1:1 NAT with Firewalla
I know this has been asked, and may have been answered, but I want to be very clear about the support before I commit to buying a new router.
The context -- I have a /28 subnet coming in to my network, so I have about a dozen different IP addresses that are active at any time on the inbound side. Behind this, I have about 20 virtual servers, many of which are accessible from the outside world. These include multiple e-mail and web servers, so I am routing the same port number to different machines, a la "HTTP traffic on this incoming IP address goes to machine A, but HTTP traffic on this other IP address goes to machine X". The configuration can change fairly frequently -- test and demo systems get put up and taken down as development work progresses and customers get shown works in progress.
My current firewall/router is an older Netgear device that very nicely supports 1:1 NAT, so I can route various protocols from various addresses to various internal machines. Outbound traffic all shows as coming from the same IP address, as that is the way my vendor configures the modem. I can live with that, as it has worked fine for many years. The modem operates in bridge mode, so all the inbound IP addresses are passed to the router, and distributed to the network from there. Establishing the routings is dead simple on this box, so I'm looking for similar support, and similar simplicity.
I want to be able to drop in a replacement for the Netgear box, have all the same functionality for easy routing, and hopefully gain better performance and tighter security. So, that brings us to the question (finally) -- will some model of Firewalla box do this, or should I be looking elsewhere, such as to a PfSense/OpnSense device?
Cheers
Norm
-
Have you looked at https://help.firewalla.com/hc/en-us/articles/360046703673-Firewalla-Feature-Guide-Network-Manager#h_01EDNZSTWSTDX9PA34NM2NQKJF
Firewalla does support multiple IPs on the WAN side and can port forward them to hosts inside of your network.
There is also source NAT, to support devices going out.
-
I've gone through the documentation you referenced, and thanks for that pointer. However, in the section that discusses multiple IPs on the WAN side, there are two problems. One is that there is a limit of 5 IPs for a single WAN connection. That only incompletely supports a /29 subnet, but is totally inadequate for a /28. The second issue is that the document doesn't specifically show multiple ports being forwarded to different internal servers. The "Internal port" part of the document shows "Device -- Not set", so the example is incomplete, and therefore not really clear as to whether this is supported.
I have no interest in source NAT, as my connection to my ISP doesn't support it. My modem has its own IP address, and all outbound traffic uses that address, regardless of which of my internal servers sent the packet. It causes a little confusion in configuring some protocols such as MX connections, but it all works in the end.
-
How many IPs do you need to be forwarded? The 5 is not based on subnet; it is based on either memory or CPU.
As for "multiple ports being forwarded to different internal servers": you can tap on the device "Not set" to change the internal device; that part is just the UI saying you haven't selected anything.
-
I currently have 13 IPs being forwarded to various servers behind my firewall, and another 5 or 6 that are not currently in use, but could be assigned on short notice. There is a mix of ports being forwarded, including HTTP/HTTPS to several servers, SSH (to a couple of Linux servers), SMTP to different e-mail servers, various database protocols (1433 to SQL, 3306 to Oracle, plus MySQL/MariaDB), and FTP (with support for passive FTP). I even run RDP to a couple of virtual desktops so that clients can demo some of the software under development. This last category changes frequently as various test machines get put up or taken down.
-
Sorry for the confusion in the example UI. You can set the device to any local device, so port forwarding from a certain WAN IP to your internal servers could work as you wish. Additionally, you can specify which sources (e.g., IP/IP Range/Region) are allowed to access the port from outside.
As for the /28 subnet, the Gold models currently support only up to 5 additional WAN IPs, while Gold Pro (now in pre-order) supports 1 + 10 additional WAN IPs. We may potentially increase the limit, but as mentioned above, it depends on the device's CPU/memory. May I know which Netgear model you are using?
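The thread boils down to two checks a practitioner would run before buying: does the forwarding table itself make sense (every public IP inside the /28, no two rules claiming the same WAN IP, protocol and port), and does the number of distinct WAN IPs fit the device limits quoted above (Gold: 5 additional; Gold Pro: 1 + 10). The script below is an added example, not Firewalla or Netgear code; the /28 prefix, the internal hosts and the forwarding rows are constructed, and the nftables rendering is only an illustration of what such a per-WAN-IP DNAT table expresses.

```python
import ipaddress
from collections import Counter

# Constructed placeholder: the poster's real /28 is not given in the thread.
WAN_PREFIX = ipaddress.ip_network("203.0.113.0/28")

# Total usable WAN IPs per model, from the figures stated in the thread:
# Gold = primary + 5 additional, Gold Pro = 1 + 10 additional.
MODEL_WAN_IP_LIMITS = {"Gold": 1 + 5, "Gold Pro": 1 + 10}

# Constructed forwarding table: (wan_ip, proto, port, internal_host).
# The same port on different WAN IPs lands on different servers, as in the question.
FORWARDS = [
    ("203.0.113.2", "tcp", 80,   "10.0.0.11"),  # web server A
    ("203.0.113.2", "tcp", 443,  "10.0.0.11"),
    ("203.0.113.3", "tcp", 80,   "10.0.0.12"),  # web server X
    ("203.0.113.3", "tcp", 25,   "10.0.0.20"),  # mail server
    ("203.0.113.4", "tcp", 3389, "10.0.0.30"),  # demo desktop
]

def validate(forwards, prefix=WAN_PREFIX):
    """List problems: WAN IPs outside the prefix, and duplicate (ip, proto, port) keys."""
    problems = set()
    for ip, _proto, _port, _host in forwards:
        if ipaddress.ip_address(ip) not in prefix:
            problems.add(f"{ip} is outside {prefix}")
    keys = Counter((ip, proto, port) for ip, proto, port, _host in forwards)
    for (ip, proto, port), n in keys.items():
        if n > 1:
            problems.add(f"{ip} {proto}/{port} is mapped {n} times")
    return sorted(problems)

def wan_ips_needed(forwards):
    """Distinct public addresses the table consumes (what the device limit counts)."""
    return len({ip for ip, *_ in forwards})

def models_that_fit(forwards, limits=MODEL_WAN_IP_LIMITS):
    need = wan_ips_needed(forwards)
    return [model for model, cap in limits.items() if need <= cap]

def nft_dnat_rules(forwards, wan_if="eth0"):
    """Render the table as nftables DNAT rules (illustrative; not Firewalla's own config)."""
    return [f"iifname {wan_if} ip daddr {ip} {proto} dport {port} dnat to {host}"
            for ip, proto, port, host in forwards]

if __name__ == "__main__":
    print(validate(FORWARDS) or "table OK")
    print(wan_ips_needed(FORWARDS), "WAN IPs needed; fits:", models_that_fit(FORWARDS))
    print("\n".join(nft_dnat_rules(FORWARDS)))
```

With the poster's 13 active WAN IPs the table would exceed both stated limits, which is the point the thread arrives at.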
-
Right at the moment I'm running the NETGEAR ProSafe VPN Firewall FVS338. I also have the FVS336 and I occasionally swap the two around, mainly if I am making substantial changes to the configuration. I can re-program one off-line then swap them quickly, which minimizes any downtime, and limits the scope of any mistake I might make. It means I also always have a ready backup in case of failure.
I very much like the NetGear boxes, especially for their ease of programming for NAT and port forwarding. I was quite surprised when NetGear decided to exit that segment of the market, especially given the quality of their equipment.