Network Address Translation¶
In its most common usage, Network Address Translation (NAT) allows multiple computers using IPv4 to be connected to the Internet using a single public IPv4 address. pfSense® software enables these simple deployments, but also accommodates much more advanced and complex NAT configurations required in networks with multiple public IP addresses.
NAT is configured in two directions: inbound and outbound. Outbound NAT defines how traffic leaving a local network destined for a remote network, such as the Internet is translated. Inbound NAT refers to traffic entering a network from a remote network. The most common type of inbound NAT is port forwards, which is also the type many administrators are most familiar with.
Hangouts Archive to view the May 2016 Hangout on NAT with pfSense software version 2.3 and the earlier August 2014 Hangout on Network Address Translation.
Default NAT Configuration¶
This section describes the default NAT configuration present on pfSense software. The most appropriate NAT configuration that can be determined is generated automatically. In some environments, this configuration may not be suitable, and pfSense software fully enables changing it from the web interface. This is a contrast from many other open source firewall distributions, which do not allow the capabilities commonly required in all but small, simple networks.
Default Outbound NAT Configuration¶
In a typical two-interface setup with LAN and WAN, the default NAT configuration automatically translates Internet-bound traffic to the WAN IP address. When multiple WAN interfaces are configured, traffic leaving any WAN interface is automatically translated to the address of the WAN interface being used.
Static port is automatically configured for IKE (part of IPsec). Static port is covered in more detail in Outbound NAT about Outbound NAT.
For detecting WAN-type interfaces for use with NAT, pfSense software looks for the presence of a gateway selected on the interface configuration if it has a static IP address, or pfSense software assumes the interface is a WAN if it is a dynamic type such as PPPoE or DHCP.
Default Inbound NAT Configuration¶
By default, nothing is allowed in from the Internet on the WAN interface. If traffic initiated on the Internet must be allowed to reach a host on the internal network, port forwards or 1:1 NAT are required. This is covered in the coming sections.