Is changing the localhost (127.0.0.1) gateway possible?



  • Hi guys, I have a question out of curiosity more than anything. In the manual/advanced NAT tab of my firewall I have a default rule for localhost (127.0.0.1) that shows localhost traffic is routed out the WAN gateway by default. I am not currently having any issues with this but I was wondering if it is possible to change the localhost gateway? Localhost is not listed as an interface so policy routing is not possible via the interfaces tab or the floating rules tab. I'm aware floating rules can filter traffic from the firewall itself but can they route traffic from it?



  • It uses the default gateway.
    You may set another gateway as default if you want.


  • Rebel Alliance Developer Netgate

    Outbound NAT does not influence where traffic goes. It only defines what happens to traffic which happens to exit out those interfaces.

    So those rules do not tell traffic from localhost to exit WAN.
    They say "If traffic from localhost happens to exit WAN, then apply this translation."

    Routing is controlled by gateways, under System > Routing.



  • Hi, yes I'm aware of this. I just noticed that the localhost NAT rule allows traffic out the WAN interface by default. I just wondered if there was a way to route the traffic out a different interface and change/add the NAT rule accordingly.


  • Rebel Alliance Developer Netgate

    NAT rules do not allow traffic. See my previous reply.

    If you want to route traffic out another interface, then use gateways/routing to do it.

    If the other interface is properly configured as a WAN (that is, has a gateway set on its interface configuration), then automatic outbound NAT should set up rules for it automatically. You should not need to touch anything in outbound NAT if it's on automatic. If you are on manual outbound NAT, then you may need to copy the existing localhost rules to the new WAN. But in most cases that's not necessary.

    Also traffic from the firewall itself is not typically sourced from "localhost". That rule is there to ensure that should it happen to be, that it gets NAT applied.



  • @jimp I read your previous reply. I'm aware NAT rules can't direct traffic in any way, shape or form. What I meant by allow was that if there is no translation in place for the localhost interface then traffic cannot leave that interface. My question was never about influencing traffic using NAT rules. I just made my assumption that the pfSense routes localhost traffic out the WAN because it had a default NAT rule for the localhost IP address that showed that localhost traffic happens to exit WAN. What I asked was "I'm aware floating rules can filter traffic from the firewall itself but can they route traffic from it?" I'm not sure where all this routing traffic using NAT rules has come from.


  • Rebel Alliance Developer Netgate

    > What I meant by allow was that if there is no translation in place for the localhost interface then traffic cannot leave that interface.

    But it can. It just won't have its source translated.

    > I just made my assumption that the pfSense routes localhost traffic out the WAN because it had a default NAT rule for the localhost IP address that showed that localhost traffic happens to exit WAN.

    Yes, and that's what I was saying isn't right.

    > I'm aware floating rules can filter traffic from the firewall itself but can they route traffic from it?

    Policy routing rules won't have a useful effect on traffic from the firewall itself, hence my saying you need to control traffic using gateways and routes under System > Routing.



  • So I would be wrong to assume that pfSense by default routes localhost traffic (if any) out the WAN after noticing the default NAT rule for localhost in place? Sorry I'm just completely confused here. Why would there be such a rule in place if localhost traffic doesn't leave via that gateway by default?

    But if I deleted the NAT rule on my LAN interface I would not have access to the internet. Does this mean traffic still leaves the WAN interface regardless if there is a NAT rule in place, just that it has no route back?

    I'm not sure if it comes across like I'm trying to argue with you - I'm not. You are considerably more knowledgeable on this, I'm just trying to learn.


  • Rebel Alliance Developer Netgate

    @Jimbo123 said in Is changing the localhost (127.0.0.1) gateway possible?:

    > So I would be wrong to assume that pfSense by default routes localhost traffic (if any) out the WAN after noticing the default NAT rule for localhost in place? Sorry I'm just completely confused here. Why would there be such a rule in place if localhost traffic doesn't leave via that gateway by default?

    You are drawing incorrect assumptions about NAT and routing here. Just because a NAT rule exists doesn't mean any traffic would ever hit it. It's there in case it does, but one doesn't necessarily imply the other. You could have NAT rules for every interface if you like, but they may never be utilized. If you want to know how traffic is routed, the only way to know that is via routing.

    So you may have reached a correct conclusion by accident.

    > But if I deleted the NAT rule on my LAN interface I would not have access to the internet.

    The NAT rule for the LAN network(s), not on the LAN interface, but (probably) correct.

    > Does this mean traffic still leaves the WAN interface regardless if there is a NAT rule in place, just that it has no route back?

    That is up to your upstream. The traffic exits the WAN no matter what, unless your LAN or floating rules block it. In most cases the traffic would be dropped since the upstream doesn't know about your LAN subnets. If the upstream router was set up with its own NAT and routing back, then it would still function. People use pfSense in this kind of scenario as an internal router with NAT disabled all the time.

    > I'm not sure if it comes across like I'm trying to argue with you - I'm not. You are considerably more knowledgeable on this, I'm just trying to learn.

    Sure, and I'm just trying to inform. It's a common misconception that NAT has any influence here, getting over that hurdle early is best.



  • @jimp "It's a common misconception that NAT has any influence here, getting over that hurdle early is best." I'm glad you brought it up, I've got the answer to my original question and I've learned how NAT actually works which was something I thought I already knew. Thanks @jimp
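
The order of operations discussed in this thread, as an added example that is not part of the original posts and is not pfSense or pf code: a simplified model in which the routing table alone picks the egress interface, and outbound NAT is only checked afterwards against that interface. The interface names, addresses and rule tables are constructed assumptions.

```python
import ipaddress

# Constructed sample state: interface names and addresses are assumptions.
ROUTES = [                       # (destination prefix, egress interface)
    ("0.0.0.0/0", "wan"),        # default gateway (System > Routing)
    ("192.168.1.0/24", "lan"),
]
NAT_RULES = [                    # (egress interface, source prefix, translated source)
    ("wan", "127.0.0.0/8", "203.0.113.10"),
    ("wan", "192.168.1.0/24", "203.0.113.10"),
]

def egress_interface(dst, routes):
    """Longest-prefix match on the destination only; NAT rules are never consulted."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def outbound_nat(src, iface, nat_rules):
    """Translate the source only if a rule exists for the interface already chosen."""
    addr = ipaddress.ip_address(src)
    for rule_if, prefix, translated in nat_rules:
        if rule_if == iface and addr in ipaddress.ip_network(prefix):
            return translated
    return src                   # no matching rule: the packet still leaves, untranslated

def forward(src, dst, routes, nat_rules):
    """Return (egress interface, source address on the wire), or None if unroutable."""
    iface = egress_interface(dst, routes)
    return None if iface is None else (iface, outbound_nat(src, iface, nat_rules))

if __name__ == "__main__":
    dst = "198.51.100.7"
    # Default gateway is WAN, so the localhost NAT rule on WAN happens to match.
    print(forward("127.0.0.1", dst, ROUTES, NAT_RULES))
    # Default gateway moved to a second WAN: the WAN rule is never hit, and with
    # manual outbound NAT nothing translates until the rule is copied to wan2.
    wan2 = [("0.0.0.0/0", "wan2")] + ROUTES[1:]
    print(forward("127.0.0.1", dst, wan2, NAT_RULES))
    # LAN NAT rule deleted: traffic still exits WAN, with its private source address.
    print(forward("192.168.1.50", dst, ROUTES, NAT_RULES[:1]))
```

Firewall rules and policy routing are left out of the model; it only shows that deleting or adding a NAT rule changes the source address seen upstream, never the interface the packet leaves on.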

