Netgate Discussion Forum

    Source NAT at the incoming interface

    wisgard

      Hello pfSense community,

      At the moment I notice a bug or missing feature in the NAT options. I would like to do NAT locally. In my special environment my source and destination systems should not know each other, so I implement NAT in my local network. I always do three steps for NATing and masquerading.

      I create a NAT Forward rule with the original source IP, with the destination This Firewall, redirect to the future destination IP and do a filter rule association on the incoming interface. Afterwards I create a NAT Outbound rule to masquerade the original source IP address on the outgoing interface. So my automatic firewall rule matches the original source and original destination IP address.
      Everything looks to be working. The client can communicate via NAT with the server by accessing the firewall IP in the same subnet (This Firewall) without a route or default gateway. The server doesn't know the source for answering the request. Now when I add a route or default gateway on the client to the server, the client can also communicate with the server. The firewall rule (NAT filter rule association) is matching. But the client should not be able to communicate with the server via a route or gateway. Only NAT should work.

      Is there a way to do source NAT in the NAT Forward ruleset / on the incoming interface, so that there is a redirect and a masquerade of the original source IP?

      Thanks,

      Roy

      jimp (Rebel Alliance Developer, Netgate)

        Port forwards (destination NAT) and outbound NAT (source NAT) work exactly like you describe, but something seems off in your setup or testing methods if that doesn't work.

        As long as the traffic is actually hitting the firewall, it should do what you want.

        If you really want clients and servers to be separate and not see each other, they should be in separate subnets, such as putting servers in an isolated DMZ; then you don't need port forwards, just outbound NAT.

        bofh16

          Seems you need a rule which blocks traffic with src/dst in the same subnet via the firewall, excluding the firewall address itself. For instance, this is the case when you use P-VLANs to achieve a complete L2 separation, but you still need a rule on the default gateway (firewall) to block the traffic on the same subnet via it.

          I mean, I see nothing unusual here.

          wisgard

            Hello,

            NAT is working as I described, but the pure firewall rule is the problem. I can't block incoming traffic and at the same time allow this traffic. In both cases I filter the source IP address. I want to masquerade the source IP address with NAT rules at the incoming interface. So I could build a firewall rule from the IP address of the firewall (incoming interface) to the destination IP address.

            I know Cisco ASA and, for example, a Genua firewall can do those rules, and Genua is also a BSD with pf in the background.

            My ruleset is for example:
            NAT Forward:
            rdr on vmx1 inet proto tcp from 1.1.1.2 to (self) port = http -> 2.2.2.2

            FW Rule:
            pass in quick on vmx1 inet proto tcp from 1.1.1.2 to 2.2.2.2 port = http flags S/SA keep state label "USER_RULE: NAT "

            NAT Outbound:
            nat on vmx2 inet proto tcp from 1.1.1.2 to 2.2.2.2 port = http -> 2.2.2.1 port 1024:65535

            Thanks

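The ruleset above lets the filter rule match both the redirected connection and a directly routed one, because pf applies rdr before filtering and the pass rule therefore sees the translated destination 2.2.2.2 in both cases. The following added example (written for this page, not from the thread or from pfSense) keeps the three rules but lets the rdr tag the redirected connection so the filter can tell the two paths apart; it assumes FreeBSD pf.conf syntax as shipped with pfSense, vmx1 as the client-side interface, vmx2 as the server-side interface, and the addresses from the post.

```pf
# Added example, not the poster's ruleset. Assumes FreeBSD pf syntax (pfSense),
# client 1.1.1.2 on vmx1, server 2.2.2.2 behind vmx2 address 2.2.2.1.

# 1. Destination NAT: client -> This Firewall (self) on port 80 is redirected
#    to the server. The rdr tags the connection so the filter can recognise it.
rdr on vmx1 inet proto tcp from 1.1.1.2 to (self) port http tag REDIRECTED -> 2.2.2.2

# 2. Filter on the incoming interface. rdr has already run, so the destination
#    seen here is 2.2.2.2 whether the client used This Firewall or a route;
#    only the tagged (redirected) connections are allowed in.
pass in quick on vmx1 inet proto tcp from 1.1.1.2 to 2.2.2.2 port http \
    tagged REDIRECTED flags S/SA keep state label "USER_RULE: NAT via self only"

#    The same client/server pair arriving via a route or default gateway
#    carries no tag and is dropped and logged here.
block in log quick on vmx1 inet from 1.1.1.2 to 2.2.2.2 label "USER_RULE: no direct routing"

# 3. Source NAT on the outgoing interface: masquerade the client behind the
#    firewall's vmx2 address, so the server only ever sees 2.2.2.1.
nat on vmx2 inet proto tcp from 1.1.1.2 to 2.2.2.2 port http -> 2.2.2.1 port 1024:65535
```

Whether your pfSense version exposes the tag option for port forwards in the web GUI (firewall rules have Tag/Tagged under advanced options) needs checking against its pf.conf(5); verify the resulting rules with `pfctl -sn` and `pfctl -sr` and test both the This Firewall path and the routed path from the client.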
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.