Netgate Discussion Forum

NAT public source address > firewall LAN address (isolated server, with drawings)

sokolum

I am struggling with how to achieve the following on pfSense.
I have 1 public IP address on the external interface of my pfSense; on my LAN I have a server running.

A regular port forward is straightforward on pfSense; I know how to achieve this.

The next thing I want is to change the public source address (client) into the source address of the LAN address on the firewall:
the response of the server then goes back to the LAN address of the firewall (it never sees the public IP).

Before NAT                       |  After NAT
Source       Destination         |  Source         Destination
212.0.1.2    97.0.1.2            |  192.168.0.1    192.168.0.10

      212.0.1.2 = client
      97.0.1.2 = public ip firewall
      192.168.0.1 = LAN ip firewall
      192.168.0.10 = server

I have achieved such a configuration on other types of firewalls.
What do you achieve here? Simple: a default gateway is no longer needed on the server, so spyware, etc., etc., can never connect to the Internet anymore. You get an isolated server.

JKnott

        Why would you want to do that?  The public source address is needed for the local computer to work with the remote site.

        Let's not forget here, NAT is a hack to relieve the IPv4 address shortage.  It serves no other useful purpose and the sooner we're through with it, the better.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

sokolum

Please, no offense, I am seeking an answer and not a preacher, thank you (an arithmetician you also don't ask why; it is because you can, don't limit yourself…).
Re-read my text, I gave my reason.

For your information, I have done this on a Netscreen (Juniper) and possibly on a Check Point firewall.
To me it seems I have to create multiple NAT rules to make this happen + adding routing, not sure; it could be I am overlooking something.

Derelict (LAYER 8, Netgate)

            Outbound NAT on the LAN interface will accomplish that.

            Firewall > NAT, Outbound - Switch to Hybrid outbound NAT

            Add a rule:

            Interface: LAN
            Source: 212.0.1.2/32
            Destination: 192.168.0.10/32
            NAT address: Interface address

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

sokolum

              @Derelict:

              Outbound NAT on the LAN interface will accomplish that.

              Firewall > NAT, Outbound - Switch to Hybrid outbound NAT

              Add a rule:

              Interface: LAN
              Source: 212.0.1.2/32
              Destination: 192.168.0.10/32
              NAT address: Interface address

This is working flawlessly (the log also says so). Thank you for bringing me a better understanding of pfSense.
(Of course the source, 212.0.1.2, is set to "any".)

There is another use case for such a setup.

On my Windows Server (it could also have been CentOS; a specific NVR runs on Windows only), I have a VPN client (OpenVPN) running towards a VPN service. The default gateway is set to the VPN service by OpenVPN (that is actually perfect). With services running on the server (NVR), they would no longer be accessible from the Internet via pfSense without the outbound NAT solution on the LAN interface, because local LAN traffic is never routed to a default gateway, in this case the gateway of the VPN service ;)

              What kind of traffic has to go over the VPN? That is up to you :)

              edit: for other readers, you still have to configure NAT by using the "Port Forward" method + adding the outbound configuration.

              edit: why not, a drawing

[Attached images: Drawing1.jpg, Drawing2.jpg]
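As an added illustration, not from the thread, the pf translation rules that correspond to the setup above: a WAN port forward plus the hybrid outbound NAT rule Derelict describes on the LAN interface. Interface names em0 (WAN) and em1 (LAN) and the service port tcp/443 are assumptions.

```pf
# Port forward on WAN (assumed em0): public IP, tcp/443 -> the server.
# This is the "Port Forward" step sokolum mentions; it rewrites the destination only.
rdr on em0 proto tcp from any to 97.0.1.2 port 443 -> 192.168.0.10 port 443

# Outbound NAT on LAN (assumed em1): rewrite the client's source address to the
# LAN interface address (192.168.0.1). The server's replies are addressed to the
# firewall's LAN IP, which is on-link, so the server needs no default gateway.
# Source "any" mirrors sokolum's working rule rather than the /32 in Derelict's example.
nat on em1 from any to 192.168.0.10 -> (em1)

# Allow the translated traffic in on WAN; pf evaluates filter rules after
# translation, so the rule matches the post-rdr destination. The state created
# here also covers the server's replies on the LAN side.
pass in quick on em0 proto tcp from any to 192.168.0.10 port 443 keep state
```

One consequence to keep in mind: the server's own logs will record 192.168.0.1 as the source of every external connection, so the real client address is only visible in the firewall's state table and logs.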

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.