NAT Port Forward vs Firewall Rule



  • Could someone help me improve my understanding of pfSense?

    I have a device on my network that has its DNS servers hard coded, so I use a NAT port forward rule to catch everything it sends on port 53 and redirect it to the DNS server of my choice. I copied the setup from one of the posts in this forum. Is there any reason why I should use the NAT rule? Can I achieve the same thing with a standalone firewall rule and dispense with the linked NAT rule?

    Peter


  • LAYER 8 Global Moderator

    How would your firewall rule redirect traffic sent to, say, 8.8.8.8 on UDP to the IP address you're redirecting to?



  • NAT stands for "Network Address Translation". In PF (and pfSense) this process is totally separate from the packet filtering process. The packet filtering process does just filtering as the name suggests, if you want to do any sort of address translation you have to use the NAT engine of PF and its RDR and NAT rules.



  • Ah, yes!

    I thought the NAT linked firewall rule was just the same as any other firewall rule but I now see that the "destination" section of the NAT rule is the destination for the redirected packet whereas the destination for a normal firewall rule just selects the packets for Pass/Reject.  Correct?

    Peter


  • LAYER 8 Netgate

    They complement each other / work in tandem.

    You can forward the port but without the firewall rule no traffic will pass.

    You can add the firewall rule but without the port forward there will be no inbound traffic for the destination address (usually an RFC1918 address).
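    The two replies above (NAT and filtering being separate engines, and the rdr and pass rules working in tandem) can be seen side by side in raw pf syntax. The following is an added example and is not from the thread or from pfSense itself; it is the FreeBSD/pfSense-style pf.conf equivalent of a "NAT port forward with a linked firewall rule" for the DNS case discussed. The interface name, LAN network and DNS server address are assumptions; the DNS server is taken to be the firewall's own LAN address.

```pf
# Added example, not from the original thread. Interface, network and
# DNS server addresses are assumed values for illustration.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
my_dns  = "192.168.1.1"     # assumed: the firewall's own LAN address

# 1. Translation (NAT) engine: the rdr rule. The address after "->" is
#    where the packet is sent, so a DNS query from the LAN to any server
#    other than $my_dns (e.g. a hard-coded 8.8.8.8) has its destination
#    rewritten to $my_dns. This is the pfSense "NAT port forward".
rdr on $lan_if inet proto { tcp, udp } from $lan_net to ! $my_dns port 53 -> $my_dns port 53

# 2. Filter engine: default deny on the interface (pfSense applies this
#    implicitly), then the pass rule. Filter rules run AFTER translation,
#    so "to $my_dns" here only selects the already-rewritten packets; it
#    does not move them anywhere. This is the pfSense "linked firewall rule".
block in on $lan_if
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $my_dns port 53 keep state

# Remove the rdr and the pass rule never matches queries aimed at 8.8.8.8,
# so they leave the LAN untouched (or are blocked by your outbound policy).
# Remove the pass rule and the rewritten packets are dropped by the block.
```

    Loading these rules into pf and inspecting them with `pfctl -s nat` and `pfctl -s rules` shows the two rule sets living in separate tables, which is the point made above. In the pfSense GUI, setting "Filter rule association" to "Add associated filter rule" on the port forward creates the pass rule for you. One caveat: if the chosen DNS server were a separate host on the same LAN instead of the firewall itself, its reply would go straight back to the client from that host's address rather than from 8.8.8.8, and the client would discard it; in that layout an outbound NAT rule on the LAN interface is also needed so the reply returns through the firewall.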

