[solved] Outbound NAT with WAN DHCP IP Address

  • I have an SG-1000 arriving tomorrow and I decided to take a look at the pfsense settings ahead of time to see what needed to be set in order to get this to work, but I realized I'm not quite sure of the correct settings.

    I have an embedded server with a static IP address and no gateway. I would like to make this server accessible to the larger corporate network. This server does not need any other access to the larger corporate network or the internet.

    I would like to have requests from clients on the corporate network (FTP and HTTP specifically) on the "WAN" IP routed to the server and allow its responses to be returned to the client. I do not want to use a virtual IP as IT policies do not allow more than one MAC or IP (actually not sure which one) on a single switch port. Is it possible to set the 1:1 NAT rule to just use whatever was provided to the WAN interface via DHCP?

    I also will occasionally connect another device on the LAN side of the SG-1000 to manage pfSense, but I don't think this matters. (correct me if I'm wrong).

    I attached a diagram.

    I'm open to any and all suggestions that will achieve what I'm looking for, but I believe 1:1 NAT is the right way to do this.

    Help very much appreciated. Thanks.

  • LAYER 8 Global Moderator

    If your server has no gateway - how is it going to go anywhere?  You would have to source nat all traffic from pfsense wan to the server IP so server thinks it's coming from

    Why do you need 1:1 nat?  Just port forward whatever traffic you want to send to this server and have the server answer.. If you set the server's gateway to you wouldn't have to source nat the traffic.

    To the corp lan there will only be 1 device on the network IP and mac which would be pfsense Wan IP and mac address.

    Have you OK'd this with the corp networking/security team?

  • Thanks for the quick reply.

    The server has no gateway because it is expected to only communicate with clients "on-link" i.e. It is an embedded device that simply can't be changed.

    I thought I needed 1:1 NAT for the exact question you raise, "You would have to source nat all traffic from pfsense wan to the server IP so server thinks it's coming from". If I am mistaken, can you offer a little more guidance?

    And to your last question sigh, I spoke to 3 IT people on the phone, more emails, more calls, more voicemails. Ended up with the networking manager who said (paraphrasing) "we don't have a solution for what you need to do. you're on your own, do what you need to do and come back to us with your solution." I appreciate you asking though, as it is a fair question.

  • LAYER 8 Global Moderator

    So you would just source nat.. On your outbound nat tab and select lan and use pfsense lan as the interface and dest IP address of your server.. Now all inbound traffic to your device that you create a port forward on will look to that device like it came from pfsense address.

  • I think I understand. Just to be explicit, the rule as configured in the attachment is what you mean, right?

    Thanks for the help.

    ![NAT rule.png](/public/imported_attachments/1/NAT rule.png)

  • LAYER 8 Global Moderator

    Yeah that looks correct..  So now just port forward the traffic you want to hit… Simple sniff on pfsense lan using diag packet capture will show you if traffic is being natted to pfsense lan address.

    This is common setup for vpn, and access cameras that do not support gateway setting.  Sounds kind of like your iot device not able to do, etc.

  • Thanks and you're exactly right.

  • LAYER 8 Global Moderator

    Let us know how it turns out once you get your sg-1000..

  • Well, box came in. Part was easy and worked flawlessly, part I have to figure out.

    HTTP works great.

    FTP doesn't work. The client connects via port 21 just fine, commands and responses go back and forth between client and server. The FTP server is active only and the client issues the PORT command which includes a corporate LAN IP of the client that is not accessible to the server (since it has no gateway). So I gather I need to either configure pfsense to intercept the PORT command, change the values, and then pass it along or create some sort of FTP proxy on pfsense. Is that right? Any thoughts?

    I'm looking to see if the server can be configured to support passive, but as of right now it returns "not implemented" when the client tries.

  • LAYER 8 Global Moderator

    Where is FTP?  On your server(iot device) behind pfsense?  And your client is out on your wan?  And the server only does active?

    You're going to have a problem with that for sure… Since the server has NO gateway, and the client would be telling the server come connect to me on IP address which is a problem...

    Whatever this device is - to be honest I would get something else that supports a gateway!!!

  • FTP server is behind the pfSense LAN

    Client is in the corporate LAN 172.16.x.x space (pfSense WAN).

    It seems the server only does active, but I'm looking into this. Device is a product we are developing. It is never intended to be accessible on a larger network when in-use, I'm just trying to cheat to make things easier here to support development.

    Am I correct that passive would solve the problem?

    Are there any other pfSense options to support this? Intercept the PORT command? FTP proxy? Other ideas?

  • LAYER 8 Global Moderator

    Passive could maybe fix the problem depending on the ftp client..  With passive the ftp server tells the client in the control channel, hey come connect to me - if it says you're out of luck!!  But some clients will say that doesn't work I connected to you on 172.16.x.x I will use that and the port you gave me in the passive command.

    If this is something you're developing and designed to only work on same network… Why are you putting it behind a firewall to try and test it?

    I would suggest you drop ftp completely and use sftp!!  FTP should have died off 10 years ago or longer - it's CRAP!!! it's not secure and as you can see a PITA across firewalls and nat..

    I would also suggest your device have the ability to set a gateway so you can use it across segments.  If this is designed for home use, more and more homes are segmenting their networks because they don't want untrusted iot devices on the same network as their trusted devices, etc.

  • Good to know, any suggestions to try besides passive since not sure that will work?

    The intended use is an air gapped, ~3 device network all with static IPs and directly connected via a switch. Think of it as a room level network.

    I'm trying to connect it to the larger network so developers, some local and some remote, can make changes to the device, i.e. develop, without having to physically walk over and connect to the device. I had previously hooked up a 2 NIC desktop that could have 1 NIC attached to the device and 1 NIC connected to the corporate network. That had some problems and I was hoping this pfSense solution would be an improvement.

    The FTP is also intended for development only, it won't be in the product when released.

  • LAYER 8 Global Moderator

    Connect a computer or few computers to this 10. network you have behind pfsense and let users access them.. Then from there they can ftp all they want since they would be on the 10 network and local to this iot device.

  • That is what I had done. There had been some annoyances, I was hoping pfSense would be an improvement.

  • LAYER 8 Global Moderator

    It works fine for web access and would also work fine for say ssh/sftp but with FTP how it uses control channel and data channel it's going to be a problem without client/server being able to handle the ability to talk off the local network or even in passive the server being able to give out the specific NAT IP and set ports it will use.

    If your ftp server running on the device could do passive and hand out the 172. address and use specific ports like 5000-6000 for the passive range then you could get it to work fine.
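
The active-mode failure and the passive-mode workaround discussed in the posts above, as an added example that is not part of the original thread. The thread only gives "172.16.x.x" and a "10." network, so the subnet, the WAN address and the client address below are constructed; the 5000-6000 passive range is the one suggested in the post above.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the thread).
SERVER_NET = ipaddress.ip_network("10.0.0.0/24")   # embedded server's on-link subnet
PFSENSE_WAN = ipaddress.ip_address("172.16.5.20")  # DHCP-assigned WAN address
PASV_RANGE = range(5000, 6001)                     # passive ports forwarded on the WAN


def decode_hostport(arg):
    """Decode the h1,h2,h3,h4,p1,p2 field used by PORT and by 227 replies."""
    parts = [int(p) for p in arg.strip().split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"malformed host-port field: {arg!r}")
    ip = ipaddress.ip_address(".".join(map(str, parts[:4])))
    return ip, parts[4] * 256 + parts[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport: address octets, then port high and low byte."""
    return ",".join(str(ip).split(".") + [str(port >> 8), str(port & 0xFF)])


def active_mode_reachable(port_command):
    """Can a gateway-less server open the data connection the client asked for?"""
    verb, _, arg = port_command.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    ip, port = decode_hostport(arg)
    # Source NAT only rewrites packet headers; the address inside the PORT
    # payload is untouched, and with no default route the server can only
    # connect to on-link addresses.
    return ip in SERVER_NET, ip, port


def passive_reply(data_port):
    """227 reply a passive-capable server behind the NAT would need to send."""
    if data_port not in PASV_RANGE:
        raise ValueError("data port outside the forwarded passive range")
    return f"227 Entering Passive Mode ({encode_hostport(PFSENSE_WAN, data_port)})."


if __name__ == "__main__":
    # Constructed control-channel line from a client on the corporate LAN.
    print(active_mode_reachable("PORT 172,16,8,41,195,80"))
    print(passive_reply(5001))
```
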

  • I'm marking this as solved since it had drifted into an FTP specific question.

    I'm looking into if the device can support passive, not sure yet.

    I did download the FTP Proxy package and a quick look makes it seem like it is not suitable since what I would really need is a transparent forwarding FTP proxy. (anyone correct me if I'm wrong).


  • LAYER 8 Global Moderator

    The ftp package is for clients behind pfsense to go to active ftp servers on the internet.. It doesn't work with active servers behind pfsense, especially ones that would have no way to get to the clients IP anyway since it has no gateway.

    What that package does is look in the control channel and see the port the client is telling the server to connect to, and then forwarding that port to the client.
