Netgate Discussion Forum

    Localhost Rewrite

    Category: Firewalling (9 Posts, 2 Posters, 2.3k Views)
    packetmonkey:

      Hello,

      Hope this is the right place to ask…

      I am looking to replace a commercial firewall with a pfsense box but there is one feature that the commercial firewall has that I'm unsure how to do in pfsense (or if it can do it!)

      For a situation where the firewall has two network cards (an internal LAN and a WAN connection).

      WAN: 10.1.1.1
      LAN: 192.168.1.1

      Assuming on the LAN there is a webserver with IP address 192.168.1.2.

      On the commercial firewall I create a rule that maps http from the external IP (10.1.1.1) onto the webserver on 192.168.1.2.

      So far so good, and more than possible with pfsense.

      Let's assume that an external user (IP 5.5.5.5) attempts to connect to 10.1.1.1 port 80; they receive the website on the webserver.

      The webserver sees the logs as coming from 5.5.5.5 and all is well.

      However, on the commercial firewall there is an option during the rule creation that allows the external mapping connection to come from the firewall LAN address (192.168.1.1), so the web logs show the page being viewed by 5.5.5.5 as actually coming from 192.168.1.1. This is called localhost NATting or some such option on the commercial firewall. I believe this is because it uses advanced network proxies and looks a bit deeper into the packets (even if it is just passing them).

      The advantage of this in complex networks is that the LAN webserver can have a different default gateway than that of 192.168.1.1 and it still works externally.

      Is this possible in pfsense and how would I go about recreating it?
      Many thanks for your patience in reading this far.

      :-)

    cmb:

        That's just doing source NAT. Manual outbound NAT lets you configure it that way.

    packetmonkey:

          Hi,

      Thanks for the help.

      I think this is a bit more than doing source NAT, as this is not outbound traffic (it's traffic from outside that needs to have its source address rewritten, and the firewall aware enough to track the connections).

          I think the commercial firewall is an application firewall (with proxies for connections) if this helps.

          Many thanks for assistance.

    cmb:

            It's just source NAT, you can source NAT into your LAN or any other network. If you actually have a need for a reverse proxy, there are several options in packages, but it sounds like source NAT would suffice.

    packetmonkey:

      Hi, thanks for the assistance, I really appreciate it.

              Can you advise what you mean by "just a source NAT"?

              I have a rule under "Firewall: NAT: Port Forward" but can't see any options that would help.

              Is this the wrong place for the rule and if so can you shed some light on the right place to configure?

              Many thanks,

    cmb:

                Source NAT is outbound NAT.

    packetmonkey:

                  Ah right so you are saying remove the rule from "Firewall: NAT: Port Forward" and add it under "Firewall: NAT: Outbound" instead.

                  Even though that's outbound it is what I need for this inbound requirement?

                  Thanks

    cmb:

      You need both. Port forwards translate the destination IP and/or port; outbound NAT translates the source IP.

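Worked example, added here and not part of the original thread or of Netgate's documentation: the two rules cmb describes, written as the pf rules pfSense generates underneath its GUI. The addresses are the ones from the first post; the interface names em0 (WAN) and em1 (LAN) are assumptions. In the GUI this is a Port Forward on WAN (TCP, destination "WAN address" port 80, redirect target 192.168.1.2 port 80) plus, with Outbound NAT set to Hybrid or Manual mode, an Outbound NAT rule on the LAN interface with destination 192.168.1.2 port 80 and the translation address set to "Interface address".

```pf
# Constructed example for the thread's scenario (not from pfSense itself).
# em0 = WAN (10.1.1.1), em1 = LAN (192.168.1.1); both interface names assumed.
wan_if  = "em0"
lan_if  = "em1"
wan_ip  = "10.1.1.1"
lan_ip  = "192.168.1.1"
web_srv = "192.168.1.2"

# 1. Port forward (destination NAT), evaluated as the packet enters on WAN:
#    5.5.5.5 -> 10.1.1.1:80 becomes 5.5.5.5 -> 192.168.1.2:80.
#    "rdr pass" also admits the redirected traffic, like the GUI's
#    "Filter rule association: pass" option.
rdr pass on $wan_if inet proto tcp from any to $wan_ip port 80 -> $web_srv port 80

# 2. Outbound NAT (source NAT), evaluated as the same packet leaves on LAN:
#    5.5.5.5 -> 192.168.1.2:80 becomes 192.168.1.1 -> 192.168.1.2:80.
#    The webserver now replies to 192.168.1.1, which is on-link, so its
#    default gateway no longer matters; pf's state table maps the reply
#    back to 5.5.5.5 and to 10.1.1.1 before it leaves the WAN interface.
nat on $lan_if inet proto tcp from any to $web_srv port 80 -> $lan_ip
```

Check it under Diagnostics > States (or `pfctl -ss` at the shell): a connection from 5.5.5.5 should show one state carrying both translations. The trade-off is the one the first post already describes: the webserver's logs and any IP-based access control on it only ever see 192.168.1.1, so keep the outbound NAT rule narrowed to the forwarded destination and port, and if the real client address matters, the reverse-proxy packages cmb mentions can pass it in an X-Forwarded-For header instead.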
    packetmonkey:

                      Hi,

                      Many thanks for all your assistance (and patience).

                      I now understand that I need both rules (port forward and also the outbound mapping).

                      I had a look on the options for the outbound rules and I am, in all honesty, a bit lost in what should be put in this to apply the simple rule as per the example above.

                       Trying not to be high maintenance, but I'm genuinely lost on what config is required to do this with pfsense…

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.