Netgate Discussion Forum

    NAT Outbound WAN IP X to WAN IP Y not working [solved]

    SophiaMarchildon (last edited by stephenw10):

      Hi,

      Running pfSense+ 21.05.1 on an XG-7100-1U, and I need the simplest of tasks done with SNAT. I have traffic coming out of the WAN interface with public Virtual IPv4 X, and I need those packets to be sent to the internet as public IPv4 Y.

      IP Y isn't configured on the system, neither as a VIP nor anything else, and must NOT be so. The traffic is reaching the destination over the Internet as expected (so not a firewall rule problem), only thing is, it's still having the IP X as the source, not Y. Both X and Y are my public IPs given to me by my ISP.

      Traffic of IP X is coming from a package running on same pfSense box. I cannot use an internal/lan/127.0.0.1 to IP Y rule, because only IP X needs to be affected.

      I currently have only manual NAT outbound rules set. Here's the rule I thought could tackle this:

      [screenshot: NAT Rule]

      Don't worry, those are placeholder IPs.

      The other rules I have set up for SNAT are working fine, e.g.:

      [screenshot: Working NAT Rule]

      What am I missing? Seems this could be resolved so simply with a simple iptables rule.

      Thanks for the help,

      viragomann @SophiaMarchildon:

        @sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:

        Don't worry, those are placeholder IPs.

        At least for the internal networks there is no need for hiding them, but it makes it impossible to verify the rule set.
        And you should show your whole outbound NAT rule set, not only single rules.

        SophiaMarchildon @viragomann:

          @viragomann

          Here you go:

          [screenshot: Complete SNAT Rules]

          viragomann @SophiaMarchildon:

            @sophiamarchildon
            Is the last rule the one you're talking about?
            Does it really have a public source IP? If so, for what reason?

            Which of the translation addresses is X, and which is Y?

            SophiaMarchildon @viragomann:

              @viragomann

              It's the last rule I'm talking about.

              It has a public source IP because when it goes out the WAN interface, it must have a public source IP to be routable on the Internet, no? The pfSense is simply replying to the incoming request destined to that same IP. Requests from clients come to IP X, then pfSense replies as IP X, just as in any IP packet exchange.

              But I need it to reply as IP Y. The reasoning behind why I need this specific setup is not the question here; it's how do you do such a simple NAT rule with pfSense?

              In the example given, X is 1.1.1.1, and Y is 1.1.1.2.

              Thanks for your inputs,

              viragomann @SophiaMarchildon:

                @sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:

                It has a public source IP because when it goes out the WAN interface, it must have a public source IP to be routable on the Internet, no?

                Yes, but the public source IP pfSense uses when it is sending out a packet is the translation address in the outbound NAT rule. The rule can be restricted to specific sources and destinations though, but usually the source is inside your network and consequently a private network.

                The only meaningful reason for using a public source is when you forward traffic originally destined to you to another destination on the internet.

                @sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:

                But I need it to reply as IP Y.

                Replies cannot be controlled by outbound NAT rules. pfSense automatically uses the original destination IP as the source when replying, based on its state table.

                SophiaMarchildon @viragomann:

                  @viragomann

                  Let's say someone on the internet from IP Z sends a DNS query to my pfSense's publicly open DNS resolver on public IPv4 X; the reply will emanate from the pfSense itself, with source IP X, will it not? There is no source inside my network like in all the other NAT rules listed. It doesn't come from a routed/forwarded packet, right?

                  I want the DNS response to be sent as originating from Y instead of X to the destination Z. And I know pfSense can swap a source IP for another, because it changes the source of the outgoing packet if it comes from one of the internal networks (e.g. 10.0.0.0/16). So why can it not just rewrite X as Y, the same way it does 10.0.A.B to C?

                  In iptables, you would do a one-liner similar to:

                  iptables -t nat -A POSTROUTING -o WAN1 -s X -j SNAT --to-source Y

                  Bam! Every single packet coming out of WAN1 with source IP X would be rewritten as source IP Y. Simple, no? Is there something super obvious I'm missing?

                  viragomann @SophiaMarchildon:

                    @sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:

                    Let's say someone on the internet from IP Z sends a DNS query to my pfSense's publicly open DNS resolver on public IPv4 X; the reply will emanate from the pfSense itself, with source IP X, will it not? There is no source inside my network like in all the other NAT rules listed. It doesn't come from a routed/forwarded packet, right?
                    I want the DNS response to be sent as originating from Y instead of X to the destination Z.

                    If pfSense did this, the DNS client would ignore and drop the response packet. If it is requesting X, it is awaiting a response from X and will ignore any other source IP.

                    @sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:

                    And I know pfSense can swap a source IP for another, because it changes the source of the outgoing packet if it comes from one of the internal networks (e.g. 10.0.0.0/16). So why can it not just rewrite X as Y, the same way it does 10.0.A.B to C?

                    Again, outbound NAT only affects outgoing connections, i.e. connections initiated inside your network, but not replies to connections initiated from outside.
                    It's not possible to translate the source address in reply packets to anything other than the original destination address of the request packet, for the reason mentioned above.

                    You can translate the source, though, when you forward the packet to another destination, but not in a reply.

                    @sophiamarchildon said in NAT Outbound WAN IP X to WAN IP Y not working:

                    iptables -t nat -A POSTROUTING -o WAN1 -s X -j SNAT --to-source Y
                    Bam! Every single packet coming out of WAN1 with source IP X would be rewritten as source IP Y. Simple, no? Is there something super obvious I'm missing?

                    This is exactly what outbound NAT does. But I don't believe that iptables SNATs reply packets either.

                    SophiaMarchildon @viragomann:

                      @viragomann said in NAT Outbound WAN IP X to WAN IP Y not working:

                      If pfSense did this, the DNS client would ignore and drop the response packet. If it is requesting X, it is awaiting a response from X and will ignore any other source IP.

                      I know in that simple case it wouldn't work, but that's what needs to be done in my setup. It's an ugly workaround for a problem we currently have.

                      I think I've found my mistake. In my case, random Z sends a request to pfSense box Y; that request is DNAT'd and forwarded to the pfSense box X. Both X and Y share the same firewall states via pfsync. So I thought, as X is aware in its states of box Y's DNAT, it would simply follow it back with the auto-SNAT, just as any other normal NAT rule.

                      But X doesn't take Y's DNAT into account, and instead replies directly to Z, bypassing Y, so it cannot be auto-SNAT'd back to source Y. So that's why I wanted to force the rewriting of X to Y using my own DNAT rule. It'd be nice if we could do that too.

                      What I need to do on box Y is to add a VIP of W, and SNAT Z to W along DNAT Y to X. Then X would reply to W which would be SNAT'd back to source Y and DNAT'd back to destination Z.

                      Thanks for the support @viragomann. Have a nice day!

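The two points this thread turns on, modelled as an added example (not pfSense or Netgate code, and not the poster's rule set): first, viragomann's explanation that a reply packet's source is taken from the state table and outbound NAT only touches new connections, so the X -> Y rule on box X never changes the answer to Z's query; second, the two-box setup in the last post, where Y port-forwards Z's query to X and the answer only comes back through Y once Y also SNATs the forwarded query to a VIP W it owns. X = 1.1.1.1 and Y = 1.1.1.2 are the thread's placeholder addresses; Z (the outside client) and W (the VIP on Y), the port numbers and the 10.0.0.0/16 -> X rule (standing in for "10.0.A.B to C") are constructed values. The `Router` class is a deliberately small model of pf behaviour (rdr before nat, state lookup before rules) and does not model pfsync or interface-bound states.

```python
# Added example, not pfSense or Netgate code: a toy stateful-NAT model that
# reproduces the two points in this thread. X = 1.1.1.1 and Y = 1.1.1.2 are the
# thread's placeholders; Z (the client) and W (the VIP the last post adds to Y)
# are constructed values.
import ipaddress
from dataclasses import dataclass

X, Y = "1.1.1.1", "1.1.1.2"
Z, W = "203.0.113.7", "1.1.1.3"   # constructed: outside client, new VIP on box Y


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


class Router:
    """pf-style box: port forwards (rdr/DNAT), outbound NAT (nat/SNAT) and a
    state table that reverses both translations on reply packets."""

    def __init__(self, local_ips, port_forwards=(), outbound_nat=()):
        self.local_ips = set(local_ips)
        # (public ip, port, forwarded-to ip)
        self.port_forwards = list(port_forwards)
        # (source network, destination ip or None for any, translated source)
        self.outbound_nat = [(ipaddress.ip_network(net), dst, new_src)
                             for net, dst, new_src in outbound_nat]
        # tuple a reply packet will carry -> original untranslated packet
        self.states = {}

    def forward(self, p):
        """Return the packet as it leaves the box (or as delivered to a local service)."""
        orig = self.states.get((p.src, p.dst, p.sport, p.dport))
        if orig is not None:
            # Reply to an existing state: undo both translations. Outbound NAT
            # rules are never consulted here, so X cannot be told to answer as Y.
            return Pkt(orig.dst, orig.src, orig.dport, orig.sport)
        dst = p.dst
        for pub_ip, port, target in self.port_forwards:   # rdr runs first, as in pf
            if (p.dst, p.dport) == (pub_ip, port):
                dst = target
                break
        src = p.src
        if dst not in self.local_ips:                      # only traffic leaving the box
            for net, rule_dst, new_src in self.outbound_nat:
                if ipaddress.ip_address(p.src) in net and rule_dst in (None, dst):
                    src = new_src
                    break
        t = Pkt(src, dst, p.sport, p.dport)
        self.states[(t.dst, t.src, t.dport, t.sport)] = p
        return t


def client_accepts(query, reply):
    """A resolver client only accepts an answer from the address/port it asked."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (query.dst, query.dport, query.src, query.sport)


def sources_seen_from_box_x():
    """Part 1: X carries an outbound NAT rule X -> Y, yet the reply to Z's query
    still leaves as X; only new connections are translated."""
    x = Router(local_ips={X},
               outbound_nat=[("10.0.0.0/16", None, X),   # 10.0.A.B -> C (C = X in this model)
                             (X + "/32", None, Y)])      # the rule from the first post
    x.forward(Pkt(Z, X, 40000, 53))                   # query delivered to X's resolver, state created
    reply = x.forward(Pkt(X, Z, 53, 40000))            # resolver's answer: matched by state
    lan = x.forward(Pkt("10.0.4.2", Z, 50000, 443))    # LAN host opens a new connection
    own = x.forward(Pkt(X, Z, 50001, 53))              # X itself opens a new connection
    return {"reply": reply.src, "lan_client": lan.src, "own_connection": own.src}


def relay_through_y(snat_to_w):
    """Part 2 (last post): Z asks Y, Y port-forwards Y:53 to X. Without SNAT X
    answers Z directly and Z drops it; with SNAT to W the answer returns via Y."""
    y = Router(local_ips={Y, W} if snat_to_w else {Y},
               port_forwards=[(Y, 53, X)],
               outbound_nat=[("0.0.0.0/0", X, W)] if snat_to_w else [])
    x = Router(local_ips={X})
    q = Pkt(Z, Y, 40000, 53)
    at_x = x.forward(y.forward(q))
    from_x = x.forward(Pkt(at_x.dst, at_x.src, at_x.dport, at_x.sport))
    # X's answer only passes Y again if it is addressed to one of Y's own IPs.
    seen_by_z = y.forward(from_x) if from_x.dst in y.local_ips else from_x
    return seen_by_z, client_accepts(q, seen_by_z)


if __name__ == "__main__":
    print(sources_seen_from_box_x())   # reply keeps source X, own connection becomes Y
    print(relay_through_y(False))      # answer from X to Z, rejected by Z
    print(relay_through_y(True))       # answer from Y to Z, accepted
```

Running the script shows the three cases side by side: on box X the LAN client and X's own new connection are rewritten by the outbound NAT rules, while the answer to Z keeps source X because the state, not the rule, decides. In the relay case the missing piece is exactly the SNAT to W: without it, X's answer is addressed to Z and never crosses Y, so Z sees a reply from an address it never asked.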
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.