NAT: how private VMs reach the world
The VMs live on a private range that isn't routable on the internet. They still need to fetch packages, pull container images, and so on. pfSense handles that with outbound NAT: as a VM's traffic leaves for the internet, pfSense rewrites the source to its own public address and tracks the connection so replies find their way back.
VM 10.100.100.7 --(src rewritten to public addr)--> pfSense --> internet
VM 10.100.100.7 <--(reply mapped back to VM)----- pfSense <-- internet
Inbound is the opposite story: by default, nothing from the internet can initiate a connection to a private VM. The only things deliberately exposed are the HTTPS front door (handled by HAProxy) and SSH to the jump host. Everything else is unreachable from outside, which is exactly what you want.
Why we use this: NAT plus default-deny inbound is the cheapest, most reliable security posture there is — things are private unless you explicitly, knowingly publish them. You add exposure one deliberate rule at a time, rather than starting open and trying to close holes.
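To make the two halves of that posture concrete, here is a small Python model of what the firewall is doing: a state table for outbound NAT, replies matched back to the VM that opened the connection, unsolicited inbound traffic dropped, and only explicitly published ports forwarded. This is an added illustration, not pfSense or pf code; the public address (203.0.113.10), the remote hosts, and the VM addresses assumed for HAProxy (10.100.100.5) and the jump host (10.100.100.2) are all constructed.

```python
"""Toy model of pfSense's behaviour for the VM range: outbound NAT with
connection tracking, default-deny inbound, explicit port forwards.
Added example; all addresses below are constructed (RFC 5737 test ranges)."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"       # constructed stand-in for pfSense's WAN address
PRIVATE_PREFIX = "10.100.100."   # the VM range from the article


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatFirewall:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # deliberate publications: (proto, public port) -> (private ip, private port)
        self.port_forwards: dict = {}
        # outbound state: (proto, public port, remote ip, remote port) -> (vm ip, vm port)
        self.states: dict = {}
        self._next_port = 40000

    def publish(self, proto: str, public_port: int, private_ip: str, private_port: int):
        """One explicit inbound rule, e.g. HTTPS to HAProxy or SSH to the jump host."""
        self.port_forwards[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """VM -> internet: rewrite the source to the public address and record state."""
        if not pkt.src_ip.startswith(PRIVATE_PREFIX):
            raise ValueError("outbound NAT only applies to the VM range")
        # reuse the existing mapping if this flow is already tracked
        for (proto, pub_port, rip, rport), (vip, vport) in self.states.items():
            if (proto, rip, rport, vip, vport) == (
                pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port
            ):
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self._next_port
        self._next_port += 1
        self.states[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> WAN. Returns the translated packet, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None  # private addresses are not reachable from outside at all
        # 1. reply to a tracked outbound flow: the full 4-tuple must match the state
        st = self.states.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if st is not None:
            return Packet(pkt.src_ip, pkt.src_port, st[0], st[1], pkt.proto)
        # 2. explicitly published service: port forward to the internal host
        fwd = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        # 3. everything else: default deny
        return None


def demo() -> dict:
    """Walk through the cases from the article and return the outcomes."""
    fw = NatFirewall(PUBLIC_IP)
    fw.publish("tcp", 443, "10.100.100.5", 443)  # HAProxy front door (assumed VM address)
    fw.publish("tcp", 22, "10.100.100.2", 22)    # jump host (assumed VM address)

    # a VM fetching packages from a mirror (constructed remote address)
    out = fw.outbound(Packet("10.100.100.7", 51234, "198.51.100.20", 443))
    repeat = fw.outbound(Packet("10.100.100.7", 51234, "198.51.100.20", 443))
    reply = fw.inbound(Packet("198.51.100.20", 443, PUBLIC_IP, out.src_port))
    # a different host trying to ride the same public port: no matching state
    spoofed = fw.inbound(Packet("192.0.2.99", 443, PUBLIC_IP, out.src_port))
    return {
        "out": out,
        "repeat": repeat,
        "reply": reply,
        "spoofed": spoofed,
        "unsolicited": fw.inbound(Packet("192.0.2.99", 4444, PUBLIC_IP, 8080)),
        "https": fw.inbound(Packet("192.0.2.99", 4444, PUBLIC_IP, 443)),
        "direct_to_vm": fw.inbound(Packet("192.0.2.99", 4444, "10.100.100.7", 22)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:13} -> {pkt if pkt else 'dropped'}")
```

The detail worth noticing is the state lookup in `inbound`: a reply is only mapped back when the remote address and port match what the VM originally talked to, so an unrelated host hitting the same public port is dropped like any other unsolicited packet. The two `publish` calls are the only way anything inside becomes reachable, which is the "one deliberate rule at a time" model described above.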