Netgate Discussion Forum
    How can I configure PFSense to enable full cone nat

Category: NAT
6 Posts, 2 Posters, 1.2k Views
insmod:

I need full cone NAT in pfSense. How can I make it?
I use 2.6.0-RELEASE (amd64) of it. Shall I patch the kernel or pf?

johnpoz (LAYER 8 Global Moderator) @insmod:

@insmod full cone is I believe another term for static NAT, i.e. the source port is not changed. So if your internal client uses source port 4444 when it creates the traffic, when pfSense NATs it, it would change the source port and use its wanIP:4444 as the source.

You can enable that in your outbound NAT: create a hybrid rule and set up whatever your source IP is to use static NAT.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

insmod @johnpoz:

@johnpoz is that right?
[attachment: fullcone.jpg]

johnpoz (LAYER 8 Global Moderator) @insmod:

@insmod easy enough to validate.

Look in your state table. Notice that the source port used on the public IP is different from what your client used. Now change it to static, then look at the new states being created. Is the source port the same as what the client used?

[attachment: staticnat.jpg]

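The check johnpoz describes (compare the public-side source port in the state table with the client's original port, before and after enabling Static Port) can be automated over `pfctl -ss` output. The script below is an added example, not code from the thread or from pfSense. It assumes the `pfctl -ss` line layout for an outbound translated state is `<if> <proto> <translated-src> (<original-src>) -> <dst> <state>`; the sample lines are constructed for the example, not captured from a real box. On pfSense the "Static Port" checkbox in an outbound NAT rule corresponds to pf's `static-port` keyword on the nat rule.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample in the layout of `pfctl -ss` (hypothetical, not captured output):
# an outbound NAT state shows the translated source, the original source in
# parentheses, "->", the destination, then the state pair. Line 3 is an inbound
# state ("<-") with no translation and is intentionally skipped by the parser.
SAMPLE_STATES = """\
all tcp 203.0.113.10:61234 (192.168.1.50:4444) -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:4444 (192.168.1.50:4444) -> 198.51.100.30:3478       MULTIPLE:MULTIPLE
all tcp 203.0.113.10:22 <- 198.51.100.40:50001       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:5060 (192.168.1.60:5060) -> 198.51.100.50:5060       MULTIPLE:SINGLE
"""

# Matches only outbound states that carry a translated source; the greedy \S+ followed
# by :\d+ splits "host:port" at the last colon, so bracketed IPv6 hosts work as well.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<nat_ip>\S+):(?P<nat_port>\d+)\s+"
    r"\((?P<orig_ip>\S+):(?P<orig_port>\d+)\)\s+->\s+"
    r"(?P<dst_ip>\S+):(?P<dst_port>\d+)"
)


@dataclass(frozen=True)
class NatState:
    proto: str
    orig_ip: str
    orig_port: int
    nat_ip: str
    nat_port: int
    dst_ip: str
    dst_port: int

    @property
    def port_preserved(self) -> bool:
        # Static-port NAT keeps the client's source port; default NAT picks a new one.
        return self.orig_port == self.nat_port


def parse_nat_states(text: str) -> list[NatState]:
    """Parse pfctl -ss style text, keeping only outbound translated states."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        states.append(NatState(
            proto=m["proto"],
            orig_ip=m["orig_ip"], orig_port=int(m["orig_port"]),
            nat_ip=m["nat_ip"], nat_port=int(m["nat_port"]),
            dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        ))
    return states


def audit_static_port(text: str) -> dict:
    """Count translated outbound states whose source port survived NAT unchanged.

    A rule marked Static Port should produce only "preserved" states; any entry in
    "rewritten_clients" is a client whose traffic is still being port-randomised.
    """
    states = parse_nat_states(text)
    preserved = [s for s in states if s.port_preserved]
    rewritten = [s for s in states if not s.port_preserved]
    return {
        "total": len(states),
        "preserved": len(preserved),
        "rewritten": len(rewritten),
        "rewritten_clients": sorted({f"{s.orig_ip}:{s.orig_port}" for s in rewritten}),
    }


if __name__ == "__main__":
    # Usage on a pfSense shell (as root): pfctl -ss | python3 thisfile.py -
    # With no argument the constructed sample above is used instead.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_STATES
    result = audit_static_port(text)
    print(f"{result['preserved']}/{result['total']} translated states kept the client port")
    for client in result["rewritten_clients"]:
        print(f"  source port rewritten for {client}")
```

Run it once with the default outbound rule and once after switching the rule to Static Port: the rewritten count should drop to zero for new states from the affected source network. Old states keep their original translation until they expire, so only freshly created states are meaningful for the comparison.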
insmod (last edited by insmod):

I find it's NAT3, Port Restricted NAT, but not NAT1, Full Cone NAT.

              https://reviews.freebsd.org/D11137
              https://forums.freebsd.org/threads/pf-submission-stuck-waiting-for-nearly-4-years.79052/

I found the FreeBSD developer did not want to commit the code; I thought we could commit the patch in pfSense ourselves.

insmod:

Quoted from the FreeBSD forum thread linked above:

    Bluntly, no.

    Not without a much better documented use case for this patch, along with tests and some sort of indications that the author (or someone...) will maintain it. Right now it is abandoned, and doesn't even apply any more.

    This patch makes fairly deep changes to the NAT code, changes which I currently do not understand and do not have the motivation or energy to study. If it gets committed and breaks something I'm going to be the one who has to fix it, so ... no, not unless someone can present a compelling case that this actually improves anything, that it is correct and that if there are issues they will work on them.

That is from the FreeBSD forum. I guess the pfSense guys can make it?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.