Can I hide/masquerade incoming IP?

  • I have an internal client with the following situation:

    1. Client has two interfaces: management (eth0) and data (eth1)
    2. Client routes all IP addresses on management network ( to eth0
    3. Client default route is to a gateway ( on data network (eth1)
    4. The gateway on the management network is

    The problem is I want to ssh to the client via eth0. I have a port forwarding rule currently that lets me ssh from the outside. If I ssh from the inside on the management network then it works fine. But I can't ssh from outside because the client is set to route traffic to eth1 gateway by default. I can create a route for a specific external network but this is no good because ssh comes from multiple networks.

    My questions are as follows:

    1. Is it possible for me to hide the IP of incoming connections so that it looks like it is coming from an internal IP on the management network, for example, the management gateway (
    2. If not, is there a better way of doing what I am trying to do?


  • LAYER 8 Netgate

    What is the IP address you want to ssh from?

    What is the address you want to ssh to?

    You can almost certainly use outbound NAT to do what you want, but I can't make out exactly what that is.

  • The internal IP that I am wanting to ssh to is the IP of the client on the management interface, which is

    The address I want to ssh from could be anything. It is an external IP.

  • LAYER 8 Netgate

    Then yeah. Set outbound NAT on the eth0 interface to a NAT address of eth0_address.

    You can limit the rule to only destination address port 22 if you like.

    All connections to would then appear to be sourced from

    NAT port forwards translate the destination. NAT Outbound translates the source.

    You can add a free address on as a Virtual IP address on eth0 and NAT the source address to that instead if you like.

  • @derelict Interesting. I thought that outbound NAT only dealt with traffic going out of the interface, not coming in.

    Here is what I tried:
    Interface: WAN
    Source: any
    Source Port: tcp/*
    Destination Port: tcp/22
    NAT Address:
    NAT Port: *
    Static Port: check

    This doesn't appear to be working. When I attempt to ssh into the machine it is still using my client's IP address. Am I doing something wrong?

  • LAYER 8 Netgate

    No idea what interface is what. Draw a network topology diagram.

    Thanks for your help, here is a diagram.
    Traffic is routed to and from the internet through, the default gateway for most of the devices on my network. I realize that this diagram does not include vlans. The subnet is for the management vlan. The subnet is for the data vlan.

    For live traffic tests I want to route all traffic (except ssh) through the data vlan so that it can be scanned by the transparent firewall. So it goes through the firewall, to the gateway's data interface and then forwarded to through the management interface to the Internet.

    However for SSH I do not want this to go through the firewall at all, I want it to go through the gateway (

    So here is what my routing table looks like on the client:

    1. default gateway is to over eth1 (data interface)
    2. is over eth0 (management interface)
    3. is over eth1 (data interface)

    The issue I am having is that it is still trying to route ssh traffic through even though I created the outbound NAT rule above. Upon further investigation, the source IP for SSH traffic is not being translated at all; when I do a tcpdump on the client I can see it is still my original IP (I will call it What I was hoping is that I could translate to so that the client would think this is the originating IP, and then route it to the management network, where the gateway would see it and know that it is intended for and forward it accordingly.

    I have researched other ways of doing what I want to do, including marking ssh connections and creating a table and route for those marked connections, but that did not work for me either.

    Any help would be appreciated.

  • LAYER 8 Netgate

    How do you have two interfaces both on

    That looks like an asymmetric nightmare.

  • @derelict Oops, my mistake. The server+gateway has the IP Only the pfsense gateway has Sorry for the typo.

  • LAYER 8 Netgate

    Outbound NAT does not route traffic.

    It only determines what NAT happens to traffic flowing out that interface when it is already routed that way.

    @jusschwa said in Can I hide/masquerade incoming IP?:

    So here is what my routing table looks like on the client:

    1. default gateway is to over eth1 (data interface)
    2. is over eth0 (management interface)
    3. is over eth1 (data interface)

    What is this client?

    If that is its routing table and it is routing any traffic destined for to it is wrong.

    Unless there is policy routing or something present outside the routing table you provided that is routing that way.
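To make the two points above concrete (outbound NAT rewrites the source of traffic leaving a given interface, and the client's own routing table then decides where the reply goes), here is a small simulation added for this thread; it is not code from the posters or from pfSense. All addresses are constructed placeholders, since the thread's real ones are not shown, and the "rules" structure is a simplified model of a pfSense outbound NAT rule, not its actual config format.

```python
import ipaddress

# Constructed sample addressing (the thread's real addresses are not on the page).
MGMT_NET = ipaddress.ip_network("10.0.10.0/24")   # management VLAN, client eth0
DATA_NET = ipaddress.ip_network("10.0.20.0/24")   # data VLAN, client eth1
MGMT_GW = "10.0.10.1"                              # pfSense address on the management VLAN
CLIENT_IP = "10.0.10.50"                           # client's management address
EXTERNAL_SRC = "203.0.113.5"                       # an arbitrary outside ssh source

# The client's routing table as described in the thread:
# default via eth1, management subnet via eth0, data subnet via eth1.
CLIENT_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth1"),
    (MGMT_NET, "eth0"),
    (DATA_NET, "eth1"),
]

def egress_interface(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def outbound_nat(pkt, egress_iface, rules):
    """Model of outbound NAT: rewrite the *source* of a packet that is leaving
    egress_iface when a rule bound to that interface matches its dest port.
    A rule bound to some other interface never fires for this packet."""
    for rule in rules:
        if rule["iface"] == egress_iface and pkt["dport"] == rule["dport"]:
            return {**pkt, "src": rule["nat_addr"]}
    return pkt

def client_reply_interface(pf_egress_iface, rules):
    """Forward an external ssh packet to the client out pf_egress_iface, then
    ask the client's routing table which interface the reply would leave on."""
    pkt = {"src": EXTERNAL_SRC, "dst": CLIENT_IP, "dport": 22}
    forwarded = outbound_nat(pkt, pf_egress_iface, rules)
    return egress_interface(forwarded["src"])

# Hypothetical rule bound to the WAN interface (as tried in the thread) versus
# one bound to the management-side interface the packet actually leaves through.
RULE_ON_WAN = [{"iface": "WAN", "dport": 22, "nat_addr": MGMT_GW}]
RULE_ON_MGMT = [{"iface": "MGMT", "dport": 22, "nat_addr": MGMT_GW}]

def demo():
    return {
        "no_nat": client_reply_interface("MGMT", []),
        "rule_on_wan": client_reply_interface("MGMT", RULE_ON_WAN),
        "rule_on_mgmt": client_reply_interface("MGMT", RULE_ON_MGMT),
    }
```

With no translation, or with the rule bound to an interface the packet does not exit, the client still sees the outside source and sends its reply via the default route on eth1; only when the source is rewritten to an address inside the management subnet does the reply leave via eth0.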
