Netgate Discussion Forum

Monitor NAT rules

11 Posts 4 Posters 1.3k Views
    Shan lapierre
    last edited by Mar 13, 2024, 3:56 PM

    Hi everyone. I configured pfSense to receive traffic to my firewall on a specific port from a specific public IP.
    I created both a NAT rule and a firewall rule.
    Everything is working (so the external traffic reaches me on an endpoint inside my network that is listening on that specific port).
    What I don't understand is that if I go into the firewall rules I don't see the number of packets increasing in the rule I defined. And if I remove the NAT rule, the traffic continues to come to me.
    How is it possible?
    Is there a way to analyze traffic coming over the NAT?
    I have already looked in Status --> System logs (also using the filters on the source public IP or destination IP), but I can't find anything.
    How is it possible?
    Thank you

      Bob.Dig LAYER 8 @Shan lapierre
      last edited by Mar 13, 2024, 4:10 PM

      @Shan-lapierre You have to reset the firewall state table if you want to see immediate results of your changes.

        Shan lapierre @Bob.Dig
        last edited by Mar 13, 2024, 5:11 PM

        @Bob-Dig said in Monitor NAT rules:

        @Shan-lapierre You have to reset the firewall state table if you want to see immediate results of your changes.

        Hi, can you tell me how to do that?
        In other cases I didn't need to reset anything to see the rule correctly matched.
        Anyway, let's try.

          viragomann @Shan lapierre
          last edited by Mar 13, 2024, 6:01 PM

          @Shan-lapierre said in Monitor NAT rules:

          What I don't understand is that if I go into the firewall rules I don't see the number of packets increasing in the rule I defined.

          This doesn't count packets. It just shows states and bytes.

          And if I remove the NAT rule, the traffic continues to come to me.

          As long as the connection persists, it can be used, even if the rule was already removed.

          Resetting states can be done in Diagnostics > States

            Shan lapierre @viragomann
            last edited by Mar 14, 2024, 10:09 AM

            Hi, I figured it out.
            The involved rule is the NAT one, because it passes directly (because it is not associated with any rule).
            Just a question.
            If I try to link this NAT to a rule, I can only choose from "WAN" rules and not from "FLOATING" rules.
            Is this normal behaviour?

            Regards

              viragomann @Shan lapierre
              last edited by Mar 14, 2024, 10:41 AM

              @Shan-lapierre
              You configure the NAT rule on a certain interface. Why should it add a floating rule then?

                Shan lapierre @viragomann
                last edited by Mar 14, 2024, 11:41 AM

                @viragomann Sorry for the probably dumb question. I was asking myself why I can link a NAT rule to a WAN rule and not to a floating rule.
                That's all.

                Do NAT rules take precedence over floating rules?
                Regards

                  viragomann @Shan lapierre
                  last edited by Mar 14, 2024, 11:54 AM

                  @Shan-lapierre said in Monitor NAT rules:

                  Do NAT rules take precedence over floating rules?

                  NAT rules do network address translation. Floating or normal firewall rules do firewalling.
                  NAT port forwarding is done before firewalling.

                  See the docs: Firewall/NAT Processing Order Example

                    Gertjan @Shan lapierre
                    last edited by Mar 14, 2024, 12:08 PM

                    @Shan-lapierre said in Monitor NAT rules:

                    The involved rule is the NAT one, because it passes directly (because it is not associated with any rule).

                    Really?
                    You want to make something that doesn't exist in the manual?

                    When you create a NAT rule:

                    b4d317fe-19f8-42aa-93d0-9b98076509bf-image.png

                    the needed "WAN" firewall rule will also be created (and is linked to the NAT rule).

                    At the bottom of the rule you can find this:

                    fe4d0676-6cd0-4141-b83a-49445b7c6f7e-image.png

                    This is my NAT rule where I give access to two devices (servers, somewhere on the Internet, designated with the aliases SYS & VPS) to my internal (on LAN) NAS.

                    You could do this: edit the firewall rule that was created with the NAT rule:

                    db97e1b5-d1b1-4750-bb75-2ddeeacbd881-image.png

                    and check "Log ...".

                    From now on, go here, the firewall log:

                    28857545-dbdc-413c-a9f5-ac5a038b0449-image.png

                    This:

                    7e8a48fe-3642-4619-af61-f958f382aed7-image.png

                    also shows the packets passed, states etc.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

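As an added example (not code from this thread or from pfSense itself): once logging is enabled on the WAN rule linked to the port forward, a small parser for the pfSense filterlog line format can confirm which rule is actually matching the forwarded flow and whether it passes or blocks. The log lines, addresses, ports and rule tracker ids below are constructed placeholders.

```python
import re
from collections import Counter

# Field order per the pfSense filterlog format: common fields, IPv4 header
# fields, then transport fields (only TCP/UDP matter for a port forward).
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
L4 = {"tcp": ["sport", "dport", "datalen", "tcpflags"], "udp": ["sport", "dport", "datalen"]}
PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (?P<csv>.*)$")

def parse_line(line):
    """Return named fields for an IPv4 TCP/UDP entry, or None for anything else."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    parts = m.group("csv").split(",")
    rec = dict(zip(COMMON, parts[:len(COMMON)]))
    if rec.get("ipver") != "4":
        return None                      # IPv6 entries use a different layout
    rest = parts[len(COMMON):]
    rec.update(zip(IPV4, rest[:len(IPV4)]))
    l4 = L4.get(rec.get("proto"))
    if l4 is None:
        return None                      # ICMP and others: not a forwarded flow
    rec.update(zip(l4, rest[len(IPV4):len(IPV4) + len(l4)]))
    rec["ts"] = m.group("ts")
    return rec

def forward_hits(lines, src_ip, dst_port):
    """Count inbound entries from src_ip to dst_port, keyed by (action, rule tracker id)."""
    # Port forwarding runs before filtering, so the logged destination is already
    # the internal target; the public source and the port identify the flow.
    hits = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["direction"] == "in" and rec["src"] == src_ip \
                and rec["dport"] == str(dst_port):
            hits[(rec["action"], rec["tracker"])] += 1
    return hits

# Constructed sample lines (placeholder addresses, ports and tracker ids).
SAMPLE = [
    "Mar 14 12:40:01 pfSense filterlog[41872]: 5,,,1710400001,igb0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.10,192.168.1.50,51234,8443,0,S,1,,64240,,mss",
    "Mar 14 12:40:02 pfSense filterlog[41872]: 5,,,1710400001,igb0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.10,192.168.1.50,51235,8443,0,S,2,,64240,,mss",
    "Mar 14 12:40:03 pfSense filterlog[41872]: 4,,,1000000103,igb0,match,block,in,4,0x0,,243,9,0,none,6,tcp,40,198.51.100.7,192.0.2.20,44444,8443,0,S,3,,1024,,",
    "Mar 14 12:40:04 pfSense filterlog[41872]: 5,,,1710400001,igb0,match,pass,in,4,0x0,,52,0,0,DF,17,udp,60,203.0.113.10,192.168.1.50,51236,53,32",
    "Mar 14 12:40:05 pfSense filterlog[41872]: 4,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8::1,2001:db8::2,1,2,0,S",
]

print(forward_hits(SAMPLE, "203.0.113.10", 8443))   # which rule logged the forwarded flow
```

On a real system the input would be the lines from Status > System Logs > Firewall (or /var/log/filter.log), and the tracker id maps to the rule shown in the GUI.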
                      Shan lapierre @Gertjan
                      last edited by Mar 14, 2024, 12:40 PM

                      @Gertjan said in Monitor NAT rules:

                      @Shan-lapierre said in Monitor NAT rules:

                      The involved rule is the NAT one, because it passes directly (because it is not associated with any rule).

                      Really?
                      You want to make something that doesn't exist in the manual?

                      When you create a NAT rule:

                      b4d317fe-19f8-42aa-93d0-9b98076509bf-image.png

                      the needed "WAN" firewall rule will also be created (and is linked to the NAT rule).

                      At the bottom of the rule you can find this:

                      fe4d0676-6cd0-4141-b83a-49445b7c6f7e-image.png

                      This is my NAT rule where I give access to two devices (servers, somewhere on the Internet, designated with the aliases SYS & VPS) to my internal (on LAN) NAS.

                      You could do this: edit the firewall rule that was created with the NAT rule:

                      db97e1b5-d1b1-4750-bb75-2ddeeacbd881-image.png

                      and check "Log ...".

                      From now on, go here, the firewall log:

                      28857545-dbdc-413c-a9f5-ac5a038b0449-image.png

                      This:

                      7e8a48fe-3642-4619-af61-f958f382aed7-image.png

                      also shows the packets passed, states etc.

                      Thank you for the reply.
                      Anyway, the manual says this:

                      e831d0a1-1dc3-41fe-9eae-59e612c6eaa8-image.png

                      And in fact my NAT rule was created with the "Pass" flag and pf didn't create any fw rule.

                        Gertjan @Shan lapierre
                        last edited by Gertjan Mar 14, 2024, 1:11 PM Mar 14, 2024, 1:10 PM

                        @Shan-lapierre said in Monitor NAT rules:

                        And in fact my NAT rule was created with the "Pass" flag and pf didn't create any fw rule.

                        I'm still looking for a usage of that "Pass" case ^^

                        Normally, a NAT rule translates traffic coming (initiated) somewhere on 'the WAN' (the Internet), and the address (WAN IP) (and port) has to be mapped == translated (and port) to a LAN address, so it can reach this device.
                        This needs of course a WAN 'firewall' rule, as by default nothing can enter the WAN - everything is blocked by default.
                        A NAT rule without an accompanying firewall rule .... won't work, as traffic will never reach the NAT rule, as traffic can not enter into the WAN interface.

                        I'm not saying other types of NAT don't exist; they do.

                        From what I've read:

                        receive traffic to my firewall on a specific port from a specific public IP.

                        Everything is working (so the external traffic reaches me on an endpoint inside my network that is listening on that specific port).

                        you use the classic method, and you need an auto-generated firewall rule on the WAN interface.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.