    1:1 NAT - Host range vs. subnet

fatman45

I'm migrating to pfSense from Watchguard. Our firewall has three WAN interfaces. Each is configured with 1:1 NAT to a corresponding OPT (DMZ) interface. On Watchguard, you are given three choices for 1:1 NAT - single host, host range, or network. Example: WAN1's public IPs are 65.169.139.0/24, OPT1's private IPs are 192.168.139.0/24. The external gateway is 65.169.139.1 and the WAN1 interface is 65.169.139.254. The OPT1 interface is 192.168.139.254. I'm using host range with the ranges specified as 65.169.139.2-65.169.139.253 and 192.168.139.2-192.168.139.253. I don't see a similar option to host range in pfSense. So I'm pretty much left with choosing network (or adding 252 single entries :o ). My question is - will this cause me problems since network includes both .1 (the external gateway) and .254 (the external interface)? I'm not using hosts on OPT1 with either of the two corresponding addresses.

Derelict (LAYER 8 Netgate)

        I don't see a way to do that, either.  Another reason routed subnets are better than large interface networks.

        You shouldn't have to create 252 NAT entries though.  You just have to be creative in your subnetting.

        If you look at making a firewall alias, you can tell it to make a Network alias for 65.169.139.2-65.169.139.253.  It will generate the alias using as few subnets as possible to cover the range.

        Again, unfortunately, you cannot use an alias in a NAT rule for whatever reason, but you can use the above to help generate as few rules as necessary.

        This is what I get in 2.2.4:

        ![Screen Shot 2015-10-14 at 11.17.53 PM.png](/public/imported_attachments/1/Screen Shot 2015-10-14 at 11.17.53 PM.png)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

fatman45

Thanks - I'll investigate that idea. I was also thinking I could create just one entry, then backup the config, and write a small utility to generate the rest of the ranges. The config is an XML file, right? Should be fairly simple once I know the structure.

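As an added example (not code from either poster, and not pfSense's own alias generator), this Python script does the two things discussed above: it covers the host range 65.169.139.2-65.169.139.253 with the fewest possible subnets, the way Derelict says the network alias does, and it pairs each external subnet with the matching internal one to give the list of 1:1 NAT entries fatman45 wants to generate. It assumes the internal range mirrors the external one at the same offset (.2-.253 on both sides, as in the thread); the cross-check against `ipaddress.summarize_address_range` and the `covers` helper confirm that .1 and .254 stay outside every block.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Cover the inclusive IPv4 range first..last with the fewest CIDR blocks.
    Greedy walk: from `cur`, widen the block while it stays aligned on its own
    size and does not run past `last` (the covering a pfSense network alias
    computes for a host range, written out here so it can be reused)."""
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    blocks = []
    while cur <= end:
        prefix = 32
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # size of the next wider block
            if cur % size != 0 or cur + size - 1 > end:
                break                        # misaligned, or would overshoot
            prefix -= 1
        blocks.append(ipaddress.IPv4Network((cur, prefix)))
        cur += 1 << (32 - prefix)
    return blocks

def one_to_one_pairs(ext_first, ext_last, int_first):
    """One (external subnet, internal subnet) tuple per 1:1 NAT entry.
    The internal block keeps the external prefix length, so the offset between
    the ranges must preserve alignment; IPv4Network raises ValueError when it
    does not, which is worth catching before typing the rules in by hand."""
    shift = int(ipaddress.IPv4Address(int_first)) - int(ipaddress.IPv4Address(ext_first))
    pairs = []
    for ext in range_to_cidrs(ext_first, ext_last):
        internal = ipaddress.IPv4Network((int(ext.network_address) + shift, ext.prefixlen))
        pairs.append((str(ext), str(internal)))
    return pairs

def covers(blocks, addr):
    """True if any CIDR string in `blocks` contains `addr` (to confirm .1/.254 are excluded)."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.IPv4Network(b) for b in blocks)

def matches_stdlib(first, last):
    """Cross-check against ipaddress.summarize_address_range (same minimal covering)."""
    ref = ipaddress.summarize_address_range(ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(b) for b in range_to_cidrs(first, last)] == [str(n) for n in ref]

if __name__ == "__main__":
    # Values from the thread: WAN1 65.169.139.2-.253 mapped 1:1 onto OPT1 192.168.139.2-.253
    for ext, internal in one_to_one_pairs("65.169.139.2", "65.169.139.253", "192.168.139.2"):
        print(f"{ext:<20} -> {internal}")
```

For the thread's range this yields 12 subnet pairs (/31, /30, /29, /28, /27, /26, /26, /27, /28, /29, /30, /31), i.e. 12 1:1 NAT entries instead of 252, none of which contain .1 or .254.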