NAT Outbound WAN IP X to WAN IP Y not working [solved]
-
Hi,
Running pfSense+ 21.05.1 on XG-7100-1U, and need the simplest of tasks done with SNAT. I have traffic coming out of the WAN interface with public Virtual IPv4 X, and I need those packets to be sent to the internet as public IPv4 Y.
IP Y isn't configured on the system, neither as a VIP nor anything else, and must NOT be so. The traffic is reaching the destination over the Internet as expected (so not a firewall rule problem), only thing is, it's still having the IP X as the source, not Y. Both X and Y are my public IPs given to me by my ISP.
Traffic of IP X is coming from a package running on the same pfSense box. I cannot use an internal/lan/127.0.0.1 to IP Y rule, because only IP X needs to be affected.
I currently have only manual NAT outbound rules set. Here's the rule I thought could tackle this:
Don't worry, those are placeholder IPs.
The other rules I have setup for SNAT are working fine, e.g. :
What am I missing? Seems this could be resolved so simply with a simple iptables rule.
Thanks for the help,
-
@sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:
Don't worry, those are placeholder IPs.
At least for the internal networks there is no need for hiding them, but it makes it impossible to verify the rule set.
And you should show your whole outbound NAT rule set, not only single rules.
-
-
@sophiamarchildon
Is the last rule that one you're talking about?
Does it really have a public source IP? If so, for what reason? Which of the translation addresses is X, and which is Y?
-
It's the last rule I'm talking about.
It has a public source IP because when it goes out the WAN interface, it must have a public source IP to be routable on the Internet, no? The pfSense is simply replying to the incoming request destined to that same IP. Requests from clients come to IP X, then pfSense replies as IP X, just as in any IP packet exchange.
But I need it to reply as IP Y. The reasoning behind why I need this specific setup is not the question here; it's how do you do such a simple NAT rule with pfSense?
In the example given, X is 1.1.1.1, and Y is 1.1.1.2.
Thanks for your inputs,
-
@sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:
It has a public source IP because when it goes out the WAN interface, it must have a public source IP to be routable on the Internet, no?
Yes, but the public source IP pfSense uses, when it is sending out a packet, is the translation address in the outbound NAT rule. The rule can be restricted to specific sources and destinations though, but usually the source is inside your network and consequently a private network.
The only meaningful reason for using a public source is when you forward traffic originally destined to you to another destination on the internet.
@sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:
But I need it to reply as IP Y.
Replies cannot be controlled by outbound NAT rules. pfSense automatically uses the original destination IP as source when replying, based on its state table.
-
Let's say someone on the internet from IP Z sends a DNS query to my pfSense's publicly open DNS resolver on public IPv4 X; the reply will emanate from the pfSense itself, with source IP X, will it not? There is no source inside my network like in all the other NAT rules listed. It doesn't come from a routed/forwarded packet, right?
I want the DNS response to be sent as originating from Y instead of X to the destination Z. And I know pfSense can swap a source IP for another, because it changes the source of the outgoing packet if it comes from one of the internal networks (e.g. 10.0.0.0/16). So why can it not just rewrite X as Y, the same way it does 10.0.A.B to C?
In iptables, you would do a one-liner similar to:
iptables -t nat -A POSTROUTING -o WAN1 -s X -j SNAT --to-source Y
Bam! Every single packet coming out of WAN1 with source IP X would be rewritten as source IP Y. Simple, no? Is there something super obvious I'm missing?
-
@sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:
Let's say someone on the internet from IP Z sends a DNS query to my pfSense's publicly open DNS resolver on public IPv4 X; the reply will emanate from the pfSense itself, with source IP X, will it not? There is no source inside my network like in all the other NAT rules listed. It doesn't come from a routed/forwarded packet, right?
I want the DNS response to be sent as originating from Y instead of X to the destination Z.
If pfSense did this, the DNS client would ignore and drop the response packet. If it is requesting X, it is awaiting a response from X and will ignore any other source IP.
@sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:
And I know pfSense can swap a source IP for another, because it changes the source of the outgoing packet if it comes from one of the internal networks (e.g. 10.0.0.0/16). So why can it not just rewrite X as Y, the same way it does 10.0.A.B to C?
Again, outbound NAT only affects outgoing connections, i.e. connections initiated inside your network, but not replies to outside-initiated connections.
It's not possible to translate the source address in reply packets to anything other than the original destination address of the request packet, due to the above mentioned reason. You can translate the source though, when you forward the packet to another destination, but not in replies.
@sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:
iptables -t nat -A POSTROUTING -o WAN1 -s X -j SNAT --to-source Y
Bam! Every single packet coming out of WAN1 with source IP X would be rewritten as source IP Y. Simple, no? Is there something super obvious I'm missing?
This is exactly what outbound NAT does. But I don't believe that iptables S-NATs reply packets.
-
@viragomann said in NAT Outbound WAN IP X to WAN IP Y not working:
If pfSense would do this, the DNS client would ignore and drop the response packet. If he is requesting X, hence he is awaiting a response from X and will ignore any other source IP.
I know in that simple case it wouldn't work, but that's what needs to be done in my setup. It's an ugly workaround for a problem we currently have.
I think I've found my mistake. In my case, random Z is sending pfSense box Y a request, that request is DNAT'd and forwarded to the pfSense box X. Both X and Y share the same firewall states via pfSync. So I thought, as X is aware in its states of box Y's DNAT, it would simply follow it back with the auto-SNAT, just as with any other normal NAT rule.
But X doesn't take Y's DNAT into account, and instead replies directly to Z, bypassing Y, so it cannot be auto-SNAT'd back to source Y. So that's why I wanted to force the rewriting of X to Y using my own DNAT rule. It'd be nice if we could do that too.
What I need to do on box Y is to add a VIP of W, and SNAT Z to W along DNAT Y to X. Then X would reply to W which would be SNAT'd back to source Y and DNAT'd back to destination Z.
Thanks for the support @viragomann. Have a nice day!
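An added example, not from the thread and not pfSense code: a small Python model of stateful NAT that shows viragomann's point that replies are reversed from the state table rather than matched against outbound NAT rules, and why the final fix (VIP W on box Y, SNAT Z to W alongside DNAT Y to X) makes X's reply come back through Y instead of going straight to Z. The addresses, the NatBox class and the rule dictionaries are constructed for the illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst")
# Constructed placeholder addresses: X, Y, W are the firewalls' public IPs, Z the client.
X, Y, W, Z = "1.1.1.1", "1.1.1.2", "1.1.1.3", "203.0.113.9"


class NatBox:
    """Minimal stateful NAT box: inbound DNAT (rdr) plus SNAT on the forwarded packet.
    Replies never consult the rules; they are reversed from the state table."""

    def __init__(self, ip, rdr=None, snat=None):
        self.ip = ip
        self.rdr = rdr or {}    # {original dst: new dst}
        self.snat = snat or {}  # {new dst: new src}, hypothetical rule shape
        self.states = {}        # (translated src, translated dst) -> (orig src, orig dst)

    def forward(self, pkt):
        # A reply to a translated flow: undo both translations via the state entry.
        if (pkt.dst, pkt.src) in self.states:
            osrc, odst = self.states[(pkt.dst, pkt.src)]
            return Pkt(odst, osrc)
        if pkt.dst not in self.rdr:
            return pkt          # nothing to translate
        new_dst = self.rdr[pkt.dst]
        new_src = self.snat.get(new_dst, pkt.src)
        self.states[(new_src, new_dst)] = (pkt.src, pkt.dst)
        return Pkt(new_src, new_dst)


def serve(server_ip, pkt):
    """Host X answers a request: the reply is the request with src/dst swapped,
    which is why an outbound NAT rule 'from X -> Y' on X never applies to it."""
    return Pkt(server_ip, pkt.src)


def simulate(box_y):
    """Trace the request Z -> Y through box Y to host X and back as (hop, packet) pairs."""
    trace = []
    p = box_y.forward(Pkt(Z, Y))
    trace.append(("Y forwards to X", p))
    r = serve(X, p)
    trace.append(("X replies", r))
    if r.dst in (Y, W):         # only packets addressed to Y (or its VIP W) pass Y again
        r = box_y.forward(r)
        trace.append(("Y un-NATs to Z", r))
    return trace


def client_sees_reply_from_y(box_y):
    """True when Z receives the answer from Y, the address it actually queried."""
    return simulate(box_y)[-1][1] == Pkt(Y, Z)
```

With DNAT only, the trace ends with X replying directly to Z; with the added SNAT to W, X replies to W and box Y's state entry turns that back into Y -> Z.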