Simple, straightforward guide for adding a 1:1 NAT on a standard connection
-
Why can't I find one?
I have a standard business cable (coaxial) connection with 5 static IPs in the same subnet. Let's call them WAN_IP1 - WAN_IP5. The modem is in bridge mode.
I have already set up the WAN connection on an interface of my pfSense box to use WAN_IP1 and it works fine.
Now I want a 1:1 NAT on the same interface, pointing to 192.168.1.20.
============================================================================
EDIT: THE STEPS BELOW ARE WRONG, PLEASE SEE THE NEXT TWO POSTS FOR CORRECTED INFO
Steps:
1. Firewall -> Virtual IP
ADD NEW
Options:
Type: IP Alias
Interface: The same interface of my cable modem
IP Address: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
Subnet Mask: /32 for single address
2. Firewall -> NAT -> 1:1
ADD NEW
Options:
Interface: The same interface of my cable modem
External Subnet IP: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
Internal IP: Single Host : 192.168.1.20
Destination: It is not clear to me if I should fill something in here. Should it be the same as the Static IP?
3. Firewall -> Rules -> The same interface of my cable modem
ADD NEW
Options:
Action: Pass
Interface: The same interface of my cable modem
Protocol: Any
Destination: Single Host or Alias: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
===========================================================================
So obviously, I'm doing something wrong, because after all these steps, the 1:1 NAT does not work. What am I doing wrong?
-
Step 1 (Virtual IP)
Add new PROXY ARP, not IP Alias.
Nuance: Proxy ARP != IP Alias
Proxy ARP = interface answers ARP request for that defined IP so traffic will flow to the interface.
IP Alias = defined IP address is bound to the interface (like having 2 IP addresses on the same interface).
Do yourself a favor and get this book:
http://www.amazon.com/gp/product/013608530X?keywords=Internetworking%20with%20TCP%2FIP%20Vol.1&qid=1447422811&ref_=sr_1_1&sr=8-1
Step 2 (NAT 1:1)
Interface: WAN
External subnet IP: The external IP (same one you configured for Proxy ARP)
Internal IP: The internal IP of your host
Destination IP: any
Step 3
Interface: WAN
Protocol: however you want to restrict; any = wide open
Source: any (or whatever you want to restrict by)
Destination: The internal IP of your host (firewall rules are evaluated after NAT)
Port: whatever service you want to restrict to (applies if protocol = TCP or UDP)
-
Revised, corrected guide for adding 1:1 NAT on a standard connection
I have a standard business cable (coaxial) connection with 5 static IPs in the same subnet. Let's call them WAN_IP1 - WAN_IP5. The modem is in bridge mode.
I have already set up the WAN connection on an interface of my pfSense box to use WAN_IP1 and it works fine.
Now I want a 1:1 NAT on the same interface, pointing to Internal Address: 192.168.1.20.
============================================================================
Steps:
1. Firewall -> Virtual IP
ADD NEW
Options:
Type: Proxy ARP
Interface: The same interface of my modem
IP Address: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
Subnet Mask: /32 for single address
2. Firewall -> NAT -> 1:1
ADD NEW
Options:
Interface: The same interface of my cable modem
External Subnet IP: The Public Static IP address I want for the 1:1 NAT, in this case WAN_IP2
Internal IP: Single Host : The Internal Address: 192.168.1.20
3. Firewall -> Rules -> The same interface of my cable modem
ADD NEW
Options:
Action: Pass
Interface: The same interface of my cable modem
Protocol: Any
Destination: Single Host or Alias: The Internal IP Address: 192.168.1.20
===========================================================================
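
The second post's point that firewall rules are evaluated after NAT, as an added example that is not part of the original thread: a simplified Python model (not pfSense code) of inbound WAN processing, showing why the first post's rule with destination WAN_IP2 never matches and what narrowing the revised rule's Protocol: Any changes for 192.168.1.20. The address 203.0.113.2 is a constructed stand-in for WAN_IP2, and every name in the code is hypothetical.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional

# Constructed stand-in: the thread never gives WAN_IP2, so a documentation address is used.
WAN_IP2 = ip_address("203.0.113.2")
INTERNAL = ip_address("192.168.1.20")
ONE_TO_ONE = {WAN_IP2: INTERNAL}  # 1:1 NAT entry: external IP -> internal host


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:  # a WAN "pass" rule; anything unmatched is dropped
    dst: IPv4Address
    proto: str = "any"
    dport: Optional[int] = None  # None means any port


def translate(pkt: Packet) -> Packet:
    """Rewrite the destination the way the 1:1 NAT entry does for inbound traffic."""
    return Packet(pkt.proto, ONE_TO_ONE.get(pkt.dst, pkt.dst), pkt.dport)


def wan_allows(rules: list, pkt: Packet) -> bool:
    """Assumed order, per the second post: NAT first, then the rules see the result."""
    seen = translate(pkt)
    return any(
        r.dst == seen.dst
        and r.proto in ("any", seen.proto)
        and r.dport in (None, seen.dport)
        for r in rules
    )


FIRST_POST = [Rule(dst=WAN_IP2)]                           # destination = public IP
REVISED = [Rule(dst=INTERNAL)]                             # internal IP, Protocol: Any
RESTRICTED = [Rule(dst=INTERNAL, proto="tcp", dport=443)]  # narrowed to one service

https = Packet("tcp", WAN_IP2, 443)  # constructed inbound packets addressed to WAN_IP2
ssh = Packet("tcp", WAN_IP2, 22)

if __name__ == "__main__":
    for name, rules in [("first post", FIRST_POST), ("revised", REVISED), ("restricted", RESTRICTED)]:
        print(f"{name:10} https={wan_allows(rules, https)} ssh={wan_allows(rules, ssh)}")
```

With Protocol: Any, the revised rule passes every port to the internal host; the restricted rule set passes only the one service named in it.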