Simple, straightforward guide for adding a 1:1 NAT on a standard connection



  • Why can't I find one?

    I have a standard business cable (coaxial) connection with 5 static IPs in the same subnet.  Let's call them WAN_IP1 - WAN_IP5.  The modem is in bridge mode.

    I have already set up the WAN connection on an interface of my pfSense box to use WAN_IP1 and it works fine.

    Now I want a 1:1 NAT on the same interface, pointing to 192.168.1.20.

    ============================================================================
    EDIT: THE STEPS BELOW ARE WRONG, PLEASE SEE THE NEXT TWO POSTS FOR CORRECTED INFO

    Steps:

    1. Firewall -> Virtual IP

    ADD NEW
    Options:

    Type: IP Alias
    Interface: The same interface of my cable modem
    IP Address: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
    Subnet Mask: /32 for single address

    2. Firewall -> NAT -> 1:1

    ADD NEW
    Options:

    Interface: The same interface of my cable modem
    External Subnet IP: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
    Internal IP: Single Host : 192.168.1.20
    Destination: It is not clear to me if I should fill something in here.  Should it be the same as the Static IP?

    3. Firewall -> Rules -> The same interface of my cable modem

    ADD NEW
    Options:

    Action: Pass
    Interface: The same interface of my cable modem
    Protocol: Any
    Destination: Single Host or Alias: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2

    ===========================================================================

    So obviously, I'm doing something wrong, because after all these steps, the 1:1 NAT does not work.  What am I doing wrong?



  • Step 1 (Virtual IP)
    Add new PROXY ARP, not IP Alias.

    Nuance:  Proxy ARP != IP Alias
    Proxy ARP = interface answers ARP request for that defined IP so traffic will flow to the interface.
    IP Alias = defined IP address is bound to the interface (like having 2 IP addresses on the same interface).
    Do yourself a favor and get this book:
    http://www.amazon.com/gp/product/013608530X?keywords=Internetworking%20with%20TCP%2FIP%20Vol.1&qid=1447422811&ref_=sr_1_1&sr=8-1

    Step 2 (NAT 1:1)
    Interface: WAN
    External subnet IP: The external IP (same one you configured for Proxy ARP)
    Internal IP: The internal IP of your host
    Destination IP: any

    Step 3
    Interface WAN
    Protocol: however you want to restrict; any = wide open
    Source: any (or whatever you want to restrict by)
    Destination: The internal IP of your host (firewall rules are evaluated after NAT)
    Port: whatever service you want to restrict to (applies if protocol = TCP or UDP)



  • Revised, corrected guide for adding 1:1 NAT on a standard connection

    I have a standard business cable (coaxial) connection with 5 static IPs in the same subnet.  Let's call them WAN_IP1 - WAN_IP5.  The modem is in bridge mode.

    I have already set up the WAN connection on an interface of my pfSense box to use WAN_IP1 and it works fine.

    Now I want a 1:1 NAT on the same interface, pointing to Internal Address: 192.168.1.20.

    ============================================================================

    Steps:

    1. Firewall -> Virtual IP

    ADD NEW
    Options:

    Type: Proxy ARP
    Interface: The same interface of my modem
    IP Address: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
    Subnet Mask: /32 for single address

    2. Firewall -> NAT -> 1:1

    ADD NEW
    Options:

    Interface: The same interface of my cable modem
    External Subnet IP: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
    Internal IP: Single Host : The Internal Address: 192.168.1.20

    3. Firewall -> Rules -> The same interface of my cable modem

    ADD NEW
    Options:

    Action: Pass
    Interface: The same interface of my cable modem
    Protocol: Any
    Destination: Single Host or Alias: The Internal IP Address: 192.168.1.20

    ===========================================================================
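
Added example, not part of the thread and not pfSense code: a simplified Python model of the ordering the reply describes (firewall rules are evaluated after NAT), showing why a WAN rule whose destination is the external IP never matches, and how "Protocol: Any" compares with a rule narrowed to one port. The address 203.0.113.2 stands in for WAN_IP2; the client address, class names and function names are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Optional

WAN_IP2 = "203.0.113.2"     # constructed stand-in for WAN_IP2
INTERNAL = "192.168.1.20"   # internal host from the thread
BINAT = {ip_address(WAN_IP2): ip_address(INTERNAL)}  # the 1:1 NAT mapping

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:                      # a WAN "pass" rule
    dst: str
    proto: str = "any"           # "any" = wide open
    dport: Optional[int] = None  # None = any port

def nat_inbound(pkt, binat):
    """1:1 NAT: rewrite the destination when it is a mapped external IP."""
    mapped = binat.get(ip_address(pkt.dst))
    return replace(pkt, dst=str(mapped)) if mapped else pkt

def rule_matches(rule, pkt):
    return (ip_address(rule.dst) == ip_address(pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def wan_inbound(pkt, rules, binat=BINAT):
    """Translate first, then filter; unmatched inbound traffic is blocked."""
    translated = nat_inbound(pkt, binat)
    return "pass" if any(rule_matches(r, translated) for r in rules) else "block"

# Constructed sample traffic arriving at WAN_IP2
HTTPS = Packet("198.51.100.7", WAN_IP2, "tcp", 443)
SSH = Packet("198.51.100.7", WAN_IP2, "tcp", 22)

def demo():
    narrow = [Rule(INTERNAL, "tcp", 443)]
    return {
        "dest_external_ip": wan_inbound(HTTPS, [Rule(WAN_IP2)]),   # first post, step 3
        "dest_internal_ip": wan_inbound(HTTPS, [Rule(INTERNAL)]),  # corrected step 3
        "any_rule_ssh": wan_inbound(SSH, [Rule(INTERNAL)]),        # Protocol: Any
        "narrow_rule_ssh": wan_inbound(SSH, narrow),
        "narrow_rule_https": wan_inbound(HTTPS, narrow),
    }
```

With "Protocol: Any", every service listening on 192.168.1.20 is reachable from the internet through WAN_IP2; the narrowed rule passes only the one port that is meant to be published.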

