Monitor NAT rules

Shan lapierre · Mar 13, 2024, 3:56 PM

Hi everyone. I configured PFsense to receive traffic to my firewall on a specific port from a specific public IP.
I created both a NAT rule and a firewall rule.
Everything is working (so the external traffic reaches me on an endpoint inside my network that is listening on that specific port).
What I don't understand is that if I go into the firewall rules I don't see the number of packets increasing in the rule I defined. And if I remove the NAT rule, the traffic continues to come to me.
How is it possible?
There is a way to analyze traffic coming over the NAT.
I have already looked in Status-->System logs (also using the filters on the source public IP or destination IP, but I can't find anything).
How is it possible?
Thank you

Bob.Dig · Mar 13, 2024, 4:10 PM

@Shan-lapierre You have to Reset the firewall state table if you want to see immediate results of your changes.

Shan lapierre · Mar 13, 2024, 5:11 PM

@Bob-Dig said in Monitor NAT rules:

@Shan-lapierre You have to Reset the firewall state table if you want to see immediate results of your changes.

Hi, can you Tell me how to do that?
In others cases I didn't need to reset anything to see rule correctly matched.
Anyway let try.

viragomann · Mar 13, 2024, 6:01 PM

@Shan-lapierre said in Monitor NAT rules:

What I don't understand is that if I go into the firewall rules I don't see the number of packets increasing in the rule I defined.

This doesn't count packets. It just shows states and bytes.

And if I remove the NAT rule, the traffic continues to come to me.

As long as the connection persists, it can be used, even if the rule was already removed.

Resetting states can be done in Diagnostic > States

Shan lapierre · Mar 14, 2024, 10:09 AM

HI, figured out.
The envolved rule is NAT one because it pass directly (because is not associated to any rules).
Just a question.
If i try to link this NAT to a rule, I can only choose from "WAN" rules and not from "FLOATING" rules.
Is this a normal behaviour?

Regards

viragomann · Mar 14, 2024, 10:41 AM

@Shan-lapierre
You configure the NAT rule on a certain interface. Why should it add a floating rule then?

Shan lapierre · Mar 14, 2024, 11:41 AM

@viragomann Sorry for probably dummy question. I was asking me why I can link nat rule to a Wan rule and not to a floating rule.
That's all.

Nat rules take precedence to a floating rules?
Regards

viragomann · Mar 14, 2024, 11:54 AM

@Shan-lapierre said in Monitor NAT rules:

Nat rules take precedence to a floating rules?

NAT rules do net address translation. Floating or normal firewall rules do firewalling.
NAT port forwarding is done before firewalling.

See the docs: Firewall/NAT Processing Order Example

Gertjan · Mar 14, 2024, 12:08 PM

@Shan-lapierre said in Monitor NAT rules:

The envolved rule is NAT one because it pass directly (because is not associated to any rules).

Really ?
You want to make something that doesn't exist in the manual ?

When you create a NAT rule :

the needed "WAN" firewall rule will also be created (and is linked to the NAT rule).

At the bottom of the rule you can find this :

This is my NAT rule where I give access to two devices (servers, somewhere on the Internet, designated with the alias SYS & VPS, to my internal (on LAN) NAS.

You could do this : edit the firewall rule that was created with the NAT rule :

and check "Log ... ".

From now on : go here : The firewall log :

This :

also shows the packets passed, states etc.

Shan lapierre · Mar 14, 2024, 1:10 PM

@Gertjan said in Monitor NAT rules:

@Shan-lapierre said in Monitor NAT rules:

The envolved rule is NAT one because it pass directly (because is not associated to any rules).

Really ?
You want to make something that doesn't exist in the manual ?

When you create a NAT rule :

the needed "WAN" firewall rule will also be created (and is linked to the NAT rule).

At the bottom of the rule you can find this :

This is my NAT rule where I give access to two devices (servers, somewhere on the Internet, designated with the alias SYS & VPS, to my internal (on LAN) NAS.

You could do this : edit the firewall rule that was created with the NAT rule :

and check "Log ... ".

From now on : go here : The firewall log :

This :

also shows the packets passed, states etc.

Thank you for reply.
Anyway, manual say this:

And infact my NAT rule was created whit "Pass" flag and pf doesn't created any fw rule.

Gertjan · Mar 14, 2024, 1:11 PM

@Shan-lapierre said in Monitor NAT rules:

And infact my NAT rule was created whit "Pass" flag and pf doesn't created any fw rule.

I'm still looking for a usage of that "Pass" case ^^

Normally, a NAT rule translates traffic coming (initiated) somewhere on 'the WAN' (the Internet) and the address (WAN IP) (and port) has to be mapped == translated (a,d port) to a LAN addresses, so it can reach this device.
This needs of course a WAN 'firewall' rules, as by default nothing can enter the WAN - everything is blocked by default.
A NAT rule without an accompanying firewall rule .... won't work, as traffic will never reach the NAT rule, as traffic can not enter into the WAN interface.

I'm not saying other types of NAT exit, they do.

From what I've read :

receive traffic to my firewall on a specific port from a specific public IP.

Everything is working (so the external traffic reaches me on an endpoint inside my network that is listening on that specific port).

your use the classic method, and you need a auto generated firewall rule on the WAN interface.