NAT from single host
-
Hey everyone, I'm coming from Linux and I've been being beaten from pfsense. I'm all day long trying to do a simple thing, but I can't.
I have 2 interfaces, 1 lan, 1 wan.
Since I don't want all the users to access the net directly, I've choosed "Manual Outbound NAT rule generation.
(AON - Advanced Outbound NAT)". But that only gives me the option to use "Network or Any" as source. I wish I could insert a single IP. On iptables, I used to make it like this "sudo iptables -t nat -A POSTROUTING -s IPIWANT -j MASQUERADE"
Then, that choosen IP would have NAT.
I've tried to use the firewall rules, setting the ip I want in the source, any port, to wan net, any port.
I still can't make it work.
The 1:1 option also won't apply since I don't want to bind the ip to an external address.
Am I missing anything?
I don't know what else to do!
-
Not exactly sure what you mean by "I don't want all the users to access the net directly".
-
Not exactly sure what you mean by "I don't want all the users to access the net directly".
With the Automatic Outbound NAT, a user could bypass the proxy and direct access the internet. With the NAT off, if the user disable the proxy on its browser, he isn't going anywhere.
With the MASQUERADE I could disable the NAT, and let pass only the ips I wanted to (even without the proxy)
-
What proxy? Forgot to tick the transparent checkbox in Squid, or what?
-
What proxy? Forgot to tick the transparent checkbox in Squid, or what?
Squid. I don't want the Squid in transparent mode.
With the auto created nat rules, if the user disables the proxy checkbox at his browser, he's able to use the internet directly (wan). I want to choose who gets to pass through, by IP, as I used to do with iptables, based on POSTROUTING / MASQUERADE rules.
Example: Network 192.168.0.0
All traffic must pass through Squid (non transparent).
IP 192.168.0.166 has direct access to WAN (NAT), so it doesn't need to pass through Squid.
The only option I have is to NAT the entire network (iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE).
I don't want a DNAT (port forwarding), I just want to select the IPs that can connect to internet directly, using the same IP I used before for example (iptables -t nat -A POSTROUTING -s 192.168.0.166 -j MASQUERADE).
-
OK, enjoy breaking your network.
-
OK, enjoy breaking your network.
There's no need to be rude. If I knew I wouldn't be asking.
-
Really. what is the point here? Just block the traffic if you don't want to let it out. Stop mucking with NAT and breaking everything else. The keyword here is ANY, not WAN net. Block 80/443 from LAN to ANY (or, NOT your proxy). No need to ever touch hybrid and god knows what other outbound NATs.