Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How do port forward negations work with 1:1 NAT?

    Scheduled Pinned Locked Moved NAT
    6 Posts 2 Posters 545 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • senseivitaS
      senseivita
      last edited by

      In a intranet-natting-proxy combo pfSense, 1:1 NAT rules don't seem to be overridden by No RDR as the docs say the should.

      The negated traffic rule is for the web traffic which is handled by in-firewall proxy listening on any address, thus in my theory if left untranslated the proxy should pick it right up, right? But that's not what happens. The docs don't specify if No RDR rules continue to take precedence over 1:1s.

      I fixed it by simply overriding the traffic forwarding it to the firewall itself — well, to a VIP address for the proxy to have a little extra flexibility in the future since I was gonna NAT anyway — but I think it was more elegant not forwarding it at all before it made it to the proxy.

      There's always the chance I forgot something too… made some mistake, whatever. The whole NAT ruleset is tiny, most of the work is in the reverse proxy thus it should be easy to spot, and yet I'm failing miserably. So, if you please, could you point it out if there's something wrong with it?

      Here's all the NAT:

      Thanks!

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

      DerelictD 1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate @senseivita
        last edited by Derelict

        @senseivita 1:1 NAT rules do not have any automatic firewall rule generation capabilities.

        If you use 1:1 NAT it is up to you to make the necessary firewall rules to pass inbound traffic.

        Port forwards will, by default, maintain these firewall rules automatically.

        Maybe that's the difference. The rules in this case would be on Firewall > Rules, BACKBONE and pass traffic to the destination POST-NAT address (The 1:1 internal address).

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        senseivitaS 1 Reply Last reply Reply Quote 0
        • senseivitaS
          senseivita @Derelict
          last edited by

          @Derelict That didn't even cross my mind when posting, fortunately because of <see-below>, I was forced to think about it when I originally did the rule set (rfc1918 is a huge misnomer. Here, it just means "known addresses"):

          What you mentioned about the automatically-maintained rules got me thinking though; OSPF rules wouldn't work if there was a higher, ultra-broad rfc1918 → * rule. There had to be an explicit rule for it or it wouldn't work. I don't know if it was the protocol or the multicast range, I was too sleep deprived already to keep going, but could there be some of that too with NAT?

          It's supposed to be basic, but for me, NAT (after multicast routing) is probably the most confusing thing to do, so I appreciate you answering even if it's not beyond of what you have, because you already indirectly helped me confirm some things. Thanks!

          Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

          DerelictD 1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate @senseivita
            last edited by

            @senseivita It is impossible for anyone to know what that rule set actually does without seeing the contents of those aliases too.

            @senseivita said in How do port forward negations work with 1:1 NAT?:

            (rfc1918 is a huge misnomer. Here, it just means "known addresses")

            It is whatever you define in the rfc1918 alias.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            senseivitaS 1 Reply Last reply Reply Quote 0
            • senseivitaS
              senseivita @Derelict
              last edited by

              @Derelict It's a misnomer only because it's much broader than than RFC1918, I thought it was implied with IPv6, sorry about that. rfc1918 is a network(s) type alias, including:

              • IPv4: Former classes A, B and C
              • IPv4: APIPA
              • IPv4: 2x public addresses
              • IPv6: 2x global /64s
              • IPv6: 1x global /48
              • IPv6: Unique local range
              • IPv6: Link-local range

              Though, it only needs to cover class A as you mentioned, the VIP address is the C range but the post-NAT is in the A. Everything is the A, C is for p2p soft-of-connections in /31s (tunnels) and /32s (VIPs, routed with OSPF).

              Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

              DerelictD 1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate @senseivita
                last edited by

                @senseivita Still no way to know why you are experiencing issues looking at that rule set. With the 1:1 in place you need to pass the desired inbound traffic to 10.7.0.229 and 10.16.0.35. Like I said, port forwards, by default, make this rule for you. 1:1 NAT does not.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.