https://mediawiki.comfac.net/index.php?action=history&feed=atom&title=Training%3A_NAT_and_Virtual_IPsTraining: NAT and Virtual IPs - Revision history2026-06-05T11:02:11ZRevision history for this page on the wikiMediaWiki 1.45.1https://mediawiki.comfac.net/index.php?title=Training:_NAT_and_Virtual_IPs&diff=229&oldid=prevJustinaquino: Created from Netgate pfSense training PDF2026-04-23T06:58:55Z<p>Created from Netgate pfSense training PDF</p>
<p><b>New page</b></p><div>__NOTOC__<br />
<br />
<div style="background-color: #e7f3ff; border-left: 6px solid #2196F3; padding: 16px; margin-bottom: 20px;"><br />
<strong>Module Overview:</strong> This module covers Network Address Translation (NAT) and Virtual IPs (VIPs) in pfSense Plus. You will learn the different types of NAT, how NAT interacts with firewall rules, and best practices for configuring translation in production networks.<br />
</div><br />
<br />
== Learning Objectives ==<br />
<br />
By the end of this module, you will be able to:<br />
<br />
* Explain what NAT is and how it modifies IP packet headers<br />
* Identify common uses for NAT (Internet access, conflicting networks, routing issues)<br />
* Distinguish between NAT rules and firewall rules<br />
* Describe Port Forwards, 1:1 NAT, and Outbound NAT<br />
* Understand NAT Reflection and why it should be avoided<br />
* Troubleshoot common NAT problems<br />
<br />
== What is NAT? ==<br />
<br />
'''Network Address Translation (NAT)''' is the modification of IP packet headers. It involves the replacement of:<br />
<br />
* Source and/or destination IP addresses<br />
* Source and/or destination ports for TCP and UDP<br />
<br />
=== Common Uses of NAT ===<br />
<br />
* Internet access for private networks<br />
* Connection of conflicting networks (overlapping IP ranges)<br />
* Working around routing issues<br />
<br />
== NAT and Firewall Rules ==<br />
<br />
NAT rules are '''not''' firewall rules. NAT rules only define translation. You still need firewall rules to allow traffic to pass.<br />
<br />
=== Key Points ===<br />
<br />
* NAT rules and firewall rules are matched in a top-down fashion<br />
* '''LAN rules''' are evaluated '''pre-NAT''' (using private source IPs)<br />
* '''WAN rules''' are evaluated '''post-NAT''' (using private destination IPs)<br />
* Port forwards — pfSense Plus can automatically add corresponding firewall rules<br />
<br />
== Types of NAT ==<br />
<br />
=== Port Forwards ===<br />
<br />
Port forwards provide traffic redirection. Common use cases include:<br />
<br />
* Traditional port forward (e.g., external port to internal server)<br />
* Transparent HTTP proxy<br />
* Redirection of SMTP, DNS<br />
<br />
=== 1:1 NAT ===<br />
<br />
1:1 NAT is a mapping of one internal IP to one external IP. Key characteristics:<br />
<br />
* Can also map one internal network to one external network<br />
* Configured on a per-interface basis<br />
* Can optionally be limited to specific destinations<br />
<br />
{| class="wikitable"<br />
|+ 1:1 NAT Example<br />
|-<br />
! Type !! External IP !! Internal IP<br />
|-<br />
| Host || 200.100.1.12 || 192.168.1.99<br />
|}<br />
<br />
=== Outbound NAT ===<br />
<br />
Outbound NAT controls how traffic leaving the firewall is translated.<br />
<br />
* '''Automatic outbound''' — Default behavior; pfSense Plus automatically creates rules<br />
* '''Manual outbound''' — Administrator defines all rules explicitly<br />
* '''Hybrid mode''' — Combines automatic and manual rules<br />
<br />
Outbound NAT rule options include:<br />
<br />
* '''Static port''' — Preserve the original source port<br />
* '''Pool options''' — Distribute translation across multiple IPs<br />
<br />
== NAT Reflection ==<br />
<br />
NAT Reflection allows accessing services via their public IP from inside the network.<br />
<br />
'''Best Practice:''' NAT Reflection should be avoided whenever possible because it:<br />
<br />
* Adds unnecessary overhead<br />
* Loses the original source IP information<br />
<br />
'''Alternative:''' Use Split DNS (internal DNS server resolving to private IPs) instead.<br />
<br />
== Troubleshooting NAT ==<br />
<br />
Remember these key troubleshooting steps:<br />
<br />
* '''First match wins''' — Rules are evaluated top-down<br />
* Ensure the correct interface is selected<br />
* Review firewall states (Diagnostics → States)<br />
* Verify Virtual IP configuration if applicable<br />
* Use Packet Capture for detailed inspection<br />
* See the troubleshooting section in the NAT chapter of the pfSense book<br />
<br />
== Summary ==<br />
<br />
* NAT rules are '''not''' firewall rules<br />
* Both are still matched in a top-down fashion<br />
* You still need firewall rules to allow traffic to pass<br />
* NAT Reflection is suboptimal — use an internal DNS server instead<br />
* 1:1 NAT can be host-to-host or network-to-network<br />
* NAT is interface-specific<br />
<br />
== Next Module ==<br />
<br />
Continue to '''[[Training_Lab_3:_NAT_and_Virtual_IPs|Lab 3: NAT and Virtual IPs]]''' for hands-on exercises configuring Virtual IPs, Port Forwards, 1:1 NAT, and Outbound NAT.<br />
<br />
----<br />
<br />
''Source: Netgate FUND001-LIVE-SLIDE-SEG3-NATVIP.pdf / FUND001-LIVE-Lab3-NATandVIPs.pdf''</div>Justinaquino