NAT public source address > firewall LAN address (isolated server, with drawings)



  • I am struggling with how to achieve the following on pfSense.
    I have 1 public IP address on the external interface of my pfSense; on my LAN I have a server running.

    A regular port forward is straightforward on pfSense; I know how to achieve this.

    The next thing I want is to change the public source address (the client) into the LAN address of the firewall as source address:
    the response of the server then goes back to the LAN address of the firewall (it will never see the public IP).

    Source        Destination   |   Source         Destination
    212.0.1.2     97.0.1.2      |   192.168.0.1    192.168.0.10

    212.0.1.2    = client
    97.0.1.2     = public IP firewall
    192.168.0.1  = LAN IP firewall
    192.168.0.10 = server

    I have achieved such a configuration on other types of firewalls.
    What do you achieve here? Simple: a default gateway is no longer needed on the server, so spyware, etc., etc., etc. can never connect to the Internet again. You get an isolated server.



  • Why would you want to do that?  The public source address is needed for the local computer to work with the remote site.

    Let's not forget here, NAT is a hack to relieve the IPv4 address shortage.  It serves no other useful purpose and the sooner we're through with it, the better.



  • Please, no offense, I am seeking an answer and not a preacher, thank you (an arithmetician you also don't ask why; it is because you can, don't limit yourself…).
    Re-read my text, I gave my reason.

    For your information, I have done this on a Netscreen (Juniper) and it is possible on a Check Point firewall.
    To me it seems I have to create multiple NAT rules to make this happen + adding routing; not sure, it can be I am overlooking something.


  • Netgate

    Outbound NAT on the LAN interface will accomplish that.

    Firewall > NAT, Outbound - Switch to Hybrid outbound NAT

    Add a rule:

    Interface: LAN
    Source: 212.0.1.2/32
    Destination: 192.168.0.10/32
    NAT address: Interface address



  • @Derelict:

    Outbound NAT on the LAN interface will accomplish that.

    Firewall > NAT, Outbound - Switch to Hybrid outbound NAT

    Add a rule:

    Interface: LAN
    Source: 212.0.1.2/32
    Destination: 192.168.0.10/32
    NAT address: Interface address

    This is working flawlessly (the log also says so). Thank you for bringing me a better understanding of pfSense.
    (Of course the source, 212.0.1.2, is set to "any".)

    There is another use case for such a setup.

    On my Windows Server (it could also have been CentOS; a specific NVR runs on Windows only), I have a VPN client (OpenVPN) running towards a VPN service. The default gateway is set to the VPN service by OpenVPN (that is actually perfect). With services running on the server (NVR), it would no longer be accessible from the Internet via pfSense without the outbound NAT solution on the LAN interface, because local LAN traffic is never routed to a default gateway, in this case the gateway of the VPN service ;)

    What kind of traffic has to go over the VPN? That is up to you :)

    edit: for other readers, you still have to configure NAT by using the "Port Forward" method + adding the outbound configuration.

    edit: why not, a drawing
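    For readers who want to see the two pieces from this thread (the port forward, and Derelict's outbound NAT rule on LAN) expressed together as firewall rules, here is an added example in pf.conf syntax. It is not from the original posts and not the ruleset pfSense itself writes; the addresses are the thread's own, while the interface names em0/em1 and the service port 443 are assumptions for the sake of the example.

    ```pf
    # Added example, not from the thread. Interface names and the service port are assumed.
    ext_if   = "em0"            # WAN, holds the public address 97.0.1.2
    lan_if   = "em1"            # LAN, holds 192.168.0.1
    server   = "192.168.0.10"   # the isolated server
    svc_port = "443"            # assumed service port exposed to the Internet

    # 1. The regular "Port Forward": packets arriving on WAN for 97.0.1.2:443
    #    get their destination rewritten to the server. Source is still 212.0.1.2 here.
    rdr on $ext_if inet proto tcp from any to 97.0.1.2 port $svc_port -> $server port $svc_port

    # 2. Outbound NAT on the LAN interface (the "hybrid" rule from the thread, with
    #    source "any" as the OP ended up using it): as the forwarded packet leaves
    #    the LAN interface, its source is rewritten to the LAN interface address.
    #    The server therefore only ever sees 192.168.0.1 and answers to it directly,
    #    so it needs no default gateway pointing at the firewall.
    nat on $lan_if inet proto tcp from any to $server port $svc_port -> ($lan_if)

    # 3. A pass rule matching the post-rdr destination, as pfSense does for a
    #    port forward with an associated filter rule.
    pass in quick on $ext_if inet proto tcp from any to $server port $svc_port keep state
    ```

    Two things follow from rule 2 that matter operationally. With the source set to "any", every host the firewall routes to the server (other internal subnets, VPN clients terminating on pfSense) is also translated to 192.168.0.1, not just Internet clients, so only the 212.0.1.2/32 form keeps the effect limited to one remote peer. And because the server now sees a single source address for all translated connections, its own logs can no longer tell clients apart; the firewall's state table and NAT log become the only record of which public address opened a given session, so keep that logging enabled if the server's services are monitored for abuse.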