Source NAT at the incoming interface

  • Hello pfSense community,

    at the moment I notice bug or missing feature in the NAT options. I would like to do locally NAT. In my special environment my source and destination systems should not know each other. So I implement NAT in my local network. I always do three steps for nating and masquerade.

    I create a NAT Forward rule with the original source ip with the destination This Firewall and redirect to the future destination ip and do a filter rule association on the incoming interface.  Afterwards I create an NAT Outbound to masquerade the original source ip address on the outgoing interface. So my automatic firewall rule matches the original source and original destination ip address.
    Everything looks to be working. The client could communicate via NAT with the server by access the Firewall IP in the same subnet (This Firewall) without a route or default gateway. The server doesn’t know the source for answering the request. Now I add a route or default gateway on the client to the server, the client could also communicate with the server. The firewall rule (NAT - filter rule association) is matching. But the client should not be able to communicate with the server by a route or gateway. Only NAT should be work.

    Is there a way to do Source NAT in the NAT Forward ruleset / incoming interface? So there is a redirect and a masquerade of the original source ip?



  • Rebel Alliance Developer Netgate

    Port forwards (destination NAT) and outbound NAT (source NAT) work exactly like you describe, but something seems off in your setup or testing methods if that doesn't work.

    As long as the traffic is actually hitting the firewall, it should do what you want.

    If you really want clients and servers to be separate and not see each other, they should be in separate subnets, such as putting servers in an isolated DMZ, then you don't need port forwards, just outbound NAT.

  • Seems you need a rule, which blocks traffic with src/dst same subnet via the firewall, excluding the firewall address itself. For instance, this is the case when you use P-VLANS to achieve a complete L2 separation, but you still need a rule on the default gateway (firewall) to block the traffic on the same subnet via it.

    I mean, I see nothing unusual here.

  • Hallo,

    NAT is is working as I described but the pure firewall rule is the problem. I can’t block incoming traffic and at the same time allow this traffic. In both cases I filter the source ip-address. I want to masquerade the source ip-address with NAT rules at the incoming interface. So I could build a firewall rule by the the ip-adress for the firewall (incoming interface) to the destination ip-address.

    I know cisco asa and for example a genua firewall could do those rules and genua is also a BSD with pf in the background.

    My ruleset is for example:
    NAT Forward:
    rdr on vmx1 inet proto tcp from to (self) port = http ->

    FW Rule:
    pass in quick on vmx1 inet proto tcp from to port = http flags S/SA keep state label "USER_RULE: NAT "

    NAT Outbound:
    nat on vmx2 inet proto tcp from to port = http -> port 1024:65535