Monitor NAT rules
-
Hi everyone. I configured pfSense to receive traffic to my firewall on a specific port from a specific public IP.
I created both a NAT rule and a firewall rule.
Everything is working (so the external traffic reaches me on an endpoint inside my network that is listening on that specific port).
What I don't understand is that if I go into the firewall rules I don't see the number of packets increasing in the rule I defined. And if I remove the NAT rule, the traffic continues to come to me.
How is it possible?
Is there a way to analyze traffic coming over the NAT?
I have already looked in Status --> System Logs (also using the filters on the source public IP or destination IP), but I can't find anything.
How is it possible?
Thank you -
@Shan-lapierre You have to reset the firewall state table if you want to see immediate results of your changes.
-
@Bob-Dig said in Monitor NAT rules:
@Shan-lapierre You have to reset the firewall state table if you want to see immediate results of your changes.
Hi, can you tell me how to do that?
In other cases I didn't need to reset anything to see the rule correctly matched.
Anyway, let me try. -
@Shan-lapierre said in Monitor NAT rules:
What I don't understand is that if I go into the firewall rules I don't see the number of packets increasing in the rule I defined.
This doesn't count packets. It just shows states and bytes.
And if I remove the NAT rule, the traffic continues to come to me.
As long as the connection persists, it can be used, even if the rule was already removed.
Resetting states can be done in Diagnostic > States
-
Hi, I figured it out.
The involved rule is the NAT one because it passes directly (because it is not associated to any rules).
Just a question.
If I try to link this NAT to a rule, I can only choose from "WAN" rules and not from "FLOATING" rules.
Is this a normal behaviour?
Regards
-
@Shan-lapierre
You configure the NAT rule on a certain interface. Why should it add a floating rule then? -
@viragomann Sorry for the probably dumb question. I was asking myself why I can link a NAT rule to a WAN rule and not to a floating rule.
That's all. Do NAT rules take precedence over floating rules?
Regards -
@Shan-lapierre said in Monitor NAT rules:
Do NAT rules take precedence over floating rules?
NAT rules do network address translation. Floating or normal firewall rules do firewalling.
NAT port forwarding is done before firewalling. See the docs: Firewall/NAT Processing Order Example
-
@Shan-lapierre said in Monitor NAT rules:
The involved rule is the NAT one because it passes directly (because it is not associated to any rules).
Really?
You want to make something that doesn't exist in the manual? When you create a NAT rule:
the needed "WAN" firewall rule will also be created (and is linked to the NAT rule).
At the bottom of the rule you can find this:
This is my NAT rule where I give access to two devices (servers, somewhere on the Internet, designated with the aliases SYS & VPS) to my internal (on LAN) NAS.
You could do this: edit the firewall rule that was created with the NAT rule:
and check "Log ...".
From now on, go here: the firewall log:
This:
also shows the packets passed, states etc.
-
@Gertjan said in Monitor NAT rules:
@Shan-lapierre said in Monitor NAT rules:
The involved rule is the NAT one because it passes directly (because it is not associated to any rules).
Really?
You want to make something that doesn't exist in the manual? When you create a NAT rule:
the needed "WAN" firewall rule will also be created (and is linked to the NAT rule).
At the bottom of the rule you can find this:
This is my NAT rule where I give access to two devices (servers, somewhere on the Internet, designated with the aliases SYS & VPS) to my internal (on LAN) NAS.
You could do this: edit the firewall rule that was created with the NAT rule:
and check "Log ...".
From now on, go here: the firewall log:
This:
also shows the packets passed, states etc.
Thank you for the reply.
Anyway, the manual says this: And in fact my NAT rule was created with the "Pass" flag and pf didn't create any fw rule.
-
@Shan-lapierre said in Monitor NAT rules:
And in fact my NAT rule was created with the "Pass" flag and pf didn't create any fw rule.
I'm still looking for a usage of that "Pass" case ^^
Normally, a NAT rule translates traffic coming (initiated) somewhere on 'the WAN' (the Internet), and the address (WAN IP) (and port) has to be mapped == translated (and port) to a LAN address, so it can reach this device.
This needs of course a WAN 'firewall' rule, as by default nothing can enter the WAN - everything is blocked by default.
A NAT rule without an accompanying firewall rule .... won't work, as traffic will never reach the NAT rule, as traffic cannot enter into the WAN interface. I'm not saying other types of NAT don't exist, they do.
From what I've read:
receive traffic to my firewall on a specific port from a specific public IP.
Everything is working (so the external traffic reaches me on an endpoint inside my network that is listening on that specific port).
you use the classic method, and you need an auto-generated firewall rule on the WAN interface.
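Added example, not from any post in this thread: the GUI counters that viragomann and Gertjan discuss are pf's own rule statistics, so the same check can be done from the pfSense shell with the verbose listings of `pfctl -vsn` (NAT rules) and `pfctl -vsr` (filter rules) and the state table from `pfctl -ss`. Everything below is constructed (interface name, addresses, ports, labels and counter values are made up); it parses a sample in pfctl's verbose layout rather than a live firewall.

```shell
#!/bin/sh
# Constructed sample in the layout of `pfctl -vsn` followed by `pfctl -vsr`.
# The first rule is what a port forward with filter association "Pass"
# produces (rdr pass): it carries its own counters and no filter rule exists
# for it, which is why no firewall-rule counter moves in the GUI.
SAMPLE='rdr pass on em0 inet proto tcp from 203.0.113.5 to 198.51.100.2 port = 8443 -> 192.168.1.10 port 8443
  [ Evaluations: 412       Packets: 9807      Bytes: 6224510     States: 2     ]
  [ Inserted: uid 0 pid 1 State Creations: 17    ]
pass in quick on em0 inet proto tcp from any to 192.168.1.20 port = 443 flags S/SA keep state label "USER_RULE: NAT web"
  [ Evaluations: 51        Packets: 3000      Bytes: 180000      States: 1     ]
  [ Inserted: uid 0 pid 1 State Creations: 3     ]
block drop in log on em0 inet all label "Default deny rule IPv4"
  [ Evaluations: 800       Packets: 800       Bytes: 40000       States: 0     ]
  [ Inserted: uid 0 pid 1 State Creations: 0     ]'

# rule_counters PATTERN: read a verbose pfctl rule listing on stdin and print
# "<packets> packets, <states> states, <creations> created: <rule>" for each
# rule whose text matches PATTERN (an awk regular expression).
rule_counters() {
    awk -v pat="$1" '
        /^[a-z]/             { rule = $0; want = (rule ~ pat) }
        want && /Packets:/   { pkts = $5; states = $9 }
        want && /Creations:/ {
            printf "%s packets, %s states, %s created: %s\n", pkts, states, $9, rule
        }'
}

# states_for_forward ORIG_DST:PORT: read `pfctl -ss` output on stdin and keep
# the states whose original (pre-translation) destination, which pfctl shows
# in parentheses, is the forwarded address: the connections using the NAT
# rule right now. These survive until they time out or are flushed
# (Diagnostics > States in the GUI), so removing the rule does not end them.
states_for_forward() {
    grep -F "($1)"
}

# Constructed `pfctl -ss` sample: two forwarded connections, one unrelated.
STATES='em0 tcp 192.168.1.10:8443 (198.51.100.2:8443) <- 203.0.113.5:51234       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.10:8443 (198.51.100.2:8443) <- 203.0.113.5:51240       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.20:443 <- 198.51.100.77:40000       ESTABLISHED:ESTABLISHED'

printf '%s\n' "$SAMPLE" | rule_counters 'rdr pass'
printf '%s\n' "$STATES" | states_for_forward 198.51.100.2:8443
```

On a real box replace the two samples with `pfctl -vsn; pfctl -vsr` and `pfctl -ss`; the packet counter on a rule only grows for packets that are evaluated against it, so an existing state keeps passing traffic without touching any rule.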