Replicating a Sonicwall NAT rule on PFSense


  • Hi all,

    I'm relatively new to PFSense, but have somehow successfully managed to deploy about twelve of them over the past couple of months without getting myself into trouble… Until now!

    I just replaced a client's SonicWALL with PFSense, and all is working well except one item: Their Shoretel phone app on the LAN side won't communicate with the shoretel server which is on OPT1.

    I've spent a few hours trying to decipher this without success, so I'm reaching out to the pros!

    Here is the lay of the land:
    LAN: 172.17.10.0/24
    OPT1: 192.168.10.0/24

    OPT1 is connected to a switch that is part of it's own environment managed by the phone vendor - I have no access rights to the router or switch. For clarification, the Shoretel server is configured as 192.168.10.10/24, GW: 192.168.10.1

    I have tried creating rules that allow all traffic to pass between interfaces to no avail.

    When I put the PFSense in, the Shoretel client software on the LAN side yields a message "cannot communicate with Shoretel server". If I swap the Sonicwall back in, the client resumes connectivity.

    FYI, I have wiped/reinstalled PFSense on the device. WAN connectivity is great. Everything else seems to be working great.

    I think I have the key, however - I just don't know how to translate it. I found a NAT rule on the Sonicwall called "Magic Nat!". I captured the screenshot and have shared it as Magic NAT.JPG

    In the Sonicwall NAT rule image, X2 Subnet/IP refers to the Shoretel subnet/IP.

    Please help! :)

    Thanks a million in advance

    ![Shoretel Config.jpg](/public/imported_attachments/1/Shoretel Config.jpg)
    ![Shoretel Config.jpg_thumb](/public/imported_attachments/1/Shoretel Config.jpg_thumb)
    ![Magic NAT.JPG](/public/imported_attachments/1/Magic NAT.JPG)
    ![Magic NAT.JPG_thumb](/public/imported_attachments/1/Magic NAT.JPG_thumb)

  • LAYER 8 Netgate

    That looks like it is probably an outbound NAT rule on the Shoretel (X2) interface:

    Firewall> NAT, Outbound

    If Automatic, enable Hybrid mode and save.

    Interface: Shoretel/X2/Whatever
    Protocol: any
    Source: Network, LAN network subnet/mask
    Destination:  Network, Shoretel/X2/Whatever network subnet/mask
    Translation Address: Interface address

    Essentially means that the shoretel network has no connectivity outside its local subnet so you want all connections to that network to appear to come from something on that subnet. Interface address in that case.

    Nothing magic about it. Just source address translation.


  • Yeah! Magic or not, it worked immediately!! :)

    I'm super grateful for your quick help, Derelict!