1:1 NAT with Firewalla

Comments

7 comments

  • Firewalla

    Have you looked at https://help.firewalla.com/hc/en-us/articles/360046703673-Firewalla-Feature-Guide-Network-Manager#h_01EDNZSTWSTDX9PA34NM2NQKJF?

    Firewalla does support multiple IPs on the WAN side and port-forwarding them to hosts inside of your network.

    There is also source NAT, supporting devices going out.

  • Norm Powroz

    I've gone through the documentation you referenced, and thanks for that pointer. However, in the section that discusses multiple IPs on the WAN side, there are two problems. One is that there is a limit of 5 IPs for a single WAN connection. That only incompletely supports a /29 subnet, but is totally inadequate for a /28. The second issue is that the document doesn't specifically show multiple ports being forwarded to different internal servers. The "Internal port" part of the document shows "Device -- Not set", so the example is incomplete, and therefore not really clear as to whether this is supported.

    I have no interest in source NAT, as my connection to my ISP doesn't support it. My modem has its own IP address, and all outbound traffic uses that address, regardless of which of my internal servers sent the packet. It causes a little confusion in configuring some protocols such as MX connections, but it all works in the end. 

  • Firewalla

    How many IPs do you need to be forwarded? The 5 is not based on subnet; it is based on either memory or CPU.

    As for "multiple ports being forwarded to different internal servers": you can tap on the device "Not set" to change the internal device; that part is just the UI saying you haven't selected anything.

  • Norm Powroz

    I currently have 13 IPs being forwarded to various servers behind my firewall, and another 5 or 6 that are not currently in use, but could be assigned on short notice. There is a mix of ports being forwarded, including HTTP/HTTPS to several servers, SSH (to a couple of Linux servers), SMTP to different e-mail servers, various database protocols (1433 to SQL, 3306 to Oracle, plus MySQL/MariaDB), and FTP (with support for passive FTP). I even run RDP to a couple of virtual desktops so that clients can demo some of the software under development. This last category changes frequently as various test machines get put up or taken down.

  • Norm Powroz

    Things have been very quiet here since my last post. I think it kind of brings us back to the original question I raised -- given my configuration, what model of Firewalla should I be looking at, or should I be looking elsewhere for a solution?

  • Support Team

    Sorry for the confusion in the example UI. You can set the device to any local device, so port forwarding from a certain WAN IP to your internal servers could work as you wish. Additionally, you can specify which sources (e.g., IP/IP Range/Region) are allowed to access the port from outside. 

    As for the /28 subnet, the Gold models currently support only up to 5 additional WAN IPs, while Gold Pro (now in pre-order) supports 1 + 10 additional WAN IPs. We may potentially increase the limit, but as mentioned above, it depends on the device's CPU/memory. May I know which Netgear model you are using? 

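    What the Support Team describes above (a specific WAN IP forwarded to a chosen internal device, optionally limited to an allow-list of outside sources, plus the per-model cap on additional WAN IPs) is ordinary 1:1 / port-forward NAT. As an added example that is not Firewalla's code and not part of this thread, the POSIX shell script below generates the equivalent nftables ruleset from a small mapping table, and counts how many distinct public IPs that table needs so it can be compared against the 5 or 10 additional WAN IPs mentioned in the thread. The interface name, the 203.0.113.0/28 block, the 192.168.10.0/24 hosts and the 198.51.100.0/24 allow-list are all hypothetical, and the script assumes those public addresses are routed to or configured on the WAN interface.

```shell
#!/bin/sh
# Added example, not Firewalla's code: build an nftables ruleset that does
# the 1:1 NAT discussed in the thread (several public WAN IPs, each forwarded
# to a different internal server, with optional per-rule source allow-lists).
# Interface name, public block and internal addresses are all hypothetical
# and assume the public addresses are routed to or configured on WAN_IF.

WAN_IF=eth0

# Constructed mapping table, one rule per line:
#   public_ip proto dport internal_ip internal_port allowed_sources
# proto/dport "any" = forward every port (full 1:1); allowed_sources is a
# comma-separated list of CIDRs or "any".
MAPPINGS='
203.0.113.17 tcp 443 192.168.10.21 443 any
203.0.113.17 tcp 22  192.168.10.21 22  198.51.100.0/24
203.0.113.18 tcp 25  192.168.10.30 25  any
203.0.113.19 any any 192.168.10.40 any any
'

# Number of distinct public IPs the table needs; compare this against the
# per-model WAN IP limit mentioned in the thread before committing to a box.
count_public_ips() {
  printf '%s\n' "$MAPPINGS" | awk 'NF && !seen[$1]++ { n++ } END { print n + 0 }'
}

# Inbound: one DNAT rule per mapping line, restricted to the allowed sources.
gen_dnat() {
  printf '%s\n' "$MAPPINGS" | while read -r pub proto dport int iport src; do
    [ -n "$pub" ] || continue
    rule="iif \"$WAN_IF\" ip daddr $pub"
    if [ "$src" != any ]; then
      rule="$rule ip saddr { $src }"        # anonymous set of allowed sources
    fi
    if [ "$proto" = any ]; then
      rule="$rule dnat to $int"             # every port: full 1:1 mapping
    else
      rule="$rule $proto dport $dport dnat to $int:$iport"
    fi
    printf '    %s\n' "$rule"
  done
}

# Outbound: make each internal server leave with "its" public IP so the
# mapping is symmetric (one SNAT rule per distinct internal/public pair).
gen_snat() {
  printf '%s\n' "$MAPPINGS" | awk 'NF { print $4, $1 }' | sort -u |
  while read -r int pub; do
    printf '    oif "%s" ip saddr %s snat to %s\n' "$WAN_IF" "$int" "$pub"
  done
}

# Complete nat table; save the output to a file and load it with: nft -f FILE
gen_ruleset() {
  echo 'table ip nat {'
  echo '  chain prerouting {'
  echo '    type nat hook prerouting priority -100; policy accept;'
  gen_dnat
  echo '  }'
  echo '  chain postrouting {'
  echo '    type nat hook postrouting priority 100; policy accept;'
  gen_snat
  echo '  }'
  echo '}'
}

gen_ruleset
```

    Two practical caveats for a table like the one in the thread: the DNAT rules only translate addresses, so a filter chain still has to accept the forwarded traffic, and port-forwarded passive FTP additionally needs the kernel's FTP connection-tracking helper (or a fixed passive port range forwarded alongside port 21), because the data connection port is negotiated inside the control session. Outbound SNAT rules are only useful when the upstream actually routes the extra public IPs to the firewall, which is the limitation Norm describes with his modem.
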
  • Norm Powroz

    Right at the moment I'm running the NETGEAR ProSafe VPN Firewall FVS338. I also have the FVS336 and I occasionally swap the two around, mainly if I am making substantial changes to the configuration. I can re-program one off-line then swap them quickly, which minimizes any downtime, and limits the scope of any mistake I might make. It means I also always have a ready backup in case of failure.

    I very much like the NetGear boxes, especially for their ease of programming for NAT and port forwarding. I was quite surprised when NetGear decided to exit that segment of the market, especially given the quality of their equipment.
