Firewall: NAT: 1:1 problems



  • Hi,

    I have pfSense beta version 2.0-BETA4 (), NanoBSD version.

    I've been struggling to get the 1:1 NAT forwarding working.

    Let me quickly explain what the setup is.

    I have 3 interfaces.

    1 WAN = Wi-Fi (interface) 192.168.10.1/24
    2 LAN = ethernet1 interface where DHCP is running (for internet access) 192.168.1.1/24
    3 LAN = ethernet2 interface which has static IPs for IP phones 172.16.10.100

    Now I want to have 1 external IP address that will be NATted for the internet access and 1 external IP that will be 1:1 NAT to the ethernet2 interface.

    These are the steps I followed.

    1. I've added a VIP (virtual IP, proxy ARP, 192.168.10.2 on my WAN interface)
    2. Here I am struggling

    I go to Firewall: NAT: 1:1 and select the WAN interface.

    As source address I use the ethernet2 address that is used on the phone = 172.16.10.101
    destination = network? (192.168.10.0)
    and as external subnet I use 192.168.10.2

    However, this is not working..

    What am I doing wrong?


  • Rebel Alliance Developer Netgate

    The 1:1 NAT layout is a tad confusing. There were some more commits on it last night that might clear things up, I haven't updated any of my VMs to see what it looks like yet though.

    Source is the internal IP, destination is where the traffic is going that will match the rule (usually "any"), external address is the "public" part of the 1:1, so the 192.168.10.2 IP would go there.



  • Some of the changes include a reordering of the fields, making "any" the default on destination, and descriptions for all of the address fields, including hints about what should go in each.



    Well, I've tried it but the forwarding just doesn't work.. I see entries when I set packet inspection on but nothing arrives on my destination machine.

    I might try the upgrade first.



  • @Citymesh:

    Well, I've tried it but the forwarding just doesn't work.. I see entries when I set packet inspection on but nothing arrives on my destination machine.

    I might try the upgrade first.

    Have you configured a firewall rule to allow the traffic through?

    If you are filtering by destination you need to use the internal IP.

    The NAT defines the mapping between the internal and external IP address; however, the traffic will still pass through the packet filter and therefore will need appropriate rules configured on the incoming interface.  ;)

    Hope that helps.
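    The point made in the reply above (the 1:1 mapping and the firewall rule are separate, and the pass rule must name the internal address) can be written out in plain pf.conf syntax. This is an added illustration, not pfSense's generated ruleset and not anything posted in the thread; pfSense builds its own rules from the GUI fields, so the text below only mirrors what the GUI settings mean. The interface names, the SIP signalling port and the RTP port range are assumptions; the addresses are the ones from the thread.

```pf
# Added illustration in plain pf.conf syntax (not pfSense's generated ruleset).
# Interface names and port numbers are assumptions; addresses come from the thread.
wan_if   = "wlan0"          # assumed name for the Wi-Fi WAN interface
phone_if = "em1"            # assumed name for the ethernet2 (phones) interface
ext_vip  = "192.168.10.2"   # proxy-ARP virtual IP on WAN (from the thread)
phone    = "172.16.10.101"  # internal phone address (from the thread)

# 1:1 mapping: outbound traffic from the phone leaves with the VIP as source,
# and inbound traffic addressed to the VIP is rewritten to the phone.
# Destination "any" matches the GUI default described earlier in the thread.
binat on $wan_if from $phone to any -> $ext_vip

# The mapping alone passes nothing. pf translates inbound packets BEFORE filtering,
# so the WAN pass rule must match the INTERNAL address, not the VIP.
pass in quick on $wan_if proto udp from any to $phone port 5060          # assumed SIP signalling port
pass in quick on $wan_if proto udp from any to $phone port 10000:20000   # assumed RTP range

# For contrast: a rule written against the external address never matches the
# already-translated inbound packet, which is the symptom reported above.
# pass in quick on $wan_if proto udp from any to $ext_vip port 5060
```

    Keeping the pass rules narrow (only the ports the phones actually need, rather than "any" to the phone) limits what the VIP exposes; the mapping itself is address-to-address and does not restrict protocols or ports.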

