FortiGate IP Pool Overload vs One-to-One: Decoding NAT Architecture Decisions

FortiGate IP pool overload versus one-to-one NAT modes explained: technical differences, use cases, and configuration guidance for network architects.

The Architecture Question Behind Every FortiGate Deployment

Network engineers configuring FortiGate firewalls routinely encounter a deceptively simple choice: select "Overload" or "One-to-One" when defining an IP pool for source NAT. The decision appears administrative, yet it carries profound implications for session scalability, application compatibility, and operational troubleshooting. This investigation examines the technical mechanics, deployment scenarios, and hidden constraints that separate these two NAT paradigms within FortiOS.

Core Technical Distinctions: Port Translation versus Direct Mapping

Overload Mode: Maximizing Address Efficiency Through PAT

Overload mode implements port address translation (PAT), enabling numerous private IP addresses to share a limited set of public addresses. Each outbound connection receives a unique source port assignment from the available range—typically ports 5117 through 65533, yielding approximately 60,416 usable ports per public IP address. The FortiGate dynamically allocates these ports across concurrent sessions, tracking each flow via the five-tuple: source IP, source port, destination IP, destination port, and protocol.

When an IP pool contains multiple public addresses, the device employs a deterministic wrap-around algorithm. The mapped external address derives from the source IP's decimal value modulo the pool size, ensuring consistent translation for a given internal host. This approach scales efficiently: a two-address overload pool theoretically supports over 120,000 simultaneous connections, constrained only by available ports and system resources.

One-to-One Mode: Dedicated Address Assignment Without PAT

One-to-one mode disables port translation entirely. Each internal IP address receives a fixed, exclusive mapping to a specific external address from the pool. If the pool defines addresses 203.0.113.10 through 203.0.113.12, only three internal hosts can utilize this pool simultaneously. The FortiGate assigns mappings sequentially: the lowest internal IP in the policy's source address object maps to the lowest external IP in the pool, incrementing upward.

This direct correspondence proves essential for applications requiring consistent source identity. Email servers, for instance, often face deliverability issues when outbound messages originate from an IP address mismatched with the domain's MX record. Anti-spam systems frequently flag such discrepancies. One-to-one NAT ensures the public-facing address aligns precisely with DNS expectations, eliminating a common vector for false-positive spam classification.

Configuration Nuances and Operational Considerations

Implementation Requirements

Configuring overload mode requires minimal specification; it is the default behavior when creating an IP pool. Administrators define the external address range and reference the pool within a firewall policy. One-to-one mode must be declared explicitly, with set type one-to-one under config firewall ippool in the CLI or the equivalent GUI selection.

Critical to predictable one-to-one operation: the source address object in the firewall policy must contain exactly the same number of internal IPs as the pool contains external addresses. A mismatch introduces ambiguity in mapping logic, potentially yielding unexpected translation behavior.

Mixed Pool Behavior in Single Policies

FortiOS permits assigning multiple IP pools—potentially mixing overload and one-to-one types—to a single firewall policy. The system processes pools sequentially: the first pool exhausts its available resources before the second engages. For overload pools, exhaustion occurs when all source ports across all addresses are allocated. For one-to-one pools, exhaustion happens when every external address has an assigned internal host.

This sequential consumption model enables tiered NAT strategies. An administrator might prioritize a dedicated one-to-one pool for critical servers, then fall back to an overload pool for general user traffic. However, the rigid ordering demands careful planning; misconfigured pool sequences can inadvertently starve high-priority services of address resources.
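To make the allocation rules above concrete, here is a small Python model of both pool types and of the sequential fallback between pools in one policy. It is an added illustration, not FortiOS code or anything published by Fortinet: it follows the page's description (external address chosen by source IP modulo pool size, lowest internal IP mapped to lowest external IP, first pool exhausted before the second engages), while the sequential port counter and the sample addresses are simplifying assumptions rather than the real FortiOS allocator.

```python
from ipaddress import IPv4Address

PORT_LOW, PORT_HIGH = 5117, 65533   # overload source-port range stated on the page

def _expand(start, end):
    """List every address from start to end inclusive (constructed helper)."""
    first, last = int(IPv4Address(start)), int(IPv4Address(end))
    return [IPv4Address(i) for i in range(first, last + 1)]

class OverloadPool:
    """Overload (PAT): external IP = source IP modulo pool size, one port per session."""
    def __init__(self, start, end):
        self.addrs = _expand(start, end)
        self.next_port = {a: PORT_LOW for a in self.addrs}  # simplified sequential port allocator

    def external_ip(self, src):
        return self.addrs[int(IPv4Address(src)) % len(self.addrs)]

    def allocate(self, src):
        ext = self.external_ip(src)
        port = self.next_port[ext]
        if port > PORT_HIGH:
            return None                      # this address has no free source port left
        self.next_port[ext] = port + 1
        return str(ext), port

class OneToOnePool:
    """One-to-one: fixed sequential mapping, no port translation."""
    def __init__(self, start, end, internal_hosts):
        self.addrs = _expand(start, end)
        if len(internal_hosts) != len(self.addrs):
            raise ValueError("source address object must match pool size exactly")
        ordered = sorted(internal_hosts, key=IPv4Address)   # lowest internal -> lowest external
        self.mapping = {src: ext for src, ext in zip(ordered, self.addrs)}

    def allocate(self, src):
        ext = self.mapping.get(src)
        return (str(ext), None) if ext else None   # None: host is not one of the mapped ones

def translate(pools, src):
    """Policy with several pools: the first pool that can serve the host wins."""
    for pool in pools:
        result = pool.allocate(src)
        if result is not None:
            return result
    return None   # every pool exhausted: the session cannot be NATed

if __name__ == "__main__":
    servers = OneToOnePool("203.0.113.10", "203.0.113.12", ["10.0.0.12", "10.0.0.10", "10.0.0.11"])
    users = OverloadPool("203.0.113.20", "203.0.113.21")
    for host in ("10.0.0.11", "10.0.0.5", "10.0.0.5", "10.0.0.4"):
        print(host, "->", translate([servers, users], host))
```

Running it shows the mapped servers always leaving through their dedicated addresses with no port, while general hosts land on a modulo-selected overload address and consume one new source port per session.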

Network Layer Dependencies

Using IP addresses not assigned to the FortiGate's physical interface introduces ARP considerations. Enabling the "ARP Reply" option forces the device to respond to ARP requests for pool addresses on any interface. While necessary for proper routing, this setting requires verification: unintended ARP responses can disrupt adjacent network segments or trigger security monitoring alerts.

ISP infrastructure presents another subtle constraint. Some providers bind public IP addresses to specific MAC addresses in their ARP tables. When a FortiGate presents multiple public IPs from a single MAC, connectivity may fail until the provider updates their tables. Troubleshooting such scenarios often requires coordination with the ISP's network operations team.

Performance and Scalability Implications

Overload mode maximizes address utilization but introduces port management overhead. Each session consumes a source port; high-connection-volume environments may exhaust available ports despite having unused public addresses. Monitoring session counts and port allocation becomes essential for capacity planning.

One-to-one mode eliminates port contention but sacrifices scalability. Each additional internal host requires a corresponding public address—a scarce and costly resource in many deployments. This mode suits targeted applications rather than broad user populations.

Neither mode inherently burdens CPU or memory disproportionately under typical loads. Performance divergence emerges primarily from session table growth: overload deployments generate more concurrent sessions per public address, potentially increasing state table size. Modern FortiGate hardware accelerates NAT operations via dedicated NP7 or NP6 processors, mitigating this concern for most enterprise workloads.

Frequently Asked Questions

When should I choose overload mode versus one-to-one for outbound NAT?
Select overload mode for general user internet access where address conservation matters. Choose one-to-one mode when specific applications—such as mail servers, licensing systems, or compliance-mandated services—require a consistent, dedicated public IP identity.

Can I mix overload and one-to-one pools in the same policy?
Yes, FortiOS supports multiple IP pools per policy. The system consumes resources from the first pool until exhaustion before utilizing the second. Plan pool order deliberately to ensure critical services receive priority address allocation.

Why does connectivity fail after configuring a new one-to-one IP pool?
Common causes include mismatched address object sizes (internal IPs must equal external pool addresses), missing ARP reply configuration for non-interface addresses, or ISP-level ARP binding issues. Verify pool-to-address-object alignment and coordinate with your provider if multiple public IPs share a single MAC address.

Does one-to-one mode improve application compatibility?
It can. Applications that embed source IP addresses in payloads, perform reverse DNS lookups, or enforce IP-based licensing often function more reliably with dedicated public addresses. Overload mode's port translation may interfere with such protocols, though most modern applications handle PAT transparently.

How does FortiGate determine which external IP to assign in an overload pool with multiple addresses?
The device calculates the mapped address using the source IP's decimal value modulo the pool size. This deterministic algorithm ensures consistent translation for a given internal host across sessions, simplifying troubleshooting and log correlation.