1:1 NAT (pronounced “one-to-one NAT”) maps one external IP address (usually public) to one internal IP address (usually private).
All traffic originating from that private IP address going to the Internet through the interface selected on the 1:1 NAT entry will be mapped by 1:1 NAT to the public IP address defined in the entry, overriding the Outbound NAT configuration.
All traffic initiated on the Internet destined for the specified public IP address on the mapping will be translated to the private IP address, then evaluated against the firewall ruleset on the inbound WAN interface. If matching traffic is permitted by the firewall rules to a target of the private IP address, it will be passed to the internal host.
1:1 NAT can also translate whole subnets as well as single addresses, provided they are of the same size and align on proper subnet boundaries.
The ports on a connection remain constant with 1:1 NAT: for outbound connections, the source ports used by the local system are preserved, similar to using Static Port on outbound NAT rules.
Risks of 1:1 NAT
The risks of 1:1 NAT are largely the same as port forwards, if WAN firewall rules permit traffic. Any time rules permit traffic, potentially harmful traffic may be admitted into the local network. There is a slight added risk when using 1:1 NAT in that firewall rule mistakes can have more dire consequences. With port forward entries, traffic is limited by constraints within the NAT rule and the firewall rule. If TCP port 80 is opened by a port forward rule, then an allow all rule on WAN would still only permit TCP 80 on that internal host. If 1:1 NAT rules are in place and an allow all rule exists on WAN, everything on that internal host will be accessible from the Internet. Misconfigurations are always a potential hazard, and this usually should not be considered a reason to avoid 1:1 NAT. Keep this fact in mind when configuring firewall rules, and as always, avoid permitting anything that is not required.
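The difference described above can be made concrete with a small model of the inbound path (translate first, then evaluate the WAN ruleset against the translated packet). This is an added illustration, not pfSense code; the addresses are the ones from the single-address example later on the page, and the three sample inbound packets are constructed.

```python
from dataclasses import dataclass

PUBLIC_IP = "198.51.100.210"   # WAN virtual IP from the page's single-address example
INTERNAL_IP = "10.3.1.15"      # DMZ mail server from the same example


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


def port_forward(pkt, proto="tcp", port=80):
    """Port forward: translate only the one protocol/port named in the NAT rule."""
    if pkt.dst_ip == PUBLIC_IP and pkt.proto == proto and pkt.dst_port == port:
        return Packet(pkt.proto, INTERNAL_IP, pkt.dst_port)
    return pkt  # anything else stays addressed to the firewall's own WAN IP


def one_to_one_nat(pkt):
    """1:1 NAT: translate every protocol and port destined for the public IP."""
    if pkt.dst_ip == PUBLIC_IP:
        return Packet(pkt.proto, INTERNAL_IP, pkt.dst_port)
    return pkt


def allow_all(pkt):
    """An 'allow all' WAN rule (the misconfiguration the text warns about)."""
    return True


def allow_only_http(pkt):
    """A minimal WAN rule: only TCP 80 to the internal host, nothing else."""
    return pkt.proto == "tcp" and pkt.dst_ip == INTERNAL_IP and pkt.dst_port == 80


def reaches_host(pkt, nat, rule):
    """Inbound order from the text: NAT first, then the WAN rule on the result.
    The internal host is only reached if translation actually pointed at it."""
    translated = nat(pkt)
    return rule(translated) and translated.dst_ip == INTERNAL_IP


# Constructed sample inbound packets, all aimed at the public IP.
SAMPLE_INBOUND = [Packet("tcp", PUBLIC_IP, 80),
                  Packet("tcp", PUBLIC_IP, 22),
                  Packet("tcp", PUBLIC_IP, 3389)]


def exposed_ports(nat, rule, packets=SAMPLE_INBOUND):
    """Which destination ports would actually arrive at the internal host."""
    return sorted(p.dst_port for p in packets if reaches_host(p, nat, rule))
```

With a port forward for TCP 80 the allow-all rule still exposes only port 80; with 1:1 NAT it exposes every probed port, and only a tightly scoped WAN rule brings that back down to 80.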
1:1 NAT Rule Options
When adding or editing a 1:1 NAT rule entry under Firewall > NAT on the 1:1 tab, each entry has the following options:
- Disabled
Controls whether this 1:1 NAT entry is active.
- Not BINAT (NOT)
When checked, this option excludes traffic matching this 1:1 rule from 1:1 NAT if it would otherwise match another rule below it in the ruleset.
- Interface
The interface where the 1:1 NAT translation will take place, typically a WAN type interface.
The 1:1 NAT rule will only affect traffic entering and exiting this specific interface. If there are multiple WAN type interfaces, steering traffic to use this interface may require static routing, policy routing, or equivalent configuration.
- Address Family
Choose between IPv4 and IPv6 based on the type of addresses to be used in the fields on this rule.
Though 1:1 NAT rules can be used with IPv6, in most cases IPv6 Network Prefix Translation (NPt) is a better fit for translating the prefix of IPv6 traffic.
- External subnet IP
The IP address to which the Internal IP address will be translated as it enters or leaves the Interface. This is typically a Virtual IP address on Interface, or an IP address routed to the firewall via Interface.
- Internal IP
The IP address behind the firewall that will be translated to the External subnet IP address. This is typically an IP address behind this firewall. The device with this address must use this firewall as its gateway directly (attached) or indirectly (via static route). Specifying a subnet mask here will translate the entire network matching the subnet mask. For example, using x.x.x.0/24 will translate anything in that subnet to its equivalent in the external subnet.
- Destination
An optional network restriction that limits the 1:1 NAT entry. When a value is present, the 1:1 NAT will only take effect when traffic is going from the Internal IP address to the Destination address on the way out, or from the Destination address to the External subnet IP address on the way into the firewall. The Destination field supports the use of aliases.
- Description
An optional text description to explain the purpose of this entry.
- NAT reflection
An override for the global NAT reflection options. Use system default will respect the global NAT reflection settings, enable will always perform NAT reflection for this entry, and disable will never do NAT reflection for this entry. For more information on NAT Reflection, see NAT Reflection.
Configuring a 1:1 NAT rule
To configure 1:1 NAT:
1. Add a Virtual IP for the public IP address to be used for the 1:1 NAT entry as described in Virtual IP Addresses
2. Navigate to Firewall > NAT, 1:1 tab
3. Click Add to create a new 1:1 entry at the top of the list
4. Configure the 1:1 NAT entry as described in 1:1 NAT Rule Options
5. Click Apply Changes
Example Single IP Address 1:1 Configuration
This section demonstrates how to configure a 1:1 NAT entry with a single internal and external IP address. In this example, 198.51.100.210 is a Virtual IP address on the WAN interface. In most deployments this will be substituted with a working public IP address. The mail server in this mapping resides on a DMZ segment using internal IP address 10.3.1.15. The 1:1 NAT entry to map 198.51.100.210 to 10.3.1.15 is shown in Figure 1:1 NAT Entry.
Example IP Address Range 1:1 Configuration
1:1 NAT can be configured for multiple public IP addresses by using CIDR ranges. In this example, 1:1 NAT is configured for a /30 CIDR range of IPs.
See CIDR Summarization for more information on summarizing networks or groups of IP addresses inside a larger subnet using CIDR notation.
The last octet of the IP addresses need not be the same on the inside and outside, but doing so makes it logically simpler to follow. For example, Table /30 CIDR Mapping Non-Matching Final Octet is also valid.
Choosing an addressing scheme where the last octet matches makes the layout easier to understand and hence maintain. Figure 1:1 NAT entry for /30 CIDR range shows how to configure 1:1 NAT to achieve the mapping listed in Table /30 CIDR Mapping Matching Final Octet.
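The subnet-to-subnet case, including the earlier requirement that both networks be the same size and aligned on subnet boundaries, and the non-matching-final-octet variant, can be worked through with the standard library. This is an added illustration, not pfSense's own implementation; the /30 ranges used (198.51.100.64/30 on the outside, 10.3.1.64/30 and 10.3.1.4/30 on the inside) are constructed and do not come from the page's figures or tables.

```python
import ipaddress


def binat_map(external_net, internal_net):
    """Return the address-to-address mapping a 1:1 NAT entry over two subnets implies.

    Both arguments are CIDR strings. strict=True makes ipaddress raise ValueError
    when host bits are set, i.e. when the block is not aligned on its own boundary.
    """
    ext = ipaddress.ip_network(external_net, strict=True)
    intl = ipaddress.ip_network(internal_net, strict=True)
    if ext.version != intl.version:
        raise ValueError("external and internal networks must share an address family")
    if ext.prefixlen != intl.prefixlen:
        raise ValueError(f"size mismatch: /{ext.prefixlen} vs /{intl.prefixlen}")
    # The n-th address of the external block maps to the n-th address of the
    # internal block, so the final octets only match if both blocks start alike.
    return {str(e): str(i) for e, i in zip(ext, intl)}


def is_valid_pair(external_net, internal_net):
    """True when the pair satisfies the same-size, boundary-aligned requirement."""
    try:
        binat_map(external_net, internal_net)
        return True
    except ValueError:
        return False


def translate_inbound(dst_ip, mapping):
    """Inbound: public destination becomes the internal host; other traffic untouched."""
    return mapping.get(dst_ip, dst_ip)


def translate_outbound(src_ip, mapping):
    """Outbound: internal source becomes its public equivalent (ports are preserved)."""
    inverse = {internal: external for external, internal in mapping.items()}
    return inverse.get(src_ip, src_ip)
```

The single-address example on this page is just the /32 case of the same function.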