Inbound NAT doesnt have source NATing



  • Hi,

    I'm trying to NAT an inbound port from an interface directly connected to the internet and forward it to an internal IP. I have read the 2.0 NAT howto and troubleshooting but they don't help.

    I have an unusual setup in that my LAN has 2 gateways on it (I'm still testing pfsense) so my default gateway is 10.250.1.150 and my pfsense gateway is 10.250.8.89 (I'm on 10.250.1.223). using tcpdump on the pfsense box and wireshark on my machine, I can see the traffic come into pfsense on the WAN. I can see it go back out the LAN to my machine and my machine receives it and sends a response. Problem is that pfsense doesn't see it and the outside client eventually times out.

    What is happening is the source address always contains the external IP of the client, so the return path is not through pfsense, but through my main provider.

    I currently use iptables and firewall builder and these allow me to alter both the source and destination addresses, so in the above scenario, when pfsense sends the packet out on the LAN, it would have changed the destination to 10.250.1.223 and the source to 10.250.8.89 and it would have found its way back to pfsense.

    Is this possible with pfsense ? I tried all I could find in the nat page and in the advanced settings.

    Regards,
    Andrew

    I have since confirmed the above by adding a static route to my workstation for the external address to use the pfsense box as the gateway. It all works when this is done.

    I'm would still like to know if the source IP can be modified to the pfsense box so hacking the route wont be needed.



  • Yes this is possible.
    Go to "firewall –> NAT --> outbound".
    Enable manual outbound rule generation.
    Create a new rule with:
    Interface: LAN, Source: any, Source-port: any, Destination: your_server, Destination-port: service_on_server_or_any, translation: interface address.



  • GruensFroeschli,

    Thanks a lot. That worked perfectly !

    I've been trying for hours to get that working.

    Regards,
    Andrew


Log in to reply