Training: NAT and Virtual IPs
Module Overview: This module covers Network Address Translation (NAT) and Virtual IPs (VIPs) in pfSense Plus. You will learn the different types of NAT, how NAT interacts with firewall rules, and best practices for configuring translation in production networks.
Learning Objectives
By the end of this module, you will be able to:
- Explain what NAT is and how it modifies IP packet headers
- Identify common uses for NAT (Internet access, conflicting networks, routing issues)
- Distinguish between NAT rules and firewall rules
- Describe Port Forwards, 1:1 NAT, and Outbound NAT
- Understand NAT Reflection and why it should be avoided
- Troubleshoot common NAT problems
What is NAT?
Network Address Translation (NAT) is the rewriting of the addressing fields in IP packet headers as packets pass through the firewall. Depending on the rule, it replaces:
- The source and/or destination IP address
- The source and/or destination port for TCP and UDP (and the identifier for ICMP)
Common Uses of NAT
- Internet access for private networks
- Connection of conflicting networks (overlapping IP ranges)
- Working around routing issues
NAT and Firewall Rules
NAT rules are not firewall rules. A NAT rule only defines how addresses and ports are translated; a separate firewall rule must still allow the (translated) traffic to pass, otherwise the default deny drops it even though the translation itself is correct.
Key Points
- NAT rules and firewall rules are each matched top-down; the first matching rule wins
- Rules on LAN are evaluated before outbound NAT is applied, so they see the client's private source IP
- Rules on WAN are evaluated after port forward and 1:1 translation, so they must match the private (internal) destination IP, not the public one
- Port forwards: pfSense Plus can automatically add the associated firewall rule, already written against the internal address
Types of NAT
Port Forwards
Port forwards redirect traffic arriving on one interface to a different address and/or port. Common use cases include:
- Traditional port forward (e.g., a port on the public WAN address to an internal server)
- Transparent HTTP proxy (redirecting outbound TCP/80 from LAN clients to a local proxy)
- Redirecting outbound SMTP or DNS from LAN clients to a chosen server (e.g., forcing all DNS queries to the firewall's own resolver)
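The port forward, the firewall rule it needs, and the LAN-side DNS redirection above, written out as an added example in pf rule syntax (the form pfSense Plus compiles its NAT and firewall entries into). This is illustration, not taken from the Netgate slides; the interface names em0/em1 and the addresses 200.100.1.10, 192.168.1.1 and 192.168.1.80 are assumptions.

```pf
# Added example, not from the Netgate slides. Assumed layout: WAN em0 with
# address 200.100.1.10, LAN em1 on 192.168.1.0/24 with the firewall at
# 192.168.1.1, and a web server at 192.168.1.80.
wan_if  = "em0"
wan_ip  = "200.100.1.10"
web_srv = "192.168.1.80"
lan_if  = "em1"
lan_ip  = "192.168.1.1"

# --- Port forward (Firewall > NAT > Port Forward) ---
# Translation rules run before filter rules and are matched top-down,
# first match wins. This rewrites the destination of inbound TCP/443
# from the public address to the internal server.
rdr on $wan_if proto tcp from any to $wan_ip port 443 -> $web_srv port 443

# --- The firewall rule that actually allows the traffic ---
# By the time the WAN filter rules run, the destination is already
# 192.168.1.80, so the rule must match the private address. This is what
# the automatically added "associated filter rule" compiles to.
pass in quick on $wan_if proto tcp from any to $web_srv port 443 keep state

# --- Common mistake ---
# A rule written against the public address never matches a forwarded
# packet (its destination has already been rewritten), so the connection
# hits the default deny even though the port forward itself is correct.
# pass in quick on $wan_if proto tcp from any to $wan_ip port 443 keep state

# --- Redirecting LAN clients to the firewall's own resolver ---
# Port forwards also work on internal interfaces: any DNS query from LAN
# that is not already aimed at the firewall is sent to it instead.
rdr on $lan_if proto { tcp, udp } from 192.168.1.0/24 to ! $lan_ip port 53 -> $lan_ip port 53
pass in quick on $lan_if proto { tcp, udp } from 192.168.1.0/24 to $lan_ip port 53 keep state
```

On pfSense the GUI writes the compiled ruleset to /tmp/rules.debug, which is where to confirm what a NAT or firewall entry actually became; on a plain FreeBSD pf host the same file can be syntax-checked without loading it using `pfctl -nf`.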
1:1 NAT
1:1 NAT is a bidirectional mapping of one internal IP to one external IP: outbound traffic from the internal host leaves with the external address as its source, and inbound traffic to the external address (on every port) is translated to the internal host. Key characteristics:
- Can also map one internal network to one external network of the same size
- Configured on a per-interface basis; the external address must exist on that interface as a Virtual IP (unless it is the interface address itself)
- Can optionally be limited to specific destinations, so only traffic to those networks is translated
- Still requires a firewall rule on the external interface, matching the internal address, for inbound connections
| Type | External IP | Internal IP |
|---|---|---|
| Host | 200.100.1.12 | 192.168.1.99 |
Outbound NAT
Outbound NAT controls how the source address of traffic leaving the firewall is translated, typically to the WAN address so that many private hosts can share it.
- Automatic outbound: the default; pfSense Plus generates a rule for each internal and VPN network that translates its traffic to the address of the interface it leaves on
- Manual outbound: the administrator defines all rules explicitly; no automatic rules exist
- Hybrid mode: manual rules are evaluated first, then the automatic rules, so a manual rule can override the default for specific traffic
Outbound NAT rule options include:
- Static port: preserve the original source port instead of rewriting it to an ephemeral one; required by protocols that expect it, such as IPsec IKE on UDP/500 and some SIP implementations
- Pool options: distribute translation across multiple addresses (round robin, random, source hash, and sticky variants that keep one client on one address)
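The 1:1 mapping from the table above together with the Outbound NAT modes and options, as an added example in pf rule syntax (what pfSense Plus compiles these entries into); this is illustration, not from the Netgate slides. Assumed: WAN em0 with address 200.100.1.10 and Virtual IPs 200.100.1.12, 200.100.1.20 and 200.100.1.21; LAN 192.168.1.0/24; a second internal network 192.168.2.0/24 mapped to 200.100.2.0/24; 198.51.100.0/24 is an assumed partner network.

```pf
# Added example, not from the Netgate slides. Assumed layout: WAN em0 with
# address 200.100.1.10 and Virtual IPs 200.100.1.12, .20 and .21 on it;
# LAN 192.168.1.0/24; second LAN 192.168.2.0/24; partner 198.51.100.0/24.
wan_if = "em0"
wan_ip = "200.100.1.10"

# --- 1:1 NAT (Firewall > NAT > 1:1), the host mapping from the table ---
# binat is bidirectional: traffic from 192.168.1.99 leaves as 200.100.1.12
# and anything arriving for 200.100.1.12 (every port) is translated to
# 192.168.1.99. 200.100.1.12 must exist on WAN as a Virtual IP, and a WAN
# firewall rule with destination 192.168.1.99 is still needed for inbound.
binat on $wan_if from 192.168.1.99 to any -> 200.100.1.12

# Same mapping limited to one destination network: only traffic between
# 192.168.1.99 and 198.51.100.0/24 is translated (use instead of the above).
# binat on $wan_if from 192.168.1.99 to 198.51.100.0/24 -> 200.100.1.12

# Network-to-network: equal-size prefixes, host bits are carried across
# (192.168.2.7 <-> 200.100.2.7).
binat on $wan_if from 192.168.2.0/24 to any -> 200.100.2.0/24

# --- Outbound NAT (Firewall > NAT > Outbound) ---
# Translation rules are first match wins, so specific rules go first. In
# Hybrid mode pfSense places manual rules like this one above the automatic
# ones for exactly that reason.
# Static port: keep the source port. IPsec IKE (UDP/500) expects this and
# breaks when the port is rewritten.
nat on $wan_if proto udp from 192.168.1.0/24 to any port 500 -> $wan_ip static-port

# Pool option: spread new connections from LAN across several public
# addresses (round-robin). Would replace the catch-all below; it cannot sit
# after it, since the catch-all would match first.
# nat on $wan_if from 192.168.1.0/24 to any -> { 200.100.1.20, 200.100.1.21 } round-robin

# Catch-all, equivalent to what Automatic outbound NAT generates for each
# internal network: source becomes the WAN address with a rewritten
# ephemeral source port.
nat on $wan_if from 192.168.1.0/24 to any -> $wan_ip port 1024:65535
```

Note that the second network's outbound traffic is already handled by its binat rule, so it needs no nat rule; ordering only matters among rules that could match the same packet.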
NAT Reflection
NAT Reflection allows clients on an internal network to reach a port-forwarded or 1:1-mapped service via its public IP, by looping the traffic back through the firewall instead of sending it out the WAN.
Best Practice: NAT Reflection should be avoided whenever possible because it:
- Adds unnecessary overhead, since traffic between two internal hosts is translated twice and traverses the firewall
- Loses the original source IP information: the firewall must rewrite the client's source address so the server's reply returns through the firewall, so the server sees the firewall's address in its logs rather than the client's
Alternative: Use Split DNS instead, an internal DNS server (for example a Host Override in the pfSense DNS Resolver) that answers the service's public hostname with its private IP, so internal clients connect directly.
Troubleshooting NAT
Remember these key troubleshooting steps:
- First match wins: rules are evaluated top-down, so check whether an earlier, broader NAT or firewall rule is catching the traffic
- Ensure the correct interface is selected; NAT rules apply only on the interface they are bound to
- Check that the firewall rule matches the post-NAT addresses (the private destination for inbound port forwards and 1:1 NAT)
- Review firewall states (Diagnostics > States); a state entry showing the translated address confirms the NAT rule matched, while no state at all usually means the traffic never reached or never passed the firewall
- Verify Virtual IP configuration if applicable; a port forward or 1:1 mapping to a public address that does not exist on the interface will not work
- Use Packet Capture (Diagnostics > Packet Capture) on both the inbound and outbound interface to see whether packets arrive and whether they leave translated
- See the troubleshooting section in the NAT chapter of the pfSense book
Summary
- NAT rules are not firewall rules
- Both are still matched in a top-down fashion
- You still need firewall rules to allow traffic to pass
- NAT Reflection is suboptimal — use an internal DNS server instead
- 1:1 NAT can be host-to-host or network-to-network
- NAT is interface-specific
Next Module
Continue to Lab 3: NAT and Virtual IPs for hands-on exercises configuring Virtual IPs, Port Forwards, 1:1 NAT, and Outbound NAT.
Source: Netgate FUND001-LIVE-SLIDE-SEG3-NATVIP.pdf / FUND001-LIVE-Lab3-NATandVIPs.pdf