Destination NAT

  • Hi  :D
    I'm a little confused how I could do this rule in pfsense.

    iptables -t nat -I PREROUTING -p tcp -s --dport 1863 -j DNAT --to-destination

  • If I read that correctly you want any connection from 192.168.0.x/24 on port 1863 to be directed instead to on port 1863?

    A simple NAT rule using that logic, on the LAN interface, should do what you're after.

  • Thanks for the help.
    Yes, I want everything to go out the LAN destination with 1860 forwarded to
    that IP.
    And that IP would undertake sending it on to the web.
    It would be for the software IMControl.
    I tried manual outbound

    LAN * * 1863 1863  NO

    Port Forward

    LAN TCP * WAN net 1863 1863

    I do not know how to do that actually

  • (off the top of my head - the documentation will cover more) you'd set up a port forward on the LAN interface for anything EXCEPT on port 1863, to direct that to If you search the forum for running a transparent proxy on another host you'll find mountains of information, since it's exactly the same problem.
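
The exclusion described in the reply above, as an added example that is not part of the thread: a small model of a LAN-side port forward, showing what happens to the receiving host's own onward connection with and without the "anything EXCEPT" source. All addresses are constructed, and the model assumes the excluded source is the host that receives the forwarded port; the names `Forward`, `trace`, `RELAY` and `REMOTE` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: the thread's real ones are not shown on the page.
LAN = ipaddress.ip_network("192.168.0.0/24")
RELAY = ipaddress.ip_address("192.168.0.10")   # hypothetical host receiving port 1863
REMOTE = ipaddress.ip_address("203.0.113.5")   # hypothetical Internet server
CLIENT = ipaddress.ip_address("192.168.0.50")  # constructed LAN client

@dataclass(frozen=True)
class Forward:
    """One LAN-side port forward: match source net and port, rewrite destination."""
    src_net: ipaddress.IPv4Network
    dport: int
    target: ipaddress.IPv4Address
    except_src: Optional[ipaddress.IPv4Address] = None  # the "anything EXCEPT" source

    def apply(self, src, dst, dport):
        """Return the address the firewall delivers the packet to."""
        if dport != self.dport or src not in self.src_net:
            return dst
        if src == self.except_src:
            return dst          # excluded source passes through untouched
        return self.target

def trace(rule, client, max_hops=4):
    """Follow a connection to REMOTE on the rule's port. When the relay receives
    it, the relay opens its own connection to REMOTE, which crosses the same rule."""
    src, hops = client, []
    for _ in range(max_hops):
        delivered = rule.apply(src, REMOTE, rule.dport)
        hops.append((str(src), str(delivered)))
        if delivered == REMOTE:
            return "reaches remote", hops
        src = delivered         # the relay now originates the onward connection
    return "loop", hops

naive = Forward(LAN, 1863, RELAY)                    # no exclusion
fixed = Forward(LAN, 1863, RELAY, except_src=RELAY)  # relay's own traffic exempt

if __name__ == "__main__":
    for name, rule in (("naive", naive), ("fixed", fixed)):
        print(name, *trace(rule, CLIENT))
```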

  • Thanks for the help.
    But I do not know what I might be doing wrong; in Linux it is very simple, and
    in pfSense I am a little confused.
    Let's imagine a situation:
    A network and I have a machine with Apache
    How to make all Internet packets destined for port 80 be forwarded to
    I created a rule in NAT
    LAN TCP * * * 80 (HTTP) 80 (HTTP)


    13:44:09.153024 ARP, Request who-has tell, length 46
    13:44:09.153616 ARP, Reply is-at 00:0c:29:7a:b1:53, length 46
    13:44:09.153618 IP > tcp 0
    13:44:09.161122 IP > ICMP redirect to host, length 56
    13:44:09.161124 IP > ICMP host unreachable - admin prohibited, length 56
    13:44:12.156867 IP > tcp 0

  • Did you search the forum for those other threads?

  • Yes, I tried,
    and the rule in the NAT works
    LAN  TCP  *  *  *  80 (HTTP)  80 (HTTP)

    But the IP to respond to GW and the inverse is also true

  • The ICMP redirect indicates some wrong or weird routing config. The ICMP unreachable indicates either the same, or that you're rejecting the traffic with firewall rules.