migrating NAT rules from Sonicwall to PfSense, how to NAT an origin/destination address

  • Hi all,

    I've been tasked with migrating a Sonicwall firewall to a PfSense for a SMB.
    I am a bit confused by how to migrate certain NAT rules.

    I have the following Sonicwall NAT rule (this is from an excel file I made, it's not from the Sonicwall interface, all the field names are correct):
    Sonicwall NAT rule

    The way I read that rule what it does is for a bunch of mail domains they send emails through it translates them to their ISP smtp mail server address, that's what the alias "alias for a single mail server" is.
    It also translates the origin address to the "X1 IP", which is the IP address on the Sonicwall interface connected to that ISP router. (they have two ISP)

    At first I thought I could just make an outbound NAT rule on pfsense and put in the alias for the single mail server in the "Translation" field, but after reading the pfsense documentation on NAT I realized I'm mistaken.

    I need to translate a bunch of destination FQDN/IP to a single one given a match on a port (the alias "SMTP (Send E-mail)" is for tcp 25) and at the same time I need to translate the origin IP to route those connections through a certain WAN interface on the pfsense.

    how would I go about doing that on pfsense?

    do know that I'm very new in this field, this is my first IT job altough IT has been a passion of mine for 15years, I haven't received any formal training, I do have senior IT staff at my firm to ask to but they're very much swamped and I somehow need to write these rules, they will be checked before deploying the pfsense box but I do want to make a good job and since we're talking about 110 NAT rules (and 415 firewall rules) I really don't want to misunderstand the logic I need to apply to get what we need and have to redo it all over again.

    thanks for the help folks!

  • I'm not familiar with Sonicwall, however, as I understand that rule, it defines an S-NAT and D-NAT rule in only one line.
    In pfSense you have to split these roles. Add a NAT portforwarding rule for translating the destination address to the proper incoming interface. And also add an Outbound NAT rule for tranlating the source address to the outgoing interface.

  • @viragomann yes, that is what that rule is doing on the sonicwall, s-nat and d-nat on the same rule while also matching a port/service.

    as you suggested the way to do that on pfsense is to use both port forward and outbound nat to achieve the same.

    the thing is: there's hundreds of those rules, and they will need to be maintained in the future, effectively doubling each sonicwall rule while migrating them to pfsense will make maintenance much harder.

    My IT manager suggested looking at using 1:1 NAT rules and dealing with service/port matching in a different ways, maybe something can be done to effectively do that using firewall rules or policy routing.
    I'm in the process of exploring those options on a test deployment in our lab, any suggestion towards that would be greatly appreciated.

Log in to reply