 From:  Michael Brown <knightmb at knightmb dot dyndns dot org>
 To:  M0n0wall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] 1:1 or Server Nat
 Date:  Mon, 25 Sep 2006 21:12:09 -0500
Well basically with 1:1 NAT, all ports are basically auto-forwarded to 
the machine on the LAN and you decide which ports through the firewall 
rules will be "allowed", but with Server NAT, you have to assign which 
ports are forwarded to which machine and what firewall rules will allow 
those ports through.  The advantage of Server NAT is that you can assign 
one WAN address across multiple machines, but 1:1 NAT can only be 
assigned to one machine.  I use a combination of both: I use 1:1 for a 
game server and Server NAT for my web, e-mail, and fax servers 
because it's 3 different machines, but I didn't want to use 3 WAN 
addresses for them.

Hopefully that will help you decide which is best for you to use.

Thanks,
Michael



Neil Schneider wrote:
> I'm configuring a multi-homed M0n0wall and I've gotten myself confused
> about which NAT to use. Here's an excerpt from config.xml that might
> help.
>
> <servernat>
>         <ipaddr>3.2.1.27</ipaddr>
>         <descr>mumble</descr>
> </servernat>
>
> <rule>
>         <external-address>3.2.1.27</external-address>
>         <protocol>tcp</protocol>
>         <external-port>22</external-port>
>         <target>1.2.3.102</target>
>         <local-port>22</local-port>
>         <interface>wan</interface>
>         <descr>SSH to Debian</descr>
> </rule>
> <rule>
>         <external-address>3.2.1.27</external-address>
>         <protocol>tcp</protocol>
>         <external-port>2004</external-port>
>         <target>1.2.3.223</target>
>         <local-port>2004</local-port>
>         <interface>wan</interface>
>         <descr/>
> </rule>
> <rule>
>         <external-address>3.2.1.27</external-address>
>         <protocol>tcp</protocol>
>         <external-port>7650</external-port>
>         <target>1.2.3.223</target>
>         <local-port>7650</local-port>
>         <descr/>
> </rule>
>
> To summarize I have one IP address set to SERVERNAT and different
> ports forwarded to different machines.
>
> I also have another IP address 1:1 NAT to a machine in the DMZ. The
> XML configuration for ports doesn't ask for or include external IP
> addresses, so a rule looks like this.
>
> <rule>
>         <protocol>tcp</protocol>
>         <external-port>20</external-port>
>         <target>172.16.0.10</target>
>         <local-port>20</local-port>
>         <interface>wan</interface>
>         <descr>FTP data</descr>
> </rule>
>
> I understand, obviously incorrectly, that 1:1 NAT is for cases where
> every connection will go to a single host internally and ServerNAT
> will establish a single IP on the external interface that can be
> connected to different internal IPs according to the ports assigned in
> rules.
>
> I have proxy-arp turned on for the ServerNAT addresses, but not the
> 1:1 NAT addresses.
>
> Things don't work as I expect, including the inability to access the
> machine above at 3.2.1.27 or private IP 1.2.3.102 through SSH.
>
> Thanks in advance for any insights or corrections.
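Added here as a worked example, not code from the thread or from m0n0wall itself: a small Python lint that reads a `<nat>` section in the shape of the config.xml excerpt quoted above and flags the mistakes that follow from Michael's explanation, namely a port forward whose external address is not a Server NAT address, a forward on a 1:1 NAT address that points at a host other than the 1:1 target (1:1 already forwards every port), two rules claiming the same external address/protocol/port, and a rule with no `<interface>`. The `<servernat>` and `<rule>` element names come from the quoted config; the `<onetoone>` element with `<external>`/`<internal>` children for 1:1 NAT, and all sample addresses, are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed config.xml fragment modelled on the excerpt quoted in the thread.
# <servernat> and <rule> come from that excerpt; the <onetoone> element with
# <external>/<internal> children for 1:1 NAT is an assumption, as are the IPs.
SAMPLE_NAT = """<nat>
  <onetoone><external>3.2.1.28</external><internal>172.16.0.10</internal></onetoone>
  <servernat><ipaddr>3.2.1.27</ipaddr><descr>mumble</descr></servernat>
  <rule><external-address>3.2.1.27</external-address><protocol>tcp</protocol>
    <external-port>22</external-port><target>1.2.3.102</target><local-port>22</local-port>
    <interface>wan</interface><descr>SSH to Debian</descr></rule>
  <rule><external-address>3.2.1.27</external-address><protocol>tcp</protocol>
    <external-port>7650</external-port><target>1.2.3.223</target><local-port>7650</local-port>
    <descr/></rule>
  <rule><external-address>3.2.1.27</external-address><protocol>tcp</protocol>
    <external-port>22</external-port><target>1.2.3.223</target><local-port>22</local-port>
    <interface>wan</interface><descr/></rule>
  <rule><external-address>3.2.1.28</external-address><protocol>tcp</protocol>
    <external-port>80</external-port><target>172.16.0.11</target><local-port>80</local-port>
    <interface>wan</interface><descr/></rule>
</nat>"""

def lint_nat(xml_text):
    """Return a list of findings (strings) for a m0n0wall <nat> section."""
    nat = ET.fromstring(xml_text)
    servernat = {e.findtext("ipaddr") for e in nat.findall("servernat")}
    onetoone = {e.findtext("external"): e.findtext("internal")
                for e in nat.findall("onetoone")}
    findings = []
    # One WAN address cannot be both a Server NAT address and a 1:1 mapping.
    for addr in sorted(servernat & set(onetoone)):
        findings.append(f"{addr}: declared as both Server NAT and 1:1 NAT")
    seen = Counter()
    for n, rule in enumerate(nat.findall("rule"), 1):
        ext = rule.findtext("external-address")  # None = interface address
        key = (ext, rule.findtext("protocol"), rule.findtext("external-port"))
        seen[key] += 1
        if seen[key] > 1:
            findings.append(f"rule {n}: duplicate forward for {key}")
        if rule.find("interface") is None:
            findings.append(f"rule {n}: missing <interface>")
        if ext is not None and ext not in servernat and ext not in onetoone:
            findings.append(f"rule {n}: {ext} is not a Server NAT address")
        # 1:1 NAT already forwards every port to its internal host, so a port
        # forward on that address that points at another host is a conflict.
        if ext in onetoone and rule.findtext("target") != onetoone[ext]:
            findings.append(f"rule {n}: {ext} is 1:1 mapped to {onetoone[ext]}, "
                            f"not {rule.findtext('target')}")
    return findings
```

Running `lint_nat(SAMPLE_NAT)` reports the rule without an `<interface>`, the second rule for port 22 on 3.2.1.27, and the port-80 forward that disagrees with the 1:1 mapping of 3.2.1.28.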