migrating to pfSense from Watchguard. Our firewall has three WAN interfaces. Each is configured with 1:1 NAT to a corresponding OPT (DMZ) interface. On Watchguard, you are given three choices for 1:1 NAT - single host, host range, or network. Example: WAN1's public IPs are 65.169.139.0/24, OPT1's private IPs are 192.168.139.0/24. The external gateway is 65.169.139.1 and the WAN1 interface is 65.169.139.254. The OPT1 interface is 192.168.139.254. I'm using host range with the ranges specified as 65.169.139.2-65.169.139.253 and 192.168.139.2-192.168.139.253. I don't see a similar option to host range in pfSense. So I'm pretty much left with choosing network (or adding 252 single entries :o ). My question is - will this cause me problems since network includes both .1 (the external gateway) and .254 (the external interface)? I'm not using hosts on OPT1 with either of the two corresponding addresses.


  • LAYER 8 Netgate

    I don't see a way to do that, either. Another reason routed subnets are better than large interface networks.

    You shouldn't have to create 252 NAT entries though. You just have to be creative in your subnetting.

    If you look at making a firewall alias, you can tell it to make a Network alias for 65.169.139.2-65.169.139.253. It will generate the alias using as few subnets as possible to cover the range.

    Again, unfortunately, you cannot use an alias in a NAT rule for whatever reason, but you can use the above to help generate as few rules as necessary.

    This is what I get in 2.2.4:

    ![Screen Shot 2015-10-14 at 11.17.53 PM.png](/public/imported_attachments/1/Screen Shot 2015-10-14 at 11.17.53 PM.png)



  • Thanks - I'll investigate that idea. I was also thinking I could create just one entry, then backup the config, and write a small utility to generate the rest of the ranges. The config is an XML file, right? Should be fairly simple once I know the structure.
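The two ideas above (let the alias generator find the fewest subnets covering a range, then generate the matching 1:1 NAT entries) can be checked offline before touching the firewall. The script below is an added example, not code from the thread or from pfSense; it uses Python's standard-library `ipaddress` module to summarize the two ranges from the question into the minimal CIDR blocks, pairs external and internal blocks (1:1 NAT needs equal-size blocks in the same order), and verifies that the gateway (.1) and interface (.254) addresses are excluded. The pfSense `config.xml` element names are not given on the page, so the example stops at the mapping table rather than emitting XML.

```python
import ipaddress

# Constructed sample values, taken from the question in the thread:
# the external /24 and internal /24 with .1 and .254 left out.
EXTERNAL_RANGE = ("65.169.139.2", "65.169.139.253")
INTERNAL_RANGE = ("192.168.139.2", "192.168.139.253")
# Addresses that must NOT be covered by any 1:1 NAT block.
EXCLUDED = ("65.169.139.1", "65.169.139.254", "192.168.139.1", "192.168.139.254")


def summarize_range(first, last):
    """Minimal list of CIDR blocks covering first..last inclusive.

    This is the same calculation a Network alias does for a range entry:
    ipaddress.summarize_address_range yields the fewest, largest aligned blocks.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def pair_nat_blocks(ext_range, int_range):
    """Pair external and internal CIDR blocks for 1:1 NAT rules.

    1:1 NAT maps address-for-address, so each external block must have an
    internal block of identical prefix length at the same position. That holds
    whenever both ranges sit at the same offsets inside same-size networks.
    """
    ext_blocks = summarize_range(*ext_range)
    int_blocks = summarize_range(*int_range)
    if len(ext_blocks) != len(int_blocks):
        raise ValueError("ranges do not summarize to the same number of blocks")
    pairs = []
    for ext, internal in zip(ext_blocks, int_blocks):
        if ext.prefixlen != internal.prefixlen:
            raise ValueError(f"block size mismatch: {ext} vs {internal}")
        pairs.append((ext, internal))
    return pairs


def covers_exactly(blocks, first, last):
    """True if the blocks cover every address in first..last and nothing else."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    wanted = set(range(lo, hi + 1))
    covered = {int(addr) for block in blocks for addr in block}
    return wanted == covered


def address_in_blocks(blocks, addr):
    """True if addr falls inside any of the given CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in blocks)


def render_mapping(pairs, wan="WAN1", opt="OPT1"):
    """Human-readable list of the 1:1 NAT rules that would be needed."""
    return [f"{wan} external {ext} -> {opt} internal {internal}"
            for ext, internal in pairs]


if __name__ == "__main__":
    pairs = pair_nat_blocks(EXTERNAL_RANGE, INTERNAL_RANGE)
    all_blocks = [b for pair in pairs for b in pair]
    print(f"{len(pairs)} rules instead of 252 single-host entries:")
    for line in render_mapping(pairs):
        print("  " + line)
    for addr in EXCLUDED:
        state = "EXCLUDED" if not address_in_blocks(all_blocks, addr) else "COVERED!"
        print(f"{addr}: {state}")
```

For the .2-.253 ranges this yields twelve block pairs (/31, /30, /29, /28, /27, /26, /26, /27, /28, /29, /30, /31), none of which contain .1 or .254, so the gateway and interface addresses never get a NAT mapping even though the full /24 is not used.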

