IPv4 outbound NAT: usecase for a non /32 translation target

Started by daudo, May 18, 2025, 11:20:46 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 18, 2025, 11:20:46 AM
Hi,

I am just refactoring a couple of our firewalls and doing so, I stumbled upon how outbound NAT has been configured so far.

Some of our outbound translation targets have x.x.x.x/32, whereas some have x.x.x.x/28 for example. Both settings work, apparently, and if I use dig to find out what IP address they are translated to, I get

- for a x.x.x.x/32 translation target:
$ dig +short myip.opendns.com @resolver1.opendns.com
x.x.x.x

- for a x.x.x.x/28 translation target:
$ dig +short myip.opendns.com @resolver1.opendns.com
x.x.x.0

So far so good, but I am confused: why would I ever specify anything else but a /32 host address as a translation target? What's the usecase for such a scenario?
May 18, 2025, 04:32:58 PM #1
If you have a public IPv4 subnet (like a /28) and not just a single address, you can balance outbound NAT connections across multiple addresses. That's especially useful if you have many clients.

The 'Pool Options' setting specifies how connections are balanced.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
May 18, 2025, 10:35:16 PM #2
thanks, this makes sense!
Print
Go Up Pages1
User actions