1:1 NAT

1:1 NAT (pronounced “one-to-one NAT”) maps one external IP address (usually public) to one internal IP address (usually private).

All traffic originating from that private IP address going to the Internet through the interface selected on the 1:1 NAT entry will be mapped by 1:1 NAT to the public IP address defined in the entry, overriding the Outbound NAT configuration.

All traffic initiated on the Internet destined for the specified public IP address on the mapping will be translated to the private IP address, then evaluated against the firewall ruleset on the inbound WAN interface. If matching traffic is permitted by the firewall rules to a target of the private IP address, it will be passed to the internal host.

1:1 NAT can also translate whole subnets as well as single addresses, provided they are of the same size and align on proper subnet boundaries.

The ports on a connection remain constant with 1:1 NAT; For outbound connections, the source ports used by the local system are preserved, similar to using Static Port on outbound NAT rules.

Risks of 1:1 NAT

The risks of 1:1 NAT are largely the same as port forwards, if WAN firewall rules permit traffic. Any time rules permit traffic, potentially harmful traffic may be admitted into the local network. There is a slight added risk when using 1:1 NAT in that firewall rule mistakes can have more dire consequences. With port forward entries, traffic is limited by constraints within the NAT rule and the firewall rule. If TCP port 80 is opened by a port forward rule, then an allow all rule on WAN would still only permit TCP 80 on that internal host. If 1:1 NAT rules are in place and an allow all rule exists on WAN, everything on that internal host will be accessible from the Internet. Misconfigurations are always a potential hazard, and this usually should not be considered a reason to avoid 1:1 NAT. Keep this fact in mind when configuring firewall rules, and as always, avoid permitting anything that is not required.

1:1 NAT Rule Options

When adding or editing a 1:1 NAT rule entry under Firewall > NAT on the 1:1 tab, each entry has the following options:

Disabled

Controls whether this 1:1 NAT entry is active.

Not BINAT (NOT)

When checked, this option excludes traffic matching this 1:1 rule from 1:1 NAT if it would otherwise match another rule below it in the ruleset.

Interface

The interface where the 1:1 NAT translation will take place, typically a WAN type interface.

The 1:1 NAT rule will only affect traffic entering and exiting this specific interface. If there are multiple WAN type interfaces, nudging traffic to use this interface may require static routing, policy routing, or equivalent configurations.

Address Family

Choose between IPv4 and IPv6 based on the type of addresses to be used in the fields on this rule.

Tip

Though 1:1 NAT rules can be used with IPv6 in most cases IPv6 Network Prefix Translation (NPt) is a better fit for translating the prefix of IPv6 traffic.

External subnet IP

The IP address to which the Internal IP address will be translated as it enters or leaves the Interface. This is typically a Virtual IP address on Interface, or an IP address routed to the firewall via Interface.

Internal IP

The IP address behind the firewall that will be translated to the External subnet IP address. This is typically an IP address behind this firewall. The device with this address must use this firewall as its gateway directly (attached) or indirectly (via static route). Specifying a subnet mask here will translate the entire network matching the subnet mask. For example using x.x.x.0/24 will translate anything in that subnet to its equivalent in the external subnet.

Destination

Optional, a network restriction that limits the 1:1 NAT entry. When a value is present, the 1:1 NAT will only take effect when traffic is going from the Internal IP address to the Destination address on the way out, or from the Destination address to the External subnet IP address on the way into the firewall. The Destination field supports the use of aliases.

Description

An optional text description to explain the purpose of this entry.

NAT reflection

An override for the global NAT reflection options. Use system default will respect the global NAT reflection settings, enable will always perform NAT reflection for this entry, and disable will never do NAT reflection for this entry. For more information on NAT Reflection, see NAT Reflection.

Configuring a 1:1 NAT rule

To configure 1:1 NAT:

  • Add a Virtual IP for the public IP address to be used for the 1:1 NAT entry as described in Virtual IP Addresses

  • Navigate to Firewall > NAT, 1:1 tab

  • Click fa-level-up Add to create a new 1:1 entry at the top of the list

  • Configure the 1:1 NAT entry described in 1:1 NAT Rule Options

  • Click Save

  • Click Apply Changes

Example Single IP Address 1:1 Configuration

This section demonstrates how to configure a 1:1 NAT entry with a single internal and external IP address. In this example, 198.51.100.210 is a Virtual IP address on the WAN interface. In most deployments this will be substituted with a working public IP addresses. The mail server in this mapping resides on a DMZ segment using internal IP address 10.3.1.15. The 1:1 NAT entry to map 198.51.100.210 to 10.3.1.15 is shown in Figure 1:1 NAT Entry.

../_images/nat-1to1-singleip-example.png

1:1 NAT Entry

Example IP Address Range 1:1 Configuration

1:1 NAT can be configured for multiple public IP addresses by using CIDR ranges. In this example, 1:1 NAT is configured for a /30 CIDR range of IPs.

See also

See CIDR Summarization for more information on summarizing networks or groups of IP addresses inside a larger subnet using CIDR notation.

/30 CIDR Mapping Matching Final Octet

External IP

Internal IP

198.51.100.64/30

10.3.1.64/30

198.51.100.64

10.3.1.64

198.51.100.65

10.3.1.65

198.51.100.66

10.3.1.66

198.51.100.67

10.3.1.67

The last octet of the IP addresses need not be the same on the inside and outside, but doing so makes it logically simpler to follow. For example, Table /30 CIDR Mapping Non-Matching Final Octet is also valid.

/30 CIDR Mapping Non-Matching Final Octet

External IP

Internal IP

198.51.100.64/30

10.3.1.200/30

198.51.100.64

10.3.1.200

198.51.100.65

10.3.1.201

198.51.100.66

10.3.1.202

198.51.100.67

10.3.1.203

Choosing an addressing scheme where the last octet matches makes the layout easier to understand and hence maintain. Figure 1:1 NAT entry for /30 CIDR range shows how to configure 1:1 NAT to achieve the mapping listed in Table /30 CIDR Mapping Matching Final Octet.

../_images/nat-1to1-edit-30range.png

1:1 NAT entry for /30 CIDR range

1:1 NAT on the WAN IP, aka “DMZ” on Linksys

Some consumer routers such as those from Cisco/Linksys have what they call a “DMZ” feature that will forward all ports and protocols destined to the WAN IP address to a system on the LAN. In effect, this is 1:1 NAT between the WAN IP address and the IP address of the internal system. “DMZ” in that context, however, has nothing to do with what an actual DMZ network is in real networking terminology. In fact, it’s almost the opposite. A host in a true DMZ is in an isolated network away from the other LAN hosts, secured away from the Internet and LAN hosts alike. In contrast, a “DMZ” host in the Linksys meaning is not only on the same network as the LAN hosts, but completely exposed to incoming traffic with no protection.

In pfSense® software, 1:1 NAT can be active on the WAN IP address, with the caveat that it will leave all services running on the firewall itself inaccessible externally. So 1:1 NAT cannot be used on the WAN IP address in cases where VPNs of any type are enabled, or other local services on the firewall must be accessible externally. In some cases, this limitation can be mitigated by a port forward for locally hosted services.