
    NAT from single host

    8 Posts 2 Posters 1.4k Views
      do1984

      Hey everyone, I'm coming from Linux and I've been getting beaten up by pfSense. I've been trying all day long to do a simple thing, but I can't.
      I have 2 interfaces, 1 LAN, 1 WAN.
      Since I don't want all the users to access the net directly, I've chosen "Manual Outbound NAT rule generation
      (AON - Advanced Outbound NAT)". But that only gives me the option to use "Network or Any" as the source. I wish I could insert a single IP. On iptables, I used to do it like this: "sudo iptables -t nat -A POSTROUTING -s IPIWANT -j MASQUERADE"
      Then that chosen IP would have NAT.
      I've tried to use the firewall rules, setting the IP I want as the source, any port, to WAN net, any port.
      I still can't make it work.
      The 1:1 option also won't apply, since I don't want to bind the IP to an external address.
      Am I missing anything?
      I don't know what else to do!

      ![Screen Shot 2017-01-05 at 4.29.08 PM.png](/public/imported_attachments/1/Screen Shot 2017-01-05 at 4.29.08 PM.png)

        doktornotor

        Not exactly sure what you mean by "I don't want all the users to access the net directly".

          do1984

          @doktornotor:

          Not exactly sure what you mean by "I don't want all the users to access the net directly".

          With the Automatic Outbound NAT, a user could bypass the proxy and directly access the internet. With the NAT off, if the user disables the proxy in his browser, he isn't going anywhere.
          With MASQUERADE I could disable the NAT and let through only the IPs I wanted to (even without the proxy).

            doktornotor

            What proxy? Forgot to tick the transparent checkbox in Squid, or what?

              do1984

              @doktornotor:

              What proxy? Forgot to tick the transparent checkbox in Squid, or what?

              Squid. I don't want the Squid in transparent mode.
              With the auto-created NAT rules, if the user disables the proxy checkbox in his browser, he's able to use the internet directly (WAN). I want to choose who gets to pass through, by IP, as I used to do with iptables, based on POSTROUTING / MASQUERADE rules.
              Example: Network 192.168.0.0
              All traffic must pass through Squid (non transparent).
              IP 192.168.0.166 has direct access to WAN (NAT), so it doesn't need to pass through Squid.
              The only option I have is to NAT the entire network (iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE).
              I don't want a DNAT (port forwarding), I just want to select the IPs that can connect to internet directly, using the same IP I used before for example (iptables -t nat -A POSTROUTING -s 192.168.0.166 -j MASQUERADE).

                doktornotor

                OK, enjoy breaking your network.

                  do1984

                  @doktornotor:

                  OK, enjoy breaking your network.

                  There's no need to be rude. If I knew I wouldn't be asking.

                    doktornotor

                    Really, what is the point here? Just block the traffic if you don't want to let it out. Stop mucking with NAT and breaking everything else. The keyword here is ANY, not WAN net. Block 80/443 from LAN to ANY (or, NOT your proxy). No need to ever touch hybrid and god knows what other outbound NATs.
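For readers coming from iptables, here is the last reply's advice translated into Linux terms. This is an added example, not code from the thread or from pfSense: outbound NAT stays unconditional (it translates addresses, it is not an access-control list), and the decision about who may reach the Internet directly is made in the FORWARD chain, where a per-host ACCEPT sits in front of a LAN-wide DROP. The interface names, the /24 LAN, a Squid instance running on the firewall's own LAN address on port 3128, and the single bypass host are assumptions chosen for the example. With the default IPT="echo iptables" the script only prints the commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): enforce "who may go direct" in the
# filter table, not by selectively MASQUERADEing hosts.
#
# Assumptions, all placeholders: eth1 is LAN, eth0 is WAN, the LAN is
# 192.168.0.0/24, Squid listens on the firewall itself at TCP 3128 in
# non-transparent mode, and 192.168.0.166 is the one host allowed to bypass it.
# IPT defaults to a dry run that prints the iptables commands instead of
# applying them; export IPT=iptables (as root) to load the rules for real.

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"
BYPASS_HOSTS="${BYPASS_HOSTS:-192.168.0.166}"

egress_policy() {
    # NAT covers the whole LAN. Anything the filter lets out gets translated;
    # anything the filter drops never reaches POSTROUTING, so NAT does not
    # need to know about the policy at all.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Traffic to a non-transparent proxy on the firewall terminates locally
    # (INPUT chain), so the FORWARD restrictions below never affect proxy users.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # Replies for connections the firewall has already allowed out.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Hosts allowed to bypass the proxy: explicit pass rules, appended before
    # the catch-all drop so they are evaluated first.
    for h in $BYPASS_HOSTS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$h" -j ACCEPT
    done

    # Everyone else on the LAN: no direct forwarding to the Internet. This is
    # the rule that does the job the original post tried to do with a
    # per-host MASQUERADE; a host that is merely "not NATted" would still be
    # forwarded, just with an unroutable private source address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j DROP
}

egress_policy
```

The same shape in the pfSense GUI is what the reply describes: a pass rule on the LAN tab for the bypass host, a pass rule to the proxy port on the firewall, and a block rule from LAN net to any (not to "WAN net", which only matches the WAN subnet itself), with outbound NAT left on automatic.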

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.