    Is it possible to NAT one LAN interface but not another?

abqcheeks:

      I have a pfsense box with 3 interfaces, WAN, LAN, and LAN2.  A /27 public subnet is routed to this box from the ISP.  I need to route the /27 to the LAN interface.  The user has their network's firewall in the /27 subnet, along with some other public hosts.  The LAN2 network contains a public wifi AP and needs to be NATted by the pfsense box.

Coming from a Cisco background, the WAN port would be "ip nat outside", LAN2 would be "ip nat inside", and LAN would not be NATted at all, just straight routing.

      What's the best way to do this with pfsense?  I found the option to turn off NAT entirely, but I need to NAT LAN2.  Do I need to do 1:1 NAT for the IPs in the /27?  I'd rather not NAT the path from WAN to LAN, since the user's firewall is already NATting their internet traffic.  (I don't have the option to eliminate that internal firewall and have the pfsense box do all the work).

      Thanks in advance for any advice you can give.

      Mark

Metu69salemi:

Manual outbound NAT is what you're looking for. There is the possibility to check "Do Not NAT".

cmb:

Yeah, outbound NAT. You don't need "do not NAT" in most all cases though; just NAT what needs to be NATed and everything else will be routed.

abqcheeks:

            Thanks for the tips, that worked like a charm.

            For the record, I did need to select "do not NAT" on the "open" interface.  NAT appears to be the default.

            Thanks again!

            Mark

cmb:

NAT is not the default when advanced outbound NAT is enabled; anything that doesn't match an outbound NAT rule is routed. You just need to match only private subnets on outbound NAT. Though excluding them by "do not NAT" is fine, it's unnecessary in that instance; the source of your outbound NAT rules shouldn't be "any".

Metu69salemi:

I'm glad that I was able to help you.

abqcheeks:

cmb: you are correct. I deleted those rules (the ones I had selected "do not NAT" for) and that works fine. Since the rules get auto-created when you select "manual", I had the (wrong) impression they were necessary. Makes more sense now.

                  Thanks,

                  Mark

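As an added illustration, not from the thread and not pfSense's own generated ruleset, here is the raw pf equivalent of the two outbound NAT configurations discussed above, with constructed values throughout: em0 is assumed to be WAN, 203.0.113.0/27 the public block routed to LAN, and 192.168.2.0/24 the private LAN2 network behind the wifi AP.

```pf
# Constructed example of what pfSense "Manual Outbound NAT" amounts to in raw pf.
# Every interface name and address below is an assumption for illustration:
#   em0             = WAN
#   203.0.113.0/27  = public /27 routed to LAN (must NOT be translated)
#   192.168.2.0/24  = private LAN2 behind the public wifi AP (must be translated)
wan_if     = "em0"
public_net = "203.0.113.0/27"
lan2_net   = "192.168.2.0/24"

# --- Weak form: the NAT rule's source is "any", so hosts in the public /27
# would be translated as well. It only works because a "Do not NAT" exception
# (a "no nat" rule) is placed ahead of it. pf applies translation rules on a
# first-match basis, so the exception must stay in front of the catch-all rule;
# reordering them silently NATs the public hosts.
# no nat on $wan_if from $public_net to any
# nat on $wan_if from any to any -> ($wan_if)

# --- Correct form (cmb's advice): match only the private subnet. Traffic from
# the /27 matches no translation rule at all and is simply routed, so there is
# no exception rule to maintain and no ordering to get wrong.
nat on $wan_if from $lan2_net to any -> ($wan_if)

# Verification on the box once the rules are loaded (standard pfctl commands):
#   pfctl -sn                    # active translation rules; only LAN2 should appear
#   pfctl -ss | grep 203.0.113   # states for /27 hosts must show no translated
#                                # address in parentheses, i.e. no NAT applied
```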