Netgate Discussion Forum

Multiple NAT

Category: NAT
6 Posts 2 Posters 2.4k Views
    hoopy_frood
    last edited by Jan 29, 2010, 11:38 AM

    Hi there,

    I'm testing pfSense, and using internal IPs and ports for firewall rules when using NAT really puzzles me.

    I am having difficulties doing the following: allowing access on different ports/IPs to the same internal host.

    Server in LAN, ex: 10.10.10.10, port 80.
    WAN interface with multiple IP addresses (Interface IP and virtual IP)

    I want to do the following:

    Interface IP, port 80 => 10.10.10.10:80
    Interface IP, port 8080 => 10.10.10.10:80
    Virtual IP, port 1234 => 10.10.10.10:80

    Is this even possible to do with pfSense?
    By using internal IPs and ports in the FW rules, I think pfSense simply can't do this, or can it?

    Is there even a reason for using the internal addresses in firewall rules?
    Other firewalls almost always do destination NAT after processing the FW rules. (Or at least have an option to do this.)

    Best regards,

    Hoopy Frood.

      GruensFroeschli
      last edited by Jan 29, 2010, 1:22 PM

      The scenario with multiple NAT rules should work.
      On pfSense the processing order is:
      NAT -> Firewall
      So basically for all the 3 NAT rules you need only one firewall rule.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        hoopy_frood
        last edited by Jan 29, 2010, 1:36 PM

        @GruensFroeschli:

        The scenario with multiple NAT rules should work.
        On pfSense the processing order is:
        NAT -> Firewall
        So basically for all the 3 NAT rules you need only one firewall rule.

        Hmm, I see.
        So, this basically means I need to have exactly the same access rules for all the external ports that are NATed?

        I interpret your answer as: I cannot make firewall rules that limit the use of certain external ports to certain source IPs, and other ports to other IPs.
        This seems to be a major limitation to me as this is actually what a firewall is supposed to do.

        But thanks for your answer, anyway. ;-)

          GruensFroeschli
          last edited by Jan 29, 2010, 10:26 PM

          I'm not sure I understand you.

          What do you mean you cannot limit certain external ports to certain sources?
          Of course you can do that with the appropriate firewall rule.

          Or could you maybe give an example of what you mean?

            hoopy_frood
            last edited by Feb 1, 2010, 8:47 AM

            @GruensFroeschli:

            I'm not sure I understand you.

            What do you mean you cannot limit certain external ports to certain sources?
            Of course you can do that with the appropriate firewall rule.

            Or could you maybe give an example of what you mean?

            OK, here's an example.
            Imagine I have the following NAT rules:

            Interface IP, port 80 => 10.10.10.10:80
            Interface IP, port 8080 => 10.10.10.10:80
            Virtual IP, port 1234 => 10.10.10.10:80

            How can I:

            Allow access from 123.123.123.123 to the Interface IP on port 80, without allowing the other ports?
            And allow access from 111.111.111.111 to the virtual IP on port 1234, without allowing the other ports?

            Best regards,

              GruensFroeschli
              Feb 1, 2010, 10:20 AM (last edited Feb 1, 2010, 12:48 PM)

              ~~Create two rules:
              1: allow, source 123.123.123.123:any, destination 10.10.10.10:80
              2: allow, source 111.111.111.111:any, destination 10.10.10.10:80

              Of course you have to delete the autocreated firewall rules. Otherwise anyone will be allowed.
              For the source you could also create an alias containing all the sources you want to allow and then use this alias as source.~~

              edit: I see now what you mean.
              I don't think this is possible with the GUI.
              But why would you want something like that?

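The following is an added example, not code from the thread, from Netgate or from pfSense. It is a small Python model of the "NAT -> Firewall" ordering GruensFroeschli describes, using the three port forwards and the two source addresses from hoopy_frood's posts. It shows why the struck-out "two rules on 10.10.10.10:80" answer cannot express the requested policy (after rdr, all three external endpoints look identical to the filter), and how a tag attached at NAT time lets a filter rule tell them apart. The WAN and virtual IP values (203.0.113.1 and 203.0.113.2) and the rule syntax are assumptions of the simulation; pf itself does have `tag` on rdr rules and `tagged` on pass rules, but whether a given pfSense GUI version exposes that on port forwards is not settled by this thread.

```python
"""Simulation of pf's NAT-then-filter ordering for the port forwards in the thread.

Added example (not from the forum post or from pfSense). Packets are first
run through first-match rdr rules, then through first-match pass rules that
see only the *translated* packet, which is the behaviour the thread discusses.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

WAN_IP = "203.0.113.1"   # assumption: the "Interface IP" from the thread
VIP = "203.0.113.2"      # assumption: the "Virtual IP" from the thread
SERVER = "10.10.10.10"   # internal web server from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    tag: Optional[str] = None   # set by an rdr rule, consumed by the filter


@dataclass(frozen=True)
class Rdr:
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int
    tag: Optional[str] = None   # pf: `rdr ... tag NAME -> int_ip port int_port`


@dataclass(frozen=True)
class Pass:
    src: Optional[str] = None     # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    tagged: Optional[str] = None  # pf: `pass in ... tagged NAME`


# The three port forwards from hoopy_frood's post, each given a distinct tag.
RDR_RULES = [
    Rdr(WAN_IP, 80, SERVER, 80, tag="WAN80"),
    Rdr(WAN_IP, 8080, SERVER, 80, tag="WAN8080"),
    Rdr(VIP, 1234, SERVER, 80, tag="VIP1234"),
]

# GruensFroeschli's struck-out answer: filter on the translated destination only.
DEST_ONLY_RULES = [
    Pass(src="123.123.123.123", dst=SERVER, dport=80),
    Pass(src="111.111.111.111", dst=SERVER, dport=80),
]

# Filter on the tag the rdr rule attached, so the pre-NAT endpoint is recoverable.
TAGGED_RULES = [
    Pass(src="123.123.123.123", tagged="WAN80"),
    Pass(src="111.111.111.111", tagged="VIP1234"),
]

# Constructed traffic: (source, external IP, external port) and the wanted verdict.
TRAFFIC: List[Tuple[str, str, int]] = [
    ("123.123.123.123", WAN_IP, 80),    # wanted: allow
    ("123.123.123.123", WAN_IP, 8080),  # wanted: deny (other port)
    ("123.123.123.123", VIP, 1234),     # wanted: deny (other IP)
    ("111.111.111.111", VIP, 1234),     # wanted: allow
    ("111.111.111.111", WAN_IP, 80),    # wanted: deny
    ("198.51.100.7", WAN_IP, 80),       # wanted: deny (unlisted source)
]
WANTED = [True, False, False, True, False, False]


def nat(pkt: Packet) -> Packet:
    """First-match rdr: rewrite the destination and attach the rule's tag."""
    for r in RDR_RULES:
        if pkt.dst == r.ext_ip and pkt.dport == r.ext_port:
            return replace(pkt, dst=r.int_ip, dport=r.int_port, tag=r.tag)
    return pkt


def filter_(pkt: Packet, rules: List[Pass]) -> bool:
    """First-match pass rules evaluated on the already-translated packet; default deny."""
    for r in rules:
        if r.src is not None and r.src != pkt.src:
            continue
        if r.dst is not None and r.dst != pkt.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.tagged is not None and r.tagged != pkt.tag:
            continue
        return True
    return False


def decide(pkt: Packet, rules: List[Pass]) -> bool:
    """pf order: NAT first, then the filter sees the translated packet."""
    return filter_(nat(pkt), rules)


def translated_endpoints() -> set:
    """What the filter sees as (dst, dport) for every flow in TRAFFIC."""
    return {(nat(Packet(s, d, p)).dst, nat(Packet(s, d, p)).dport) for s, d, p in TRAFFIC}


def policy_results(rules: List[Pass]) -> List[bool]:
    return [decide(Packet(s, d, p), rules) for s, d, p in TRAFFIC]


if __name__ == "__main__":
    print("filter sees:", translated_endpoints())           # one endpoint only
    print("dest-only  :", policy_results(DEST_ONLY_RULES))  # over-permissive
    print("tagged     :", policy_results(TAGGED_RULES))     # matches WANTED
```

With destination-only rules, every flow that reaches the server is allowed for both listed sources, because the filter has no way to know which external IP and port were hit; the tagged variant enforces exactly the per-source, per-endpoint policy hoopy_frood asked for.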
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.