Netgate Discussion Forum

Is it possible to NAT one LAN interface but not another?

7 Posts 3 Posters 6.9k Views
    abqcheeks
    last edited by Jul 19, 2011, 5:40 AM

    I have a pfSense box with 3 interfaces, WAN, LAN, and LAN2.  A /27 public subnet is routed to this box from the ISP.  I need to route the /27 to the LAN interface.  The user has their network's firewall in the /27 subnet, along with some other public hosts.  The LAN2 network contains a public wifi AP and needs to be NATted by the pfSense box.

    Coming from a Cisco background, the WAN port would be "ip nat outside", LAN2 would be "ip nat inside", and LAN would not be NATted at all, just straight routing.

    What's the best way to do this with pfSense?  I found the option to turn off NAT entirely, but I need to NAT LAN2.  Do I need to do 1:1 NAT for the IPs in the /27?  I'd rather not NAT the path from WAN to LAN, since the user's firewall is already NATting their internet traffic.  (I don't have the option to eliminate that internal firewall and have the pfSense box do all the work).

    Thanks in advance for any advice you can give.

    Mark

      Metu69salemi
      last edited by Jul 19, 2011, 7:27 AM

      Manual outbound NAT is what you're looking for. There is a possibility to check "Do Not NAT".

        cmb
        last edited by Jul 19, 2011, 8:13 AM

        Yeah outbound NAT, don't need "do not NAT" in most all cases though, just NAT what needs to be NATed and everything else will be routed.

          abqcheeks
          last edited by Jul 20, 2011, 12:35 AM

          Thanks for the tips, that worked like a charm.

          For the record, I did need to select "do not NAT" on the "open" interface.  NAT appears to be the default.

          Thanks again!

          Mark

            cmb
            last edited by Jul 20, 2011, 3:32 AM

            NAT is not the default when advanced outbound NAT is enabled; anything that doesn't match an outbound NAT rule is routed. You just need to match only private subnets on outbound NAT. Though excluding them by "do not NAT" is fine, it's unnecessary in that instance; your source of outbound NAT rules shouldn't be "any".

              Metu69salemi
              last edited by Jul 20, 2011, 12:43 PM

              I'm glad that I was able to help you.

                abqcheeks
                last edited by Jul 22, 2011, 5:27 AM

                cmb: you are correct.  I deleted those rules (the ones I had selected "do not nat" for)
                and that works fine.  Since the rules get auto-created when you select "manual", I had
                the (wrong) impression they were necessary.  Makes more sense now.

                Thanks,

                Mark
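
The rule behaviour the thread settles on (traffic matching no outbound NAT rule is routed, "do not NAT" is an optional exclusion, and a source of "any" also translates the routed /27), as an added example that is not part of any post and is not pfSense code. It is a simplified first-match model; the subnets, rule sets and function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing (assumption, not from the thread).
ROUTED_PUBLIC = ipaddress.ip_network("203.0.113.32/27")  # LAN: routed only
LAN2_PRIVATE = ipaddress.ip_network("192.168.2.0/24")    # LAN2: public wifi

# Three manual outbound NAT rule sets, evaluated top down.
MINIMAL = [{"source": str(LAN2_PRIVATE)}]                 # match only the private subnet
WITH_EXCLUSION = [{"source": str(ROUTED_PUBLIC), "no_nat": True},
                  {"source": str(LAN2_PRIVATE)}]          # "do not NAT" kept, harmless
ANY_SOURCE = [{"source": "0.0.0.0/0"}]                    # source "any"


def decide(rules, src):
    """Return 'nat' or 'route' for a source address.

    The first matching rule wins; a packet matching no rule is
    routed untranslated.
    """
    addr = ipaddress.ip_address(str(src))
    for rule in rules:
        if addr in ipaddress.ip_network(rule["source"]):
            return "route" if rule.get("no_nat") else "nat"
    return "route"


def natted_hosts(rules, routed_net):
    """List addresses of a subnet that must stay routed but would be translated."""
    return [str(a) for a in routed_net if decide(rules, a) == "nat"]


def audit(rules, routed_net):
    """Summarise a rule set: how many routed addresses it would wrongly NAT."""
    leaks = natted_hosts(rules, routed_net)
    return {"ok": not leaks, "translated_addresses": len(leaks)}


if __name__ == "__main__":
    for name, rules in [("minimal", MINIMAL),
                        ("with exclusion", WITH_EXCLUSION),
                        ("any source", ANY_SOURCE)]:
        print(name, audit(rules, ROUTED_PUBLIC),
              "LAN2 host ->", decide(rules, "192.168.2.50"))
```
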
