Netgate Discussion Forum

Difference between NAT and Rules! Am going Crazy

Firewalling
14 Posts 4 Posters 7.6k Views
    techtra
    last edited by May 4, 2009, 3:08 PM

    Hello guys, I am a new pfSense user. I love it very much; however, it seems like you have to set up a firewall rule for each NAT rule you have? I added a second extension to make it my WiFi subnet. I can't get it to work.
    Thanks

      GruensFroeschli
      last edited by May 4, 2009, 3:17 PM

      Please rephrase your question.
      First you're talking about rules, then about wifi.

      What is your setup? What are you trying to achieve in the end?

      Yes NAT has different rules than the firewall.
      They are actually two entirely different things.
      One changes in frames passing through the firewall the source/destination, and the other controls which frames are allowed.
      There is the checkbox: "autocreate firewall rule" when you create a new NAT rule.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        Bern
        last edited by May 4, 2009, 3:45 PM

        I'd agree with GruensFroeschli;

        Inbound NAT controls the "port forwarding"
        Inbound rules govern that use of the forwarded port.

        You can have NAT without a rule (e.g. for a public HTML server in your DMZ).

        You can have rules without NAT (e.g. controlling where ping is allowed from).

        Typically you will combine the two.

        Note that the rules apply to the result of forwarding, so if you have a public IP address of "a.b.c.d" and a rule that forwards incoming a.b.c.d:8080 to 192.168.1.2:80, your corresponding rule will apply to 192.168.1.2:80, not a.b.c.d:8080.

        I think once you've made the mental separation in your head, you'll see that this is the right way of doing it.

        As GruensFroeschli says, you can auto-create the rule when creating the NAT entry.

        1 Reply Last reply Reply Quote 0
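
Added example, not part of any post above and not pfSense code: a toy Python model of the inbound order Bern describes, where the port forward rewrites the destination first and the filter rule is then matched against the rewritten packet, with anything unmatched blocked. The class and function names are hypothetical, and 203.0.113.10 is a constructed stand-in for the public address "a.b.c.d".

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class PortForward:            # one inbound NAT (port forward) entry
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class PassRule:               # one "pass" filter rule on the WAN interface
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

def translate(pkt, forwards):
    """Rewrite the destination if a port forward matches; otherwise unchanged."""
    for f in forwards:
        if (pkt.dst_ip, pkt.dst_port, pkt.proto) == (f.ext_ip, f.ext_port, f.proto):
            return replace(pkt, dst_ip=f.int_ip, dst_port=f.int_port)
    return pkt

def inbound(pkt, forwards, rules):
    """Return (verdict, packet as the filter saw it)."""
    seen = translate(pkt, forwards)              # NAT happens before filtering
    allowed = any((seen.dst_ip, seen.dst_port, seen.proto) ==
                  (r.dst_ip, r.dst_port, r.proto) for r in rules)
    return ("pass" if allowed else "block"), seen    # no match: default deny

WAN_IP = "203.0.113.10"       # constructed stand-in for the public "a.b.c.d"
FORWARDS = [PortForward(WAN_IP, 8080, "192.168.1.2", 80)]
RULE_ON_INTERNAL = [PassRule("192.168.1.2", 80)]     # written against the forward target
RULE_ON_PUBLIC = [PassRule(WAN_IP, 8080)]            # written against the public side

if __name__ == "__main__":
    pkt = Packet(WAN_IP, 8080)
    print(inbound(pkt, FORWARDS, RULE_ON_INTERNAL))  # rule matches the translated packet
    print(inbound(pkt, FORWARDS, RULE_ON_PUBLIC))    # rule never matches after translation
```
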
          techtra
          last edited by May 5, 2009, 8:28 PM

          OK, my other question is how can I add a computer into a DMZ zone? Opening all ports for testing purposes. There is no such thing as all ports! I see I have to open each individual port.
          And my MSN video capability can't seem to work; this is why I wanted to try this DMZ zone.

          thanks

            GruensFroeschli
            last edited by May 5, 2009, 9:19 PM

            Forget about terms like "DMZ-zone".
            pfSense is a real firewall and not a cheap soho router you can get off the shelf in the market at your corner.

            I assume you don't have multiple public IPs and thus cannot make use of 1:1 NAT.

            If you want to forward multiple ports you can:
            a: forward a range. Simply set the "External port range: from" and the "External port range: to"
            b: use aliases. You can insert in all fields with a red background the name of an alias you created. An alias can contain multiple single ports and ranges.

              Eugene
              last edited by May 7, 2009, 12:26 AM

              @GruensFroeschli:

              You can insert in all fields with a red background the name of an alias you created. An alias can contain multiple single ports and ranges.

              Forgive me my ignorance - how do I create an alias for a port range or multiple single ports???
              In Aliases I have only hosts/networks options (pfSense-1.2)
              Thanks.

              http://ru.doc.pfsense.org

                GruensFroeschli
                last edited by May 7, 2009, 1:16 AM

                Is the note really that hard to find?

                Enter as many ports as you wish. Port ranges can be expressed by separating with a colon.

                Just press the + button to add multiple single ports/ranges.

                  Eugene
                  last edited by May 7, 2009, 1:44 AM

                  @GruensFroeschli:

                  Is the note really that hard to find?

                  Enter as many ports as you wish. Port ranges can be expressed by separating with a colon.

                  Just press the + button to add multiple single ports/ranges.

                  Sorry again, but maybe it would not be really hard to find if I knew where to search.
                  I do not have these words either in Firewall->Aliases->Add new or in Firewall->Rules->Add new…
                  I understand that I look stupid but I was searching for this feature long time ago and could not find it. And I would be happy to use this functionality of pfSense. Please - where?

                    GruensFroeschli
                    last edited by May 7, 2009, 8:58 AM

                    What version are you running?
                    Maybe it's time to update :D

                    It's under Firewall->Aliases->Add
                    See the attached screenshot :)

                    Screenshot.png

                      Eugene
                      last edited by May 7, 2009, 12:28 PM

                      Confirmed - I am stupid.
                      Thank you very much.

                        techtra
                        last edited by May 7, 2009, 3:58 PM

                        OK, pfSense blocks video ability for my network. So I can only forward the port to only 1 PC? It's annoying because I have 3 different computers that I might want to chat and do video conference with. Any advice?
                        Thanks

                          GruensFroeschli
                          last edited by May 7, 2009, 4:27 PM

                          If you think forwarding ports only to one PC is only a limitation of pfSense, find me any NAT-capable device that is capable of forwarding frames to multiple PCs.
                          And then I'd like to see the mess your network ends in :p

                          Your options are to enable upnp, or configure your clients with different ports.

                            techtra
                            last edited by May 7, 2009, 4:41 PM

                            OK thanks, I never said it's a pfSense limitation. Can you guide me with the UPnP a little bit?
                            thanks

                              GruensFroeschli
                              last edited by May 8, 2009, 6:29 AM

                              Your software has to support upnp as well.
                              If it does:
                              Just enable it and you're good.
