Vendor documentation is really key to helping admins set up and configure, well, really anything. You can say that about firewall vendors, network vendors, server vendors, etc. One thing I always admired about Cisco was their documentation on how to configure different things. I still believe they are one of the best at documentation.
PFSense has some decent documentation, but it is not always the clearest. 1:1 NAT'ing is one of those things to me. So I have outlined what you need to do for 1:1 NAT'ing when you need access to an internal device from the Internet.
Now first, I hate when people go into these long paragraphs of how things are supposed to work. I just want the answer I'm looking for. But one thing needs to be clarified here: 1:1 NAT and port forwarding are two different things. Port forwarding uses the IP address of the firewall's own WAN interface to reach your internal hosts, with different ports you configure mapped to different internal services. 1:1 NAT uses an additional IP address on the same network as your WAN interface, not the firewall interface's own address, and maps that whole address to one internal host. Clear?
Ok, so in most firewalls, you generally need a couple of things to make getting to an internal device from the Internet happen.
1. A NAT rule.
2. A firewall rule.
In Palo Alto, Cisco, Check Point, SonicWall, etc., that's all you need. However, in PFSense there is one more thing you have to do to make this work. It's called a virtual IP (under Firewall --> Virtual IP). By adding a virtual IP address you are telling the firewall that it owns that WAN-side address and must handle requests for the internal device you are NAT'ing to. If you don't, the firewall won't respond to ARP requests for that address on the WAN side, so the upstream router never forwards the traffic to it and the NAT rule never sees a packet. If you do add the virtual IP address that you want to use as the WAN address for your web server, etc., then it will respond to the ARP request and NAT your traffic through. I verified this with a packet capture, so you can be sure you do need this.
So for a PFSense 1:1 NAT, you need the following:
1. A NAT rule.
2. A firewall rule.
AND 3. A virtual IP address that is the same as your WAN side NAT that you configured in #1. (The subnet mask will be the same as your WAN interface subnet mask.)
Note that you can use this for port forwarding also.
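To make the three pieces concrete, here is what they look like as raw pf rules on FreeBSD, the packet filter PFSense is built on. This is an added illustration, not the original post's content and not the config PFSense itself generates; the interface name and the 203.0.113.x / 10.0.0.x addresses are constructed placeholders.

```pf
# Constructed example addresses (RFC 5737 / RFC 1918), not from the post.
wan_if  = "em0"
wan_vip = "203.0.113.50"   # extra WAN-side address, NOT the WAN interface's own IP
web_lan = "10.0.0.50"      # internal web server being published

# Step 3 in the post: the firewall must own the virtual IP so it answers ARP
# for it on the WAN segment. In PFSense that is Firewall > Virtual IPs; on plain
# FreeBSD the equivalent is an interface alias with the WAN subnet mask, e.g.
#   ifconfig em0 alias 203.0.113.50 netmask 255.255.255.0
# Without this step the two rules below never see any inbound traffic.

# Step 1: the 1:1 NAT rule. binat is bidirectional: inbound packets to the VIP
# are rewritten to the LAN host, and the LAN host's outbound traffic leaves
# sourced from the VIP instead of the WAN interface address.
binat on $wan_if from $web_lan to any -> $wan_vip

# Step 2: the firewall rule. pf translates before it filters, so the pass rule
# matches the INTERNAL address; this is also why the PFSense firewall rule for
# 1:1 NAT traffic uses the private IP as its destination. Only the ports the
# server actually needs are opened; everything else to the VIP is dropped by
# the default block policy.
pass in quick on $wan_if inet proto tcp from any to $web_lan port { 80, 443 } keep state

# For comparison, the port-forwarding counterpart the post mentions uses the WAN
# interface's own address and a single port instead of a whole address:
#   rdr on $wan_if inet proto tcp from any to ($wan_if) port 8443 -> $web_lan port 443
```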
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Would the lack of #3 result in one-way audio? Outgoing audio is fine, but not incoming.
Possibly. Don't need that going out, do coming in. I suspect that could happen.