Netgate Discussion Forum
    Inbound NAT doesnt have source NATing

    kestral

      Hi,

      I'm trying to NAT an inbound port from an interface directly connected to the internet and forward it to an internal IP. I have read the 2.0 NAT howto and troubleshooting but they don't help.

      I have an unusual setup in that my LAN has 2 gateways on it (I'm still testing pfsense), so my default gateway is 10.250.1.150 and my pfsense gateway is 10.250.8.89 (I'm on 10.250.1.223). Using tcpdump on the pfsense box and wireshark on my machine, I can see the traffic come into pfsense on the WAN. I can see it go back out the LAN to my machine, and my machine receives it and sends a response. Problem is that pfsense doesn't see it and the outside client eventually times out.

      What is happening is the source address always contains the external IP of the client, so the return path is not through pfsense, but through my main provider.

      I currently use iptables and firewall builder and these allow me to alter both the source and destination addresses, so in the above scenario, when pfsense sends the packet out on the LAN, it would have changed the destination to 10.250.1.223 and the source to 10.250.8.89 and it would have found its way back to pfsense.

      Is this possible with pfsense? I tried all I could find in the NAT page and in the advanced settings.

      Regards,
      Andrew

      I have since confirmed the above by adding a static route to my workstation for the external address to use the pfsense box as the gateway. It all works when this is done.

      I would still like to know if the source IP can be modified to the pfsense box so hacking the route won't be needed.


      GruensFroeschli

        Yes this is possible.
        Go to "Firewall -> NAT -> Outbound".
        Enable manual outbound rule generation.
        Create a new rule with:
        Interface: LAN, Source: any, Source-port: any, Destination: your_server, Destination-port: service_on_server_or_any, translation: interface address.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html


        kestral

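To show why the outbound NAT rule in the answer above fixes the asymmetric return path (and why the static-route workaround from the first post also works), here is an added model of the flow. It is not code from pfSense or from either poster. The addresses 10.250.1.150, 10.250.8.89 and 10.250.1.223 come from the thread; the WAN address, the external client address, the forwarded port and the workstation's routing table are constructed assumptions.

```python
"""Model of the asymmetric-routing problem described in the thread and of the
two ways the thread resolves it: outbound NAT to the LAN interface address, or a
static route on the server.  Added illustration, not pfSense code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses quoted in the thread
PFSENSE_LAN = ip_address("10.250.8.89")     # pfSense LAN interface address
OTHER_GATEWAY = ip_address("10.250.1.150")  # the workstation's default gateway
SERVER = ip_address("10.250.1.223")         # the workstation receiving the forward
# Constructed placeholders (not from the thread)
PFSENSE_WAN = ip_address("203.0.113.10")    # assumed pfSense WAN address
CLIENT = ip_address("198.51.100.7")         # assumed external client
SERVICE_PORT = 22                           # assumed forwarded service port


@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    dport: int


# Assumed workstation routing table: one on-link LAN prefix plus a default
# route via the *other* gateway (the "2 gateways on the LAN" situation).
WORKSTATION_ROUTES = [
    (ip_network("10.250.0.0/16"), None),        # on-link, no next hop
    (ip_network("0.0.0.0/0"), OTHER_GATEWAY),   # default via the other gateway
]

# The workaround from the first post: a host route for the client via pfSense.
WORKSTATION_ROUTES_WITH_STATIC = WORKSTATION_ROUTES + [
    (ip_network(f"{CLIENT}/32"), PFSENSE_LAN),
]


def next_hop(routes, dst):
    """Longest-prefix match; returns the gateway, or dst itself when on-link."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return dst if best[1] is None else best[1]


def inbound_translate(pkt, source_nat):
    """pfSense side: the port forward rewrites the destination to SERVER; with
    source_nat the outbound rule from the answer (Interface LAN, Destination
    SERVER, translation: interface address) also rewrites the source."""
    out = replace(pkt, dst=SERVER)
    if source_nat:
        out = replace(out, src=PFSENSE_LAN)
    return out


def reply_reaches_pfsense(source_nat, routes=WORKSTATION_ROUTES):
    """True when the server's reply is handed to pfSense, i.e. the firewall's
    state table sees the return half of the connection."""
    delivered = inbound_translate(Packet(CLIENT, PFSENSE_WAN, SERVICE_PORT), source_nat)
    reply = Packet(src=delivered.dst, dst=delivered.src, dport=0)
    return next_hop(routes, reply.dst) == PFSENSE_LAN


if __name__ == "__main__":
    print("port forward only:          ", reply_reaches_pfsense(False))
    print("plus outbound NAT on LAN:   ", reply_reaches_pfsense(True))
    print("plus static route on server:",
          reply_reaches_pfsense(False, WORKSTATION_ROUTES_WITH_STATIC))
```

Without the outbound rule the reply is addressed to the external client, so the workstation's default route sends it to 10.250.1.150 and pfSense never sees it. With the rule, the reply is addressed to 10.250.8.89 and is delivered on-link to pfSense, which reverses both translations. The trade-off is visible in `inbound_translate`: once the source is rewritten, the server only ever sees 10.250.8.89, so its own logs, per-client limits and any fail2ban-style blocking lose the real client address. The static-route approach keeps the original source intact at the cost of a route per client.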
          GruensFroeschli,

          Thanks a lot. That worked perfectly!

          I've been trying for hours to get that working.

          Regards,
          Andrew

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.