Netgate Discussion Forum

Source NAT and port forwarding

15 Posts 3 Posters 583 Views
    tramp_sergey @johnpoz
    last edited by Jan 30, 2025, 4:56 PM

    @johnpoz

    All IPs here are just for example.

    Who is starting the conversation? The 2.2.2.2 or the 192.168.2.2 ??
    A client with src 1.1.1.1:<any port>
    2.2.2.2 is WAN port IP address
    192.168.2.2 is a server over the LAN port

    Who is wanting to talk to who on port 22, is it your device on your wan wanting to talk to device on your lan, or is the lan device wanting to talk to the device on your wan. Who is starting the conversation to the other one?
    The client tries to connect to 2.2.2.2:2222.
    The pfsense should NAT the connection with the source IP of the LAN interface to 192.168.2.2:443

      johnpoz LAYER 8 Global Moderator @tramp_sergey
      last edited by johnpoz Jan 30, 2025, 5:10 PM Jan 30, 2025, 5:07 PM

      @tramp_sergey so some public IP out on the internet hits your pfsense wan, which you're calling 2.2.2.2, on port 22, and you want to forward that to 192.168.2.2 on your pfsense lan.

      And you want this to look like this public IP on the internet is coming from your pfsense lan IP 192.168.2.x

      Well, none of those NATs you said you tried would work. As you see in my example, the interface is my cam interface.

      So your outbound nat should be on pfsense lan, the source would be any (or whatever source IP out on the internet is going to want to talk to your ssh server that you are forwarding), the destination would be your 192.168.2.2 address, and the nat address would be your LAN address on pfsense.

      Curious why do you think you need to do this? Does the 192.168.2.2 device not have a gateway set, or is using something other than pfsense as its gateway, or a firewall that won't allow this public IP to talk to it?

      public IP -----> 2.2.2.2:22 (wan) pfsense (lan) 192.168.2.1 ----> 192.168.2.2:22

      Your outbound nat interface is pfsense lan, the nat address is the lan address. Now when publicIP hits pfsense wan and pfsense does its port forward to 192.168.2.2:22, the outbound nat in pfsense will change the source IP to 192.168.2.1 (pfsense address), so your 192.168.2.2 will think ssh is coming from 192.168.2.1; when it sends back the answer, pfsense will know it needs to send this back to publicIP. And the publicIP will think the return traffic is coming from pfsense's 2.2.2.2 wan IP.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        tramp_sergey @johnpoz
        last edited by Jan 30, 2025, 7:38 PM

        @johnpoz If I understand correctly, you mean this configuration
        fe66d465-9aa5-4701-af4c-55a6f41bb127-image.png
        But it doesn't work either. I don't see any packets on the LAN, but the logs show that the traffic is passed.

        The scheme is more correct:
        public IP -----> 2.2.2.2:2222 (wan) pfsense (lan) 192.168.2.254 ----> 192.168.2.2:22

        The device has a different default gateway and it's easier to configure NAT than create a static route on the device and other devices in the location.

          SteveITS Galactic Empire @tramp_sergey
          last edited by Jan 30, 2025, 7:44 PM

          @tramp_sergey The source port on Internet connections is normally random, so it will basically never be "22"... change that to any/*.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

            johnpoz LAYER 8 Global Moderator @tramp_sergey
            last edited by johnpoz Jan 30, 2025, 7:53 PM Jan 30, 2025, 7:52 PM

            @tramp_sergey said in Source NAT and port forwarding:

            But it doesn't work also. I don't see any packets on the LAN, but logs show that the traffic is passed.

            If you're not seeing any traffic on your lan, then your port forward isn't working. As mentioned by @SteveITS, that source port is wrong.

            Per your updated drawing of mine, the destination hitting the pfsense wan IP 2.2.2.2 is port 2222, but that has nothing to do with the source port the public IP sent from, which is almost always going to be some random port 1024 or above. Can you show your port forward? Because if you are calling out a source port there, it's not going to work.


              tramp_sergey @johnpoz
              last edited by Jan 30, 2025, 8:05 PM

              @johnpoz I don't have rules for port forwarding.
              Do you mean I should have two NAT rules in that case, the first for ports and the second for IPs?

                SteveITS Galactic Empire @tramp_sergey
                last edited by Jan 30, 2025, 8:16 PM

                @tramp_sergey NAT rules are port forwards. Here's an example:
                06010cd5-ae9e-469b-bf52-b3989810b757-image.png
                or one with a source defined:
                0ee4d73d-7ecc-4a7f-800c-4696ef55f585-image.png


                  johnpoz LAYER 8 Global Moderator @tramp_sergey
                  last edited by johnpoz Jan 30, 2025, 8:21 PM Jan 30, 2025, 8:17 PM

                  @tramp_sergey said in Source NAT and port forwarding:

                  I don't have rules for port forwarding.

                  Well then, how do you think traffic from some public IP on the internet hitting your wan is going to get sent to this 192.168.2.2 address on a different port?

                  Here is a port forward I have for my plex server

                  portforward.jpg

                  So some IP on the internet hits my pfsense wan PublicIP on port 23040, and pfsense forwards that to my box running plex at 192.168.9.10 port 32400.

                  But it will only do that if the source IP is in my alias pfb_allowed, which is really any IP in the US or Belgium currently, plus some other IPs that plex uses to validate plex is available, and other IPs that check if my plex is up and warn me if it is down.

                  But some IP out on the internet hitting your wan IP isn't just going to magically get sent to your 192.168.2.2 IP on some other port.


                    tramp_sergey @SteveITS
                    last edited by tramp_sergey Jan 31, 2025, 7:08 AM Jan 31, 2025, 7:06 AM

                    @SteveITS @johnpoz I tried to use the port forwarding NAT. It works, but it doesn't change the source IP address to the LAN address, and I haven't found any option for that here.
                    a3aa50a3-6405-40c8-b892-c799ced55f63-image.png

                      johnpoz LAYER 8 Global Moderator @tramp_sergey
                      last edited by Jan 31, 2025, 7:08 AM

                      @tramp_sergey you need both the port forward and the outbound nat to change it to the IP of the pfsense interface on your lan.


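The following is an added model of the two-rule setup the thread converges on (johnpoz's walkthrough of the forwarded SSH connection, SteveITS's point that a port forward must not match on a source port, and the final "you need both" answer); it is not code from the thread or from pfSense, and it uses the thread's example addresses (1.1.1.1 client, 2.2.2.2:2222 WAN, 192.168.2.254 pfSense LAN, 192.168.2.2:22 server). The ephemeral NAT port choice is a constructed simplification.

```python
from dataclasses import dataclass, replace

# Thread's example addressing (all values are the thread's placeholders)
WAN_IP, WAN_PORT = "2.2.2.2", 2222          # what the Internet client connects to
LAN_IP = "192.168.2.254"                    # pfSense LAN address, used as NAT address
SERVER_IP, SERVER_PORT = "192.168.2.2", 22  # SSH server behind pfSense

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def port_forward(pkt, source_port=None):
    """WAN port-forward rule. 'source_port' models the mistake discussed in the
    thread (restricting the rule to one source port); None means any source port."""
    if (pkt.dst, pkt.dport) != (WAN_IP, WAN_PORT):
        return None
    if source_port is not None and pkt.sport != source_port:
        return None                         # random client source port never matches
    return replace(pkt, dst=SERVER_IP, dport=SERVER_PORT)

def outbound_nat(pkt, state):
    """Outbound NAT on LAN: source any, destination SERVER_IP, NAT address LAN_IP.
    The state entry is what lets pfSense map the reply back to the real client."""
    nat_sport = 50000 + len(state)          # constructed ephemeral port choice
    state[(LAN_IP, nat_sport)] = (pkt.src, pkt.sport)
    return replace(pkt, src=LAN_IP, sport=nat_sport)

def reply_to(pkt):
    """What the server sends back: addresses and ports swapped."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def untranslate(reply, state):
    """Reverse both translations: destination back to the client, source back
    to the WAN address/port the client originally connected to."""
    client_ip, client_sport = state[(reply.dst, reply.dport)]
    return Packet(WAN_IP, WAN_PORT, client_ip, client_sport)

def simulate(client_sport=51234, forward_source_port=None, with_outbound_nat=True):
    """Returns (packet the server sees, packet the client gets back), or None
    when the port forward never matched (nothing reaches the LAN)."""
    inbound = Packet("1.1.1.1", client_sport, WAN_IP, WAN_PORT)
    forwarded = port_forward(inbound, forward_source_port)
    if forwarded is None:
        return None
    if not with_outbound_nat:               # port forward alone: server sees 1.1.1.1 and
        return forwarded, None              # replies via its own gateway, not pfSense
    state = {}
    on_lan = outbound_nat(forwarded, state)
    return on_lan, untranslate(reply_to(on_lan), state)
```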
                        tramp_sergey @johnpoz
                        last edited by Jan 31, 2025, 7:12 AM

                        @johnpoz I understand the logic now.
                        I've added the rule, and it works as expected now.
                        23f9e7e3-9409-40cb-a081-1a46957a3096-image.png
                        Thanks a lot for your help and patience!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.