Easy way to show NAT translation table?



  • Hi all,

    Setting up an outbound NAT rule for only two of the networks behind my firewall (I have many, but these two have private RFC1918 netblocks, and I want to NAT them outbound to a single public IP addr that is not the outside int's address). I would like to verify that the NAT is happening correctly; is there a simple way (either through the GUI or the CLI) to show the current NAT translation table? Something like the Cisco "show ip nat translations", which produces the following sort of output:

    R1# show ip nat translations
    Pro Inside global      Inside local        Outside local      Outside global
    udp 200.2.2.1:53427    192.168.0.6:53427   74.200.84.4:53     74.200.84.4:53
    udp 200.2.2.1:53427    192.168.0.6:53427   195.170.0.1:53     195.170.0.1:53
    tcp 200.2.2.1:53638    192.168.0.6:53638   64.233.189.99:80   64.233.189.99:80
    tcp 200.2.2.1:57585    192.168.0.7:57585   69.65.106.48:110   69.65.106.48:110
    tcp 200.2.2.1:57586    192.168.0.7:57586   69.65.106.48:110   69.65.106.48:110

    Thanks!



  • Anyone? Surely there must be a way….


  • Rebel Alliance Developer Netgate

    Diagnostics > States



  • Try pfctl -s nat.



  • @podilarius:

    Try pfctl -s nat.

    Oh, and you can add v's to get more info, like:

    pfctl -vvs nat


  • Rebel Alliance Developer Netgate

    Those show the nat rules, not the nat translations. The state table would be the only source of seeing the NAT translations.

    At the CLI, to dump the states, use:

    pfctl -ss

    To restrict that to just NAT, try:

    pfctl -ss | egrep '(>.*>|<.*<)'

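To turn that state dump into the kind of check the original question asks for, here is an added Python example (not from this thread and not pfSense code) that parses `pfctl -ss` lines in both the older `src -> translated -> dst` form the egrep above matches and the newer `translated (src) -> dst` form, then flags any state from the NAT'd networks that was not translated to the intended public address. The sample state lines, the two networks and the address 203.0.113.7 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `pfctl -ss` output (not captured from a real firewall):
# lines 1-2 use the older "src -> translated -> dst" form the egrep above matches,
# line 3 the newer "translated (src) -> dst" form, lines 4-5 carry no translation.
SAMPLE = """\
em0 tcp 192.168.10.5:51000 -> 203.0.113.7:51000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 udp 10.20.0.9:53427 -> 198.51.100.1:53427 -> 9.9.9.9:53       MULTIPLE:SINGLE
em0 tcp 203.0.113.7:52000 (192.168.10.6:52000) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
em0 tcp 10.20.0.10:40000 -> 93.184.216.34:22       ESTABLISHED:ESTABLISHED
em0 tcp 198.51.100.50:40000 -> 93.184.216.34:22       ESTABLISHED:ESTABLISHED
"""

HOST = r"(\S+):(\d+)"
OLD = re.compile(rf"^\S+ (\w+) {HOST} -> {HOST} -> {HOST}")    # src -> xlated -> dst
NEW = re.compile(rf"^\S+ (\w+) {HOST} \({HOST}\) -> {HOST}")   # xlated (src) -> dst
PLAIN = re.compile(rf"^\S+ (\w+) {HOST} -> {HOST}(?:\s|$)")    # src -> dst, no NAT

def parse_state(line):
    """(proto, inside_local, inside_global, outside); inside_global is None without NAT."""
    if m := OLD.match(line):
        p, il, ilp, ig, igp, o, op = m.groups()
    elif m := NEW.match(line):
        p, ig, igp, il, ilp, o, op = m.groups()
    elif m := PLAIN.match(line):
        p, il, ilp, o, op = m.groups()
        ig = igp = None
    else:
        return None  # not a state line (e.g. a warning printed by pfctl)
    return p, f"{il}:{ilp}", (f"{ig}:{igp}" if ig else None), f"{o}:{op}"

def check_nat(output, nat_nets, nat_ip):
    """Every state originating in nat_nets must be translated to nat_ip; returns (ok_count, problems)."""
    nets = [ipaddress.ip_network(n) for n in nat_nets]
    ok, problems = 0, []
    for line in output.splitlines():
        st = parse_state(line)
        if st is None:
            continue
        proto, local, glob, outside = st
        src = ipaddress.ip_address(local.rsplit(":", 1)[0])
        if not any(src in n for n in nets):
            continue  # a routed (non-NAT) network: nothing to verify here
        if glob is None:
            problems.append(f"{proto} {local} -> {outside}: not translated")
        elif glob.rsplit(":", 1)[0] != nat_ip:
            problems.append(f"{proto} {local} -> {outside}: translated to {glob}, expected {nat_ip}")
        else:
            ok += 1
    return ok, problems
```

On a live box, feed the real dump in with `check_nat(subprocess.check_output(["pfctl", "-ss"], text=True), ...)` and any entry in the returned problem list is a state the outbound NAT rule did not catch.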

  • Sorry. Misinterpreted what was being asked for.

