1 : 1 NAT in pfSense and DD-WRT

Sometimes you need to map an internal machine's IP address to a real, public IP address reachable from the Internet. As on the diagram, when someone makes a request to the public IP, the request is sent on to the internal machine.

On DD-WRT you can use DMZ. This service is a pseudo-DMZ, more commonly known outside of SoHo routers as an "exposed host".

To set it up, enter the NAT / QoS section, select the DMZ subsection, and enter your internal IP. For more information read here.

Be warned that exposing all ports of a machine to the Internet is very insecure, and even worse if the machine does not have some kind of firewall of its own.

In pfSense, the alternative is to use a Virtual IP (VIP) and 1:1 NAT.

You can't do that in 1.2.3 if you have only one WAN IP; if you try, an error message appears: "The WAN IP address may not be used in a 1:1 rule". The alternative is a port forward, which is much preferable anyway, especially if you don't need all ports exposed.

So first you must add your additional WAN IP in the Virtual IP section.

For Type you can choose between Proxy ARP and CARP; for a detailed explanation of the difference, check out here.

Then create a 1 : 1 NAT rule

Nothing special in the configuration, just enter your internal and external IPs and a description for the rule.

You must also make a firewall rule for all this to work. Enter the internal LAN IP address as the destination: NAT is applied before filtering, so by the time the rule is evaluated the packet is already addressed to the LAN host.

On pfSense 2.0 RC1, apart from the huge number of new options, the only difference is the new entry in the Virtual IP type selection: IP Alias, which works fine in this setup. The other good news is that even if you have only one WAN IP address, you can use it in such a setup. The bad news is that if you do, you can't use your WAN IP for anything else: all ports on the WAN IP are mapped to the machine on the LAN.

Alright, so far this was the case if you need to publish only one IP, but if you need to do this for multiple machines and have more than one WAN IP address, the procedure is a little different.

On pfSense you just repeat the procedure as many times as you need.

On DD-WRT you can add some iptables rules.

Add these lines to the Startup script:


ifconfig $WANIF:1 <second WAN IP> netmask <netmask> broadcast <broadcast address>

This adds the extra WAN IP to the WAN interface as an alias. The values in angle brackets are placeholders for the addresses omitted on the page, and $WANIF must hold the name of the WAN interface (for example vlan2 or ppp0, depending on the router).

Add these lines to the Firewall script:

iptables -t nat -I PREROUTING -d <WAN IP> -j DNAT --to-destination <LAN IP>

iptables -t nat -I POSTROUTING -s <LAN IP> -p all -j SNAT --to-source <WAN IP>

iptables -I FORWARD -d <LAN IP> -p all -j ACCEPT

Here <WAN IP> is the public address and <LAN IP> is the internal address. The first rule rewrites the destination of incoming packets, the second makes the LAN host's outgoing traffic leave with its own public address instead of the router's primary WAN IP, and the third lets the forwarded packets through. Note that the FORWARD rule matches on the LAN IP: the DNAT in PREROUTING has already rewritten the destination by the time the packet reaches the FORWARD chain. "--dport all" is not valid iptables syntax; with -p all the rule simply accepts every port, which is the point of a 1:1 mapping. Using -I rather than -A puts the rules in front of DD-WRT's own default-deny rules.

Add these lines for as many IPs as you have / need. More on the topic here.
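To avoid hand-editing the three rules per address, the following script generates the Startup and Firewall lines for a whole table of WAN IP to LAN IP mappings. It is an added example, not code from the original post or from DD-WRT; the addresses (198.51.100.0/24 and 192.168.1.0/24) and the interface name vlan2 are constructed assumptions. It also goes one step beyond the post: a mapping whose port field is a TCP port list produces the per-port forward the post recommends instead of the fully exposed host.

```shell
#!/bin/sh
# Generate DD-WRT Startup and Firewall script lines for several 1:1 mappings.
# Added example; constructed addresses (RFC 5737 / RFC 1918), not from the post.
# Each mapping line: "<alias index> <WAN IP> <LAN IP> <'all' or TCP ports>"
MAPPINGS="1 198.51.100.11 192.168.1.11 all
2 198.51.100.12 192.168.1.12 22,443"

WANIF="${WANIF:-vlan2}"        # assumed WAN interface name; set to match the router
NETMASK=255.255.255.0          # assumed netmask of the extra WAN addresses
BCAST=198.51.100.255           # assumed broadcast address of that block

# Startup script: one interface alias per extra WAN IP.
gen_startup() {
    printf '%s\n' "$MAPPINGS" | while read -r idx wan lan ports; do
        [ -n "$idx" ] || continue
        echo "ifconfig $WANIF:$idx $wan netmask $NETMASK broadcast $BCAST"
    done
}

# Firewall script: "all" reproduces the exposed-host 1:1 NAT from the post;
# a port list yields the narrower per-port forward instead.
gen_firewall() {
    printf '%s\n' "$MAPPINGS" | while read -r idx wan lan ports; do
        [ -n "$idx" ] || continue
        if [ "$ports" = all ]; then
            # Every port on the public address lands on the LAN host.
            echo "iptables -t nat -I PREROUTING -i $WANIF -d $wan -j DNAT --to-destination $lan"
            echo "iptables -I FORWARD -i $WANIF -d $lan -j ACCEPT"
        else
            # Only the listed TCP ports are forwarded; everything else stays closed.
            for p in $(echo "$ports" | tr ',' ' '); do
                echo "iptables -t nat -I PREROUTING -i $WANIF -d $wan -p tcp --dport $p -j DNAT --to-destination $lan"
                echo "iptables -I FORWARD -i $WANIF -d $lan -p tcp --dport $p -j ACCEPT"
            done
        fi
        # Either way, replies and outbound traffic from the host leave with its own public IP.
        echo "iptables -t nat -I POSTROUTING -o $WANIF -s $lan -j SNAT --to-source $wan"
    done
}

# Print both sets: paste the first into Startup, the second into Firewall.
echo "# Startup script"
gen_startup
echo "# Firewall script"
gen_firewall
```

The script only prints the rules; review the output, then paste it into the two DD-WRT script boxes. Because every rule is inserted with -I, the lines end up in reverse order in the live chains, which does not matter here since each rule matches a distinct address or port.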

In conclusion, this is a very quick and dirty way to publish an internal machine to the Internet; bear in mind that this host is fully exposed to anybody on the Internet. I personally don't recommend this way of publishing, but if the need arises you can consider it an option. In future posts I will try to present smarter and safer ways to publish services.

Comments (3)

  1. 11:16 am, 23/04/2011mfq  / Reply

    1:1 NAT for 2.0RC1 does not work!

  2. 12:49 pm, 23/04/2011Stefan  / Reply

    Hi, yes it does, did you reboot the pfSense after you configured it?
    I've just verified it in my lab. After reboot it is OK.

  3. 11:04 pm, 14/01/2012dental marketing  / Reply

    Really interesting articles. I enjoyed reading it.
