NAT source and destination?



  • I am trying to set up a pfSense 2.0.1 box to replace a failed Nokia/Checkpoint firewall, and I am having some issues with the NAT in pfSense which I need help with.

    On Checkpoint it is possible to NAT both the source and destination of a packet. I have been trying to set this up on the pfSense firewall but cannot get anything similar.

    What I want to achieve is similar to this:

    original packet:
    source : 10.1.1.30 > destination : 10.1.1.49

    translated (natted) packet:
    source : 192.168.1.13 > destination : 192.168.1.91

    So this works as follows:

    A client on the internal network with the IP 10.1.1.30 wants to connect to an FTP server, 192.168.1.91. As the destination server IP changes often, we do not want to keep changing the client's FTP destination address, so we use the internal IP 10.1.1.49, which is an alias (or proxy ARP) on the LAN interface. The FTP server will only allow access from the 192.168.1.x range, so we need to make sure the source address is natted to an IP in the 192.168.1.x range (not the WAN interface IP!). This means we first have to NAT the destination 10.1.1.49 > 192.168.1.91, but then also the source 10.1.1.30 > 192.168.1.13.

    So the NAT rule looks like:

    original                                   translated
    source      destination  service           source         destination   service
    10.1.1.30   10.1.1.49    ftp               192.168.1.13   192.168.1.91  ftp

    pfSense LAN is 10.1.1.27, WAN is 192.168.1.1

    I cannot see any way of doing this; please, can anyone more experienced in pfSense NAT help?

    Thanks for looking.



  • OK, just a bit of an update for all of you who have viewed this thread. I have still not managed to do this on the pfSense, but I was able to do this on a Cisco ASA firewall using Twice-NAT and the following command:

    nat (any,any) after-auto source static 10.1.1.30 192.168.1.13 destination static 10.1.1.49 192.168.1.91 unidirectional

    Does anyone here know how to achieve this on the pfSense?

    Thanks again for looking.



  • For egress traffic, you can change the source IP with outbound NAT, and the destination IP with port forwards.



  • Yes, I understand, but how do I combine both outbound NAT and a port forward for the same packet?

    Do I first create an outbound NAT rule to convert src:10.1.1.30 dst:10.1.1.49 to src:192.168.1.13 dst:10.1.1.49,
    and then add a port forward for 10.1.1.49 to 192.168.1.91?

    What would be the way of doing this, and which interface would the NAT/PF rules be on, INT or EXT?

    And how would the incoming packet be natted? Would it be the same in reverse, or would I need to configure new NAT rules for this?

    Sorry if this is basic stuff, but I am completely new to the pfSense way of doing NAT (and, to be truthful, the documentation does not help much).

    Thanks
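
As an added illustration (not a reply from the thread, nor pfSense's own generated ruleset), the pf.conf rules that sit underneath the two pfSense GUI rules suggested above, written for the addresses in the original post. The point it shows is ordering: the port forward (rdr) runs on the inbound interface first, so the outbound NAT rule has to match the already-translated destination, and the reply packets are un-translated by the state table, so no reverse rules are needed. The interface names $lan and $wan are assumptions.

```pf
# Added example: pf.conf equivalent of "port forward + outbound NAT" for the
# thread's addresses. Interface names are assumed (pfSense LAN 10.1.1.27,
# WAN 192.168.1.1); pfSense 2.0.x itself writes these rules from the GUI.
lan = "em0"
wan = "em1"

# 1) Port forward (pfSense: Firewall > NAT > Port Forward, on LAN) = pf 'rdr'.
#    Evaluated as the packet ENTERS the LAN interface, so it matches the
#    original destination 10.1.1.49 and rewrites it to the real FTP server.
rdr on $lan proto tcp from 10.1.1.30 to 10.1.1.49 port 21 \
    -> 192.168.1.91 port 21

# 2) Outbound NAT (pfSense: Firewall > NAT > Outbound, manual mode, on WAN)
#    = pf 'nat'. Evaluated as the packet LEAVES the WAN interface, after rdr
#    has already run, so it must match the translated destination
#    192.168.1.91, not 10.1.1.49.
nat on $wan proto tcp from 10.1.1.30 to 192.168.1.91 port 21 \
    -> 192.168.1.13

# Filter rules are evaluated after translation and therefore also see the
# translated addresses. pfSense adds the LAN rule automatically for a port
# forward; it is written out here to make that visible.
pass in  on $lan proto tcp from 10.1.1.30 to 192.168.1.91 port 21 \
    keep state
pass out on $wan proto tcp from 192.168.1.13 to 192.168.1.91 port 21 \
    keep state

# Return traffic (192.168.1.91:21 -> 192.168.1.13) is matched to the state
# created above and both translations are reversed automatically; no
# inbound NAT rules are required for the replies.
```

These rules only cover the FTP control channel on port 21; passive-mode data connections use other ports and are not covered by them.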

