• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

NAT Reflection on the WAN interface (packet with WAN IP as source)

Scheduled Pinned Locked Moved NAT
6 Posts 2 Posters 635 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    squintgod
    last edited by squintgod Mar 29, 2020, 12:47 AM Mar 29, 2020, 12:32 AM

    Hey, I started using pfSense recently, after many years just using my ISP provided router (Technicolor TG789vac v2) and I noticed something weird.
    When I started reading about Port Forwarding and NAT Reflection, the consensus seems to be that the only way to do it, necessitates that the target system (Server) will always see the Router as the source of the packets sent by a Client in the same network, as described by the pink path in the attached image. (When using the public address)

    Schematic

    However, in all these years, I had grown used to the Client seeing the packets as originating from the Public Address, as described by the green path in the image.

    How do these consumer routers achieve this, and can this be replicated in pfSense? (or PF in general)
    This is a bit of an academic scenario, but I appreciate any help or reading suggestions. Thanks!

    TL;DR: Can pfSense hairpin nat on the wan interface?

    1 Reply Last reply Reply Quote 0
    • V
      viragomann
      last edited by Mar 29, 2020, 4:21 PM

      I can't get an idea what's this good for.
      The NAT reflection aims that response packets are addressed back to pfSense, so it can direct them back to the origin device. It doesn't matter if the packets are addressed to the WAN or LAN IP, they will go back to pfSense.

      What source address the packets get is no issue of the path they are going through pfSense, but of NAT.
      So if you really want to have them the WAN address as source, simply add an outbound NAT rule to translate properly.

      S 1 Reply Last reply Mar 29, 2020, 8:18 PM Reply Quote 0
      • S
        squintgod
        last edited by Mar 29, 2020, 8:08 PM

        This post is deleted!
        1 Reply Last reply Reply Quote 0
        • S
          squintgod @viragomann
          last edited by squintgod Mar 29, 2020, 8:19 PM Mar 29, 2020, 8:18 PM

          @viragomann Mostly academic, my previous ISP-issued router worked that way, and I had always taken it for granted.
          So it got me curious about if it is possible to replicate that behavior with pfSense or pf.
          I tried the outgoing rules, I even went and changed the /etc/inc/filter.inc file (that generates the reflection rules) to force the automatic port forward reflection rules to point to the WAN IP.

          rdr on vtnet1 proto tcp from any to WAN_IP port 22 -> SSH_SERVER
          no nat on vtnet1 proto tcp from (vtnet1) to SSH_SERVER port 22
          nat on vtnet1 proto tcp from PRIVATE_NET to SSH_SERVER port 22 -> LAN_IP port 1024:65535
          

          to

          rdr on vtnet1 proto tcp from any to WAN_IP port 22 -> SSH_SERVER
          no nat on vtnet1 proto tcp from (vtnet1) to SSH_SERVER port 22
          nat on vtnet1 proto tcp from PRIVATE_NET to SSH_SERVER port 22 -> WAN_IP port 1024:65535
          

          But it doesn't work. I'm assuming the NAT state is either not shared across interfaces or something...

          1 Reply Last reply Reply Quote 0
          • V
            viragomann
            last edited by Mar 29, 2020, 8:28 PM

            No, it's the Outbound NAT (S-NAT or masquerading) which has to be adapted.
            Firewall > NAT > Outbound

            Never tested this, cause as stated above, that makes no sense for me. However, you may give it a try.
            If your outbound NAT is in automatic mode switch into hybrid and save that setting.
            Add a rule:
            interface: LAN
            source: LAN net
            destination: LAN net or a specific IP
            translation: WAN address

            S 1 Reply Last reply Mar 29, 2020, 8:42 PM Reply Quote 0
            • S
              squintgod @viragomann
              last edited by squintgod Mar 29, 2020, 8:42 PM Mar 29, 2020, 8:42 PM

              @viragomann I think that's what NAT is on pf, DNAT is rdr (change destination ip and keep source).
              If I create an outbound rule, the resulting pf rule in /tmp/rules.debug is:

              nat on $LAN inet proto tcp from LAN_NET/16 to LAN_IP/32 port 22 -> WAN_IP/32 port 1024:65535
              

              Which doesn't work. Interestingly, if I change the mask of the translation address to WAN_IP/24, it works, but the last octet of the public ip will be wrong (it will round robin over that /24 net).
              It also works if I set the translation IP to any other IP in the WAN_NET except the actual WAN_IP.

              1 Reply Last reply Reply Quote 0
              6 out of 6
              • First post
                6/6
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                This community forum collects and processes your personal information.
                consent.not_received