Manual Outbound NAT Does Not Work

mehmetyayla

Hi everyone,

I'm trying to outbound NAT ( from lan to wan port translate )

But does not work.

I want to alter the destionation port going from lan to wan.

When I try connect with telnet to 1251 port to hotmail smtp port
For example : windows cmd >> telnet mx1.hotmail.com 1251
hotmail should give me answer from smtp (25) port.

I define manual outbound nat but does not work.

rule is atached.

outbound.png_thumb

stephenw10

The source port will not be 1251 but some random high number unless you have specified it at the client. Leave it empty.

Steve

Edit: Also you should have WAN selected for the interface if this is outbound NAT.

Edit2: Hmm, actually you might have to use port forwarding on LAN for this.

mehmetyayla

steve thank you for reply.

port 1251 just example port number. Doesn't matter!

I'm trying every rule,

Wan to wan with destionation network and LAN to WAN Outbound rule etc…

I guess, I'm missing a small point.

I want to ask ; how these rules should be written?

How to translate from going LAN to outbound (wan) port 1251 to 25?

stephenw10

Well like I said in the edit the source port field in the translation section is actually for static port selection, the outbound source port not destination.
It looks like you would have to use port forwarding to do this but I'm not entirely sure how it would (or could) be done from LAN to WAN. :-\

Steve

stephenw10

Ok so that seems to work, just use port forwarding.
Here's a test rule I used. Now any machine in the LAN2 subnet can access pfsense.org on port 8888 and is redirected to port 80. See attached image.

Edit: I have a linked firewall rule on that port forward but there is not need for it. I simply neglected to uncheck the box! Unlike a port forward on WAN the default LAN rules allow the traffic out anyway.

Steve

![internal port forward.JPG](/public/imported_attachments/1/internal port forward.JPG)
![internal port forward.JPG_thumb](/public/imported_attachments/1/internal port forward.JPG_thumb)

mehmetyayla

Steve thank you. You're my hero too :)

First of all I'll doing Automatic outbound NAT rule generation, and than I'll use to port forwarding rule.

I'll try this method, and I'll give information for you.

mehmetyayla

Steve,

I removed all manual outbound rules, and than I marked automatic outbound rule generation.

Than I have created a new port forwarding rule.

Rules is atached.

Does it work like that?

pfrule.png_thumb

pfrule1.png_thumb

stephenw10

As I said before the source port from the clients will not be 1251 but some high random number. Change the source port to 'any'.
Otherwise that should work.

Steve

mehmetyayla

Steve,

Source port should not be "any". because my customer wants to get out with a port from lan . but we can give high random port. Which port should we use?

stephenw10

You are able to set the source port in the customers application?
Are you sure you've understood the difference between the source and destination ports? Neither of those are the translated nat port.
Look at my test rule. The source port is 'any' because my browser/OS chooses a port at random, I have no way of knowing what it will be.

Steve

mehmetyayla

Steve,
That's right.
We're using diffrent software our local network. For this reason, this software will be select . it should not random port.

stephenw10

Ok, well even if you can set the source port setting the rule to 'any' will still catch the traffic as long as the destination port is correct, 1251 in your example.

Have you tested it?

Steve

timthetortoise

mehmetyayia, assuming that what you're trying to achieve is outgoing port 1251 to be translated to outgoing port 25, Steve is correct - set your source port to any, and the destination port to 1251. The source port is 99% of the time an ephemeral port on the client accessing the service (in this case, your specialized machine). You can confirm this on the machine by running 'netstat -an | grep :1251' in *nix or 'netstat -an | find ":1251"' in Windows. If it's in the second IP address column, that is the destination port. If it's in the first, it is indeed the source port. My bet is it's in the destination.

mehmetyayla

thank you all,

I did your said appropriate. Final rule is atached.

I didn't tried yet. Because I'm away from our office.

I'll give your information.

pfrule.png_thumb

stephenw10

The source address must be 'LAN net' not 'LAN address'. Sorry I missed that before.

Steve

mehmetyayla

Steve,
There are only lan subnet and lan address in the source adress . I'm using LAN subnet.
is it?

stephenw10

Yes 'LAN subnet'. It's displayed as 'LAN net' in the rule table. Confusing. ;)

Steve

mehmetyayla

Steve,
really thank you for everything. I'll try today and than I'll back to you.

phil.davis

@stephenw10:

Yes 'LAN subnet'. It's displayed as 'LAN net' in the rule table. Confusing. ;)

There have been enough queries about this inconsistency, I bit the bullet and submitted a pull request to make it all say "LAN net", "WAN net" rather than using "subnet" in some places:
https://github.com/pfsense/pfsense/pull/902
Took only a few minutes to make the changes, we will all save more time than that in answering queries.