
Topic: How to handle dynamic public ip when configuring 1:1 nat?


maus
How to handle dynamic public ip when configuring 1:1 nat?
« on: January 13, 2018, 08:09:59 am »
My ISP supports up to 5 PPPoE connections at the same time and I could get 5 public IP addresses. My network is like this:

pfSense
----Wan1:PPPoe,public ip1;
----Wan2:PPPoe,public ip2;
----Wan3:PPPoe,public ip3;
----Wan4:PPPoe,public ip4;
----Wan5:PPPoe,public ip5;

----Lan (10.0.0.1/24)---- Switch----other devices.

Now I'd like to set up 1:1 NAT between PC1 (10.0.0.21/24) and public ip2 so that PC1 gets a full-cone NAT type. I have almost got it to work except for one thing: the public IP addresses obtained via PPPoE are DYNAMIC and change periodically. On the 1:1 NAT settings page, the External subnet IP can only be static, which means it has to be reconfigured whenever the public IP changes. Is there any workaround for this?

jimp
Re: How to handle dynamic public ip when configuring 1:1 nat?
« Reply #1 on: January 19, 2018, 02:00:49 pm »
You cannot use 1:1 NAT with dynamic addresses.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

maus
Re: How to handle dynamic public ip when configuring 1:1 nat?
« Reply #2 on: January 26, 2018, 02:55:48 am »
> You cannot use 1:1 NAT with dynamic addresses.

Thanks for the reply, jimp. I'm reading "pfSense: The Definitive Guide" these days and now I know 1:1 NAT only works with static addresses. But what if we think about it in a different way? Like running a cron script to detect the public IP addresses of the WAN ports to see if they have changed and auto-refresh the NAT rules. The problem is that pfSense has always stressed that all configuration can be done in the web UI, and very little documentation covers CLI configuration. Are there any docs about it?

dwasifar
Re: How to handle dynamic public ip when configuring 1:1 nat?
« Reply #3 on: February 01, 2018, 12:34:08 pm »
>> You cannot use 1:1 NAT with dynamic addresses.
> But what if we think about it in a different way? Like running a cron script to detect the public IP addresses of the WAN ports to see if they have changed and auto-refresh the NAT rules. The problem is that pfSense has always stressed that all configuration can be done in the web UI, and very little documentation covers CLI configuration. Are there any docs about it?

You couldn't run that cron job frequently enough.  Even if you set the script to run every five minutes, your connections would still be down an average of 2.5 minutes if the dynamic IP changed.  And who knows what would happen to existing user sessions when that script changed the config on the fly. 

Can't your ISP provide static IPs?

jimp
Re: How to handle dynamic public ip when configuring 1:1 nat?
« Reply #4 on: February 01, 2018, 01:14:31 pm »
Or use specific port forwards and outbound NAT.

1:1 NAT is just a shortcut that makes port forwards for all ports and outbound NAT for the address internally in pf.

Ignore 1:1 NAT for dynamics. It's not possible and more trouble than it's worth.
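The split described in the reply above, written out as raw pf rules; this is an added illustration, not part of the original thread and not the rule set pfSense itself generates. Assumptions: `pppoe1` as the WAN2 interface name, 198.51.100.2 as a documentation-range placeholder for public ip2, and UDP port 27015 as a constructed forwarded port.

```pf
# Assumed names (not from the thread): pppoe1 = WAN2 PPPoE interface,
# 198.51.100.2 = placeholder for "public ip2", 27015/udp = sample port.
ext_if = "pppoe1"
pc1    = "10.0.0.21"

# What 1:1 NAT amounts to: a bidirectional mapping pinned to a literal
# external address, so it goes stale when the PPPoE address changes.
# binat on $ext_if from $pc1 to any -> 198.51.100.2

# Outbound NAT for PC1 only. ($ext_if) in parentheses makes pf follow the
# interface's current address; static-port keeps PC1's source port unchanged.
nat on $ext_if from $pc1 to any -> ($ext_if) static-port

# One specific port forward, matched against the interface's current address.
rdr on $ext_if proto udp from any to ($ext_if) port 27015 -> $pc1

# rdr only rewrites the destination; the inbound flow still needs a pass rule.
# Only this port is translated and passed, whereas a 1:1 mapping translates
# every port to PC1.
pass in on $ext_if inet proto udp from any to $pc1 port 27015 keep state
```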

maus
Re: How to handle dynamic public ip when configuring 1:1 nat?
« Reply #5 on: February 02, 2018, 07:03:38 am »
>>> You cannot use 1:1 NAT with dynamic addresses.
>> But what if we think about it in a different way? Like running a cron script to detect the public IP addresses of the WAN ports to see if they have changed and auto-refresh the NAT rules. The problem is that pfSense has always stressed that all configuration can be done in the web UI, and very little documentation covers CLI configuration. Are there any docs about it?
>
> You couldn't run that cron job frequently enough. Even if you set the script to run every five minutes, your connections would still be down an average of 2.5 minutes if the dynamic IP changed. And who knows what would happen to existing user sessions when that script changed the config on the fly.
>
> Can't your ISP provide static IPs?

My ISP only provides static IPs in an expensive enterprise plan, which is not a good deal for my family use. On the other hand, my IPs refresh exactly every 96 hours, long enough to treat them as "static" if we could auto-refresh the NAT rules wisely and minimize the impact of temporarily dropped connections. That's why I'm looking for a workaround here.