Netgate Discussion Forum
    NAT source and destination ?

yellowmonkey:

I am trying to set up a pfSense 2.0.1 box to replace a failed Nokia/Checkpoint firewall, and I am having some issues with the NAT in pfSense which I need help with.

On Checkpoint it is possible to NAT both the source and destination of a packet. I have been trying to set this up on the pfSense firewall but cannot get anything similar.

What I want to achieve is similar to this:

      original packet:
      source : 10.1.1.30 > destination : 10.1.1.49

      translated (natted) packet:
      source : 192.168.1.13 > destination 192.168.1.91

So this works as follows.

A client on the internal network with an IP of 10.1.1.30 wants to connect to an FTP server 192.168.1.91, but as the destination server IP changes often we do not want to keep changing the client's FTP destination address, so we use the internal IP 10.1.1.49 which is an alias (or proxy ARP) on the LAN interface. The FTP server will only allow access from the 192.168.1.x range, so we need to make sure the source address is NATted to an IP in the 192.168.1.x range (not the WAN interface IP!). So this means we first have to NAT the destination 10.1.1.49 > 192.168.1.91 but then also the source 10.1.1.30 > 192.168.1.13.

So the NAT rule looks like:

      original                                                                          translated
      source              destination          service                        source                      destination          service
      10.1.1.30          10.1.1.49            ftp                            192.168.1.13              192.168.1.91        ftp

pfSense LAN is 10.1.1.27, WAN is 192.168.1.1.

I cannot see any way of doing this. Please can anyone more experienced in pfSense NAT help?

      Thanks for looking.

yellowmonkey:

OK, just a bit of an update for all of you who have viewed this thread: I have still not managed to do this on the pfSense, but I was able to do this on a Cisco ASA firewall using Twice-NAT and the following command:

        nat (any,any) after-auto source static 10.1.1.30 192.168.1.13
        destination static 10.1.1.49 192.168.1.91 unidirectional

Does anyone here know how to achieve this on the pfSense?

        Thanks again for looking.

cmb:

          For egress traffic, you can change the source IP with outbound NAT, and the destination IP with port forwards.

yellowmonkey:

Yes, I understand, but how do I combine both outbound NAT and a port forward for the same packet?

Do I first create an outbound NAT rule to convert src:10.1.1.30 dst:10.1.1.49 to src:192.168.1.13 dst:10.1.1.49,
and then add a port forward for 10.1.1.49 to 192.168.1.91?

What would be the way of doing this, and what interface would the NAT/PF rules be on, INT or EXT?

And how would the incoming packet be NATted? Would it be the same in reverse, or would I need to configure new NAT rules for this?

Sorry if this is basic stuff, but I am completely new to the pfSense way of doing NAT (and to be truthful the documentation does not help much).

            Thanks

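Illustrating cmb's answer with the addresses from the first post, here is a constructed pf.conf fragment (an added example, not from the thread, not pfSense's generated ruleset, and written in the pre-4.7 pf syntax of pfSense 2.0.x). It assumes em0 is LAN and em1 is WAN, and shows only the FTP control channel (port 21).

```pf
# LAN (inbound) side: the "port forward". rdr rewrites the destination
# when the packet arrives on em0, so the internal alias 10.1.1.49
# becomes the real FTP server 192.168.1.91.
rdr on em0 proto tcp from 10.1.1.30 to 10.1.1.49 port 21 \
    -> 192.168.1.91 port 21

# WAN (outbound) side: the "outbound NAT". By the time the packet
# leaves em1 its destination is already 192.168.1.91, so the nat rule
# matches the translated destination and rewrites the source to
# 192.168.1.13 instead of the WAN address 192.168.1.1.
nat on em1 proto tcp from 10.1.1.30 to 192.168.1.91 port 21 \
    -> 192.168.1.13

# Filter rules see the post-rdr destination, so pass the translated
# address. The state entry records both translations, so the server's
# replies (192.168.1.91 -> 192.168.1.13) are reversed automatically;
# no separate rules are needed for the return direction.
pass in quick on em0 proto tcp from 10.1.1.30 to 192.168.1.91 port 21 \
    flags S/SA keep state
```

Translation rules are evaluated before filter rules, rdr on the inbound interface and nat on the outbound one, which is why the nat rule must reference 192.168.1.91 rather than 10.1.1.49. Active or passive FTP data connections are not covered by these three lines and need separate handling.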