NAT source and destination?

  • I am trying to set up a pfSense 2.0.1 box to replace a failed Nokia/Checkpoint firewall, and I am having some issues with the NAT in pfSense which I need help with.

    On Checkpoint it is possible to NAT both the source and destination of a packet. I have been trying to set this up on the pfSense firewall but cannot get anything similar.

    What I want to achieve is similar to this:

    original packet:
    source : > destination :

    translated (natted) packet:
    source : > destination

    So this works as follows.

    A client on the internal network with an IP address wants to connect to an FTP server, but as the destination server IP changes often we do not want to keep changing the client's FTP destination address, so we use the internal IP, which is an alias (or proxy ARP) on the LAN interface. The FTP server will only allow access from the 192.168.1.x range, so we need to make sure the source address is NATted to an IP in the 192.168.1.x range (not the WAN interface IP!). So this means we first have to NAT the destination > but also then the source >

    So the NAT rule looks like this:

    original                                                                          translated
    source              destination          service                        source                      destination          service            ftp                              ftp

    pfSense LAN is, WAN is.

    I cannot see any way of doing this, so could anyone more experienced with pfSense NAT please help?

    Thanks for looking.

  • OK, just a bit of an update for all of you who have viewed this thread: I have still not managed to do this on the pfSense, but I was able to do this on a Cisco ASA firewall using Twice-NAT with the following command:

    nat (any,any) after-auto source static
    destination static unidirectional

    Does anyone here know how to achieve this on the pfSense?

    Thanks again for looking.

  • For egress traffic, you can change the source IP with outbound NAT, and the destination IP with port forwards.

  • Yes, I understand, but how do I combine both outbound NAT and a port forward for the same packet?

    Do I first create an outbound NAT rule to convert src: dst: to src: dst:
    and then add a port forward for to?

    What would be the way of doing this, and which interface would the NAT/PF rules be on, INT or EXT?

    And how would the incoming packet be NATted? Would it be the same in reverse, or would I need to configure new NAT rules for this?

    Sorry if this is basic stuff, but I am completely new to the pfSense way of doing NAT (and to be truthful the documentation does not help much).
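The combination asked about above, shown as the underlying FreeBSD pf rules that pfSense 2.0.x builds from a LAN port forward plus a manual outbound NAT rule on WAN. This is an added illustration, not a post from the thread; every address and interface name is a placeholder because the thread does not give the real ones.

```pf
# Added illustration: destination rewrite (port forward / rdr) and source
# rewrite (outbound NAT / nat) applied to the same flow on pfSense 2.0.x.
# All names and addresses below are placeholders, not values from the thread.
lan_if   = "em0"           # pfSense LAN interface (placeholder)
wan_if   = "em1"           # pfSense WAN interface (placeholder)
lan_net  = "10.0.0.0/24"   # internal client network (placeholder)
alias_ip = "10.0.0.21"     # LAN IP alias / proxy ARP the clients point at (placeholder)
ftp_srv  = "203.0.113.21"  # current real FTP server address (placeholder)
nat_src  = "192.168.1.21"  # source the FTP server expects to see (placeholder)

# Step 1: port forward, evaluated as the packet ENTERS on LAN.
# Rewrites the destination from the stable alias to the real server.
# GUI equivalent: Firewall > NAT > Port Forward on LAN, destination alias_ip:21,
# redirect target ftp_srv.
rdr on $lan_if proto tcp from $lan_net to $alias_ip port 21 -> $ftp_srv port 21

# Step 2: outbound NAT, evaluated as the packet LEAVES on WAN.
# By now the destination is already ftp_srv, so the rule matches on that.
# GUI equivalent: Firewall > NAT > Outbound, manual mode, rule on WAN with
# destination ftp_srv and a Virtual IP (nat_src) as the translation address.
# It must be ordered above the default "LAN to any" outbound rule.
nat on $wan_if proto tcp from $lan_net to $ftp_srv port 21 -> $nat_src

# Translation runs before filtering, so the LAN pass rule must match the
# already-rewritten destination, not alias_ip.
pass in  quick on $lan_if proto tcp from $lan_net to $ftp_srv port 21 keep state
pass out quick on $wan_if proto tcp from $nat_src to $ftp_srv port 21 keep state

# Return traffic: pf NAT is stateful. Replies from ftp_srv to nat_src are matched
# by the state entry and both rewrites are reversed automatically, so no
# separate inbound rules are needed. nat_src does need to be an address pfSense
# answers for on the WAN side (the WAN IP or a Virtual IP / proxy ARP entry).
```

Because FTP embeds addresses inside the control channel, active-mode transfers through this double translation additionally rely on pfSense's FTP helper (or passive mode on the client); the rules above only cover the control connection on port 21.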
