Netgate Discussion Forum
    DNAT confusion

    NAT
    3 Posts 2 Posters 344 Views
    keyframe

      Hello everyone,

      New to pfSense. Please bear with me.

      I have a piece of software that only communicates on one port [4172]. This piece of software is running on several machines on NetworkA. NetworkA is behind a firewall that has SNAT rules (that have been tested and shown to work) that redirect traffic from NetworkA's WAN on ports 6666-6670 to the appropriate machine's port 4172 inside NetworkA.

      I'm currently inside NetworkB, behind a pfSense firewall, attempting to redirect packets destined to [fictitious IP address] 1.1.1.1 to NetworkA's public IP, at port 6666.

      Using a different OpenWrt firewall I was able to get this to work using the following rules:

      iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 -d 1.1.1.1 --dport 4172 -j DNAT --to [**NetworkA Public IP**]:6666
      iptables -t nat -A PREROUTING -p udp -s 0.0.0.0/0 -d 1.1.1.1 --dport 4172 -j DNAT --to [**NetworkA Public IP**]:6666
      

      I've attempted outbound NAT and port forwarding rules, but no joy, so clearly I'm doing something wrong.

      Any insight would be most appreciated.

      Best,

      G

      viragomann @keyframe

        @keyframe said in DNAT confusion:

        Using a different OpenWrt firewall I was able to get this to work using the following rules:
        iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 -d 1.1.1.1 --dport 4172 -j DNAT --to [NetworkA Public IP]:6666
        iptables -t nat -A PREROUTING -p udp -s 0.0.0.0/0 -d 1.1.1.1 --dport 4172 -j DNAT --to [NetworkA Public IP]:6666

        This only works in conjunction with a masquerading rule, replacing the source IP in forwarded packets with the outbound interface IP.
        Maybe OpenWrt does the masquerading on all traffic, but pfSense does this on locally configured subnets only by default.

        So you can do the forwarding with a port forwarding rule:
        interface: WAN or whatever the traffic is coming in
        protocol: TCP/UDP
        source: any
        destination IP: 1.1.1.1
        dest port: 4172
        target IP: Network A IP
        target port:

        And for the masquerading you need to add an outbound NAT rule. Activate the hybrid mode, save and add a rule:
        interface: WAN or whatever the traffic is going out to A
        protocol: TCP/UDP
        source: any
        destination IP: Network A IP
        dest port: 6666
        translation: Interface address

          keyframe
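        As an added illustration (not from this thread and not pfSense's own generated ruleset), here is what the two GUI entries above amount to in FreeBSD/pfSense pf syntax, so the two-stage translation can be read in one place. Assumed values: em1 is the LAN interface the client sits on, em0 is the WAN, and 203.0.113.10 is a constructed stand-in for NetworkA's public IP.

```pf
# Assumed interface names and a constructed placeholder for NetworkA's public IP.
lan_if = "em1"
wan_if = "em0"
networkA_pub = "203.0.113.10"

# Port forward (Firewall > NAT > Port Forward).
# A client packet arriving on the LAN as
#   src 192.168.2.50:51000 -> dst 1.1.1.1:4172
# is rewritten before routing to
#   src 192.168.2.50:51000 -> dst 203.0.113.10:6666
rdr on $lan_if inet proto { tcp udp } from any to 1.1.1.1 port 4172 -> $networkA_pub port 6666

# Outbound NAT (Firewall > NAT > Outbound, hybrid mode).
# The same packet, now leaving the WAN, matches on its post-rdr destination and
# gets its source replaced by the WAN address:
#   src <em0 address>:<ephemeral> -> dst 203.0.113.10:6666
# NetworkA's firewall therefore answers an address it can route to, and pf's
# state table reverses both translations for the reply packets.
nat on $wan_if inet proto { tcp udp } from any to $networkA_pub port 6666 -> ($wan_if)
```

        The parenthesised `($wan_if)` is pf's "Interface address" translation: it tracks the interface's current address rather than a fixed one.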

          Thank you Viragomann,

          It worked -- though I did have to make a few unexpected tweaks (this is very likely due to my very incomplete understanding of what's actually going on here).

          For posterity, my settings are below:

          Port Forwarding Rule:
          interface: LAN2 (which is where my PCoIP device lives)
          protocol: TCP/UDP
          source: any
          dest IP: 1.1.1.1
          dest port: 4172
          target IP: NetworkA IP
          target port: 6666

          Outbound NAT Rule:
          interface: WAN
          source: any
          dest NETWORK: [upstream subnet ]
          dest port: [no such parameter for the network]
          translation: interface address

          My current setup is:

          ISP modem -> UDM Pro -> pfSense -> PCoIP zero client

          Thank you again for taking the time -- there is soooo much to learn!

          Best,

          G

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.