Full NAT scenario

  • Hi,
    We have a IPSec VPN tunnel from Asia to Europe. The endpoint of the tunnel is our firewall (which is a secondary IP). Earlier we had a webserver here but now it is hosted externally, so we have redirected the internal traffic to the external hoster using following Full-NAT rule:

    Full NAT [Translate internal requests from Asia to External Hoster]
    Traffic selector: 192.168.10.* (Asian user) → HTTP → (Virtual 2nd IP)
    Source translation: (external IP) HTTP
    Destination translation: (Hoster) HTTP

    Opposite direction is also possible, so the external hosted application is able to call an internal Web server using following Full-NAT rule:

    Full NAT [Translate requests from External Hoster to internal WebSvr]
    Traffic selector: (Hoster) → 8089 → (external IP)
    Source translation: (Firewall primary IP) HTTP
    Destination translation: (Web Server) HTTP

    Has pfSense the capabilities to setup this kind of rules?

    Tks and brgds, janosh

  • Unless you are after something more convoluted or have any special reason to push the traffic from Asia through the tunnel, why not to access the server (that is now in a public IP addressing space) directly from the user workstation?

    I mean, your web server is now a standard public webserver as they are the ones of google to say. And that is what you are trying to do with your nat translations. Instead of connecting to they may connect to the public address of the server.

    Anyway if there are any special considerations so that you need to pass the traffic for that server through the tunnel you can have a look at this document that depicts a similar scenario that you are showing.


    Hope this help.


  • Tks for your reply so far.
    The connection speed and stability through public internet is quite bad from Asia to Europe, while it is far better using the internal way through our MPLS (leased line).

    Your answer convers the part with the virtual address, which seems to be fine with pfSense.
    In the linked tutorial under "NAT IP" the description says one can only enter an INTERNAL ip as the destination IP, but in our case the destination IP should be the EXTERNAL ip of our hoster. Do I understand it right that way?


Log in to reply