Is it possible to NAT one LAN interface but not another?



  • I have a pfsense box with 3 interfaces, WAN, LAN, and LAN2.  A /27 public subnet is routed to this box from the ISP.  I need to route the /27 to the LAN interface.  The user has their network's firewall in the /27 subnet, along with some other public hosts.  The LAN2 network contains a public wifi AP and needs to be NATted by the pfsense box.

    Coming from a cisco background, the WAN port would be "ip nat outside", LAN2 would be "ip nat inside", and LAN would not be NATted at all, just straight routing.

    What's the best way to do this with pfsense?  I found the option to turn off NAT entirely, but I need to NAT LAN2.  Do I need to do 1:1 NAT for the IPs in the /27?  I'd rather not NAT the path from WAN to LAN, since the user's firewall is already NATting their internet traffic.  (I don't have the option to eliminate that internal firewall and have the pfsense box do all the work).

    Thanks in advance for any advice you can give.

    Mark



  • Manual outbound NAT is what you're looking for. There is a possibility to check "Do Not NAT".



  • Yeah, outbound NAT. You don't need "do not NAT" in almost all cases though; just NAT what needs to be NATed and everything else will be routed.



  • Thanks for the tips, that worked like a charm.

    For the record, I did need to select "do not NAT" on the "open" interface.  NAT appears to be the default.

    Thanks again!

    Mark



  • NAT is not the default when advanced outbound NAT is enabled; anything that doesn't match an outbound NAT rule is routed. You just need to match only private subnets on outbound NAT. Though excluding them by "do not NAT" is fine, it's unnecessary in that instance; the source of your outbound NAT rules shouldn't be "any".



  • I'm glad that I was able to help you.



  • cmb: you are correct.  I deleted those rules (the ones I had selected "do not nat" for) and that works fine.  Since the rules get auto-created when you select "manual", I had the (wrong) impression they were necessary.  Makes more sense now.

    Thanks,

    Mark
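The outbound NAT layout the thread settles on, written as the pf rules pfSense would generate for it; this is an added illustration, not configuration posted in the thread, and the interface name em0, the 192.168.2.0/24 LAN2 subnet and the 203.0.113.0/27 public block are assumed placeholders.

```pf
# Constructed example: one WAN, a routed public /27 on LAN, a private LAN2 that needs NAT.
ext_if     = "em0"              # WAN interface (assumed name)
lan2_net   = "192.168.2.0/24"   # private network behind LAN2 (assumed)
public_net = "203.0.113.0/27"   # the /27 routed to the box by the ISP (placeholder block)

# Over-broad rule: a source of "any" also rewrites packets from the /27,
# so the routed public hosts would be masqueraded behind the WAN address.
# nat on $ext_if from any to any -> ($ext_if)

# Correct rule: translate only the private LAN2 network. Traffic from the /27
# matches no nat rule, so it is simply routed with its public source intact;
# no "do not NAT" (no nat) rule for $public_net is needed.
nat on $ext_if from $lan2_net to any -> ($ext_if)
```

Check the result with `pfctl -s nat`: the only translation rule listed should be the one for the LAN2 subnet, and a packet capture on the WAN side should show the /27 hosts' own addresses as source.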

