DNAT confusion
-
Hello everyone,
New to pfSense. Please bear with me.
I have a piece of software that only communicates on one port [4172]. This piece of software is running on several machines on NetworkA. NetworkA is behind a firewall that has SNAT rules (that have been tested and shown to work) that redirect traffic from NetworkA's WAN on ports 6666-6670 to the appropriate machine's port 4172 inside NetworkA.
I'm currently inside NetworkB, behind a pfSense firewall, attempting to redirect packets destined to [fictitious IP address] 1.1.1.1 to NetworkA's public IP, at port 6666.
Using a different openWRT firewall I was able to get this to work using the following rules:
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 -d 1.1.1.1 --dport 4172 -j DNAT --to [**NetworkA Public IP**]:6666
iptables -t nat -A PREROUTING -p udp -s 0.0.0.0/0 -d 1.1.1.1 --dport 4172 -j DNAT --to [**NetworkA Public IP**]:6666
I've attempted outbound NAT and port forwarding rules, but no joy, so clearly I'm doing something wrong.
Any insight would be most appreciated.
Best,
G
-
@keyframe said in DNAT confusion:
Using a different openWRT firewall I was able to get this to work using the following rules:
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 -d 1.1.1.1 --dport 4172 -j DNAT --to [NetworkA Public IP]:6666
iptables -t nat -A PREROUTING -p udp -s 0.0.0.0/0 -d 1.1.1.1 --dport 4172 -j DNAT --to [NetworkA Public IP]:6666
This only works in conjunction with a masquerading rule, replacing the source IP in forwarded packets with the outbound interface IP.
Maybe OpenWrt does the masquerading on all traffic, but pfSense does this on locally configured subnets only by default.
So you can do the forwarding with a port forwarding rule:
interface: WAN or whatever the traffic is coming in
protocol: TCP/UDP
source: any
destination IP: 1.1.1.1
dest port: 4172
target IP: Network A IP
target port:
And for the masquerading you need to add an outbound NAT rule. Activate the hybrid mode, save and add a rule:
interface: WAN or whatever the traffic is going out to A
protocol: TCP/UDP
source: any
destination IP: Network A IP
dest port: 6666
translation: Interface address
-
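To see why the port forward alone is not enough, here is a small added example (not code from the thread, pfSense or OpenWrt) that models the two translations Viragomann describes as a stateful NAT box: a destination NAT applied before routing, an optional source NAT applied after routing on the WAN, and the reverse mapping applied to the reply. It assumes the upstream router only hands replies back to destinations it has a route for, which is why a reply addressed to a LAN client behind pfSense is lost when the source was not rewritten. All addresses (the 192.168.2.10 client, the 192.168.1.50 WAN address, 203.0.113.10 as the stand-in for NetworkA's public IP) are constructed values.

```python
"""Model of a port forward (DNAT) plus outbound NAT (SNAT/masquerade) with
connection tracking, and of what the upstream router does with the reply.
Added example; every address is a constructed test value."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Minimal model of pf/netfilter NAT with a conntrack table."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.port_forwards = []   # (proto, dst, dport, to_ip, to_port): DNAT / rdr
        self.outbound_nat = []    # (proto, dst, dport): rewrite src to wan_ip
        self.conntrack = {}       # translated flow tuple -> original packet

    def add_port_forward(self, proto, dst, dport, to_ip, to_port):
        self.port_forwards.append((proto, dst, dport, to_ip, to_port))

    def add_outbound_nat(self, proto, dst, dport):
        self.outbound_nat.append((proto, dst, dport))

    def forward(self, pkt):
        """LAN -> WAN: DNAT first (pre-routing), then SNAT (post-routing)."""
        orig = pkt
        for proto, dst, dport, to_ip, to_port in self.port_forwards:
            if (pkt.proto, pkt.dst, pkt.dport) == (proto, dst, dport):
                pkt = replace(pkt, dst=to_ip, dport=to_port)
                break
        # Outbound NAT matches on the already rewritten destination, which is
        # why the outbound rule names NetworkA's IP and port 6666, not 1.1.1.1:4172.
        for proto, dst, dport in self.outbound_nat:
            if (pkt.proto, pkt.dst, pkt.dport) == (proto, dst, dport):
                pkt = replace(pkt, src=self.wan_ip)
                break
        self.conntrack[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = orig
        return pkt

    def reply(self, pkt):
        """WAN -> LAN: undo both translations for a reply to a tracked flow."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        orig = self.conntrack.get(key)
        if orig is None:
            return None   # no matching state: the reply is not translated back
        return Packet(pkt.proto, orig.dst, orig.dport, orig.src, orig.sport)


def upstream_delivers(reply, networks):
    """The next-hop router (assumed to behave like the UDM Pro in the thread)
    can only send the reply back toward the NAT box if the destination is in
    a network it has a route for. A LAN address behind pfSense is not."""
    ip = ipaddress.ip_address(reply.dst)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def run_flow(with_outbound_nat):
    # Constructed values: pfSense WAN sits on the upstream router's 192.168.1.0/24.
    box = NatBox(wan_ip="192.168.1.50")
    net_a_ip = "203.0.113.10"      # constructed stand-in for NetworkA's public IP
    box.add_port_forward("udp", "1.1.1.1", 4172, net_a_ip, 6666)
    if with_outbound_nat:
        box.add_outbound_nat("udp", net_a_ip, 6666)

    client = Packet("udp", "192.168.2.10", 50000, "1.1.1.1", 4172)
    out = box.forward(client)
    # NetworkA answers the packet it actually received, swapping the endpoints.
    reply = Packet("udp", out.dst, out.dport, out.src, out.sport)
    if not upstream_delivers(reply, ["192.168.1.0/24"]):
        return out, None
    return out, box.reply(reply)


if __name__ == "__main__":
    for flag in (False, True):
        out, back = run_flow(flag)
        print(f"outbound NAT={flag}: sent {out} -> client receives {back}")
```

With only the port forward, the packet leaves with the client's private source address, so NetworkA's answer is addressed to 192.168.2.10 and the upstream router has nowhere to send it. With the outbound NAT rule as well, the reply comes back to the WAN address, matches the tracked flow, and is delivered to the client as if it came from 1.1.1.1:4172.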
Thank you Viragomann,
It worked -- though I did have to make a few unexpected tweaks (this is very likely due to my very incomplete understanding of what's actually going on here).
For posterity, my settings are below:
Port Forwarding Rule:
interface: LAN2 (which is where my pcoip device lives)
protocol: TCP/UDP
source: any
dest IP: 1.1.1.1
dest port: 4172
target IP: NetworkA IP
target port: 6666
Outbound NAT Rule:
interface: WAN
source: any
dest NETWORK: [upstream subnet ]
dest port: [no such parm for the network]
translation: interface address
My current setup is:
isp modem -> udm pro -> pfsense -> pcoip zero client
Thank you again for taking the time -- there is soooo much to learn!
Best,
G