Virtual IP and Outbound NAT



  • Hello all,

    I would like to ask you for help with a small NAT issue. My pfSense has one WAN interface IP and several Virtual IPs. For the Virtual IPs I am using 1:1 NAT to the internal network. For example, the interface IP is 82.82.82.100 and the virtual IPs are 82.82.82.101-105. The server mapped to virtual IP .101 looks like .101 from the internet; this is correct. My question is: is it possible (via outbound NAT) for server 101 to look like IP 82.82.82.100 to specific (selected) internet IPs or ports? Or is this impossible under the rules of TCP/IP?

    Thank you
    idmax



  • Yes this is possible.



  • Nice, and how do I set up the outbound rule, please?

    @GruensFroeschli:

    Yes this is possible.



  • Firewall --> NAT --> "Outbound"
    Enable "Manual Outbound NAT"

    Create rules according to your needs.
    In the field "translation" you can set the VIP.



  • Yes, I set up a rule:

    Interface: WAN
    Source: 10.0.0.101 (internal IP of the server with public virtual IP 82.82.82.101), mask /32
    Destination: 72.14.207.99 (example Google site where I should appear as IP 82.82.82.100), mask /32
    Translation: "Interface address", port empty
    Description: test

    and it is not working. Is it wrong?

    Thanks

    @GruensFroeschli:

    Firewall --> NAT --> "Outbound"
    Enable "Manual Outbound NAT"

    Create rules according to your needs.
    In the field "translation" you can set the VIP.



  • In the field "translation" you can set the VIP.

    You need to create a VIP first.



  • Yes, but I want to map outbound traffic from server .101 to the interface IP (the real WAN IP), in this case 82.82.82.100.

    @GruensFroeschli:

    In the field "translation" you can set the VIP.

    You need to create a VIP first.



  • Ah, you mean you want the 1:1 NATed server to get outbound NAT via the main WAN?

    That's not possible.
    The concept of 1:1 NAT is that you NAT all ports bidirectionally.

    But you can achieve that with normal NAT.

    1: Delete the 1:1 NAT entry.
    2: Create a normal NAT entry with a port range from 1 to 65535 to your server and your VIP as the "external address".



  • Yes, exactly. Thank you very much for your help.

    @GruensFroeschli:

    Ah, you mean you want the 1:1 NATed server to get outbound NAT via the main WAN?

    That's not possible.
    The concept of 1:1 NAT is that you NAT all ports bidirectionally.

    But you can achieve that with normal NAT.

    1: Delete the 1:1 NAT entry.
    2: Create a normal NAT entry with a port range from 1 to 65535 to your server and your VIP as the "external address".



  • Sorry, I was under the impression that you wanted to NAT the other clients, besides the 1:1 NATed server, over the VIP too.

    But why are you using 1:1 NAT in the first place?
    IMO 1:1 NAT is bad.
    If you have to forward many single ports, just create an alias which contains all your ports and use this alias in the normal NAT rule.



  • @GruensFroeschli:

    Sorry, I was under the impression that you wanted to NAT the other clients, besides the 1:1 NATed server, over the VIP too.

    But why are you using 1:1 NAT in the first place?
    IMO 1:1 NAT is bad.
    If you have to forward many single ports, just create an alias which contains all your ports and use this alias in the normal NAT rule.

    For me, 1:1 is better for administration and the same security risk as port NAT.

    Example: If I want to open a port for a new service, then:

    1:1 NAT - open only the firewall
    PORTFW - open the firewall and set up the port forward (edit the alias)

    This is my idea....



  • You can use aliases in the firewall rules as well as in the NAT rules.

    Meaning, if you need to add/forward new ports, you just have to change the alias and nothing else.

    But I disagree that 1:1 NAT is more secure.
    If anything, it's less "secure", because you forward everything by default and only the firewall blocks connection attempts which are not allowed.
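    The two approaches discussed in this thread, written out as a pf.conf fragment. This is an added illustration, not the ruleset pfSense generates from the GUI and not from any poster; it assumes the WAN interface is em0, uses the addresses from the thread, and assumes the server only needs TCP 80 and 443 from the internet for the alias example at the end.

    ```pf
    # Assumed interface name and the addresses from the thread.
    wan    = "em0"
    wan_ip = "82.82.82.100"
    vip    = "82.82.82.101"
    srv    = "10.0.0.101"

    # --- Before: 1:1 NAT (binat). It is bidirectional for all ports, so every
    # packet the server sends leaves as $vip; an outbound nat rule that picks
    # $wan_ip for this server cannot take effect while this rule is active.
    # binat on $wan from $srv to any -> $vip

    # --- After: replace the binat with an inbound-only port forward (rdr) on
    # the VIP. Same inbound result as 1:1 NAT (ports 1-65535 reach the server)
    # but the outbound direction is no longer tied to the VIP.
    rdr on $wan proto { tcp udp } from any to $vip port 1:65535 -> $srv

    # Translation rules are first-match, so the specific destination goes first.
    nat on $wan from $srv to 72.14.207.99 -> $wan_ip   # appears as the WAN address
    nat on $wan from $srv to any          -> $vip      # everything else keeps the VIP
    nat on $wan from 10.0.0.0/24 to any   -> $wan_ip   # rest of the LAN (assumed subnet)

    # --- Recommended variant from the thread: forward only the ports the service
    # needs and keep them in one alias (a pf macro here; pfSense aliases end up as
    # macros or tables) that both the NAT rule and the firewall rule reuse.
    # Adding a port then means editing only this line.
    srv_ports = "{ 80, 443 }"
    rdr  on $wan proto tcp from any to $vip port $srv_ports -> $srv
    # Filter rules see the post-translation address, so the pass rule names the
    # internal server; everything not listed in $srv_ports stays blocked.
    pass in on $wan proto tcp from any to $srv port $srv_ports
    ```

    The two rdr lines would not normally coexist (the 1:65535 one is the direct replacement for 1:1 NAT, the $srv_ports one the narrower alternative); pick one. Keeping the same alias in both the rdr and the pass rule is what removes the "edit two places" objection raised earlier in the thread.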



  • Good idea :) use the same aliases for the firewall and NAT, thanks. In this case it is better to use port forwarding.

    Not more secure, but the same as PortForward, I think. Both are protected by the firewall. Only if the firewall fails can there be more of a security issue with 1:1.

