Manual Outbound NAT Does Not Work



  • Hi everyone,

    I'm trying to do outbound NAT (translate a port going from LAN to WAN).

    But it does not work.

    I want to alter the destination port going from LAN to WAN.

    When I try to connect with telnet on port 1251 to the hotmail smtp port
    For example: windows cmd >> telnet mx1.hotmail.com 1251
    hotmail should give me an answer from the smtp (25) port.

    I defined a manual outbound NAT rule but it does not work.

    The rule is attached.



  • Netgate Administrator

    The source port will not be 1251 but some random high number unless you have specified it at the client. Leave it empty.

    Steve

    Edit: Also you should have WAN selected for the interface if this is outbound NAT.

    Edit2: Hmm, actually you might have to use port forwarding on LAN for this.



  • Steve, thank you for the reply.

    Port 1251 is just an example port number. It doesn't matter!

    I'm trying every rule,

    WAN to WAN with destination network and LAN to WAN outbound rule etc…

    I guess I'm missing a small point.

    I want to ask: how should these rules be written?

    How do I translate port 1251 to 25 going from LAN outbound (WAN)?


  • Netgate Administrator

    Well, like I said in the edit, the source port field in the translation section is actually for static port selection: the outbound source port, not the destination.
    It looks like you would have to use port forwarding to do this but I'm not entirely sure how it would (or could) be done from LAN to WAN.  :-\

    Steve


  • Netgate Administrator

    Ok so that seems to work, just use port forwarding.
    Here's a test rule I used. Now any machine in the LAN2 subnet can access pfsense.org on port 8888 and is redirected to port 80. See attached image.

    Edit: I have a linked firewall rule on that port forward but there is no need for it. I simply neglected to uncheck the box! Unlike a port forward on WAN, the default LAN rules allow the traffic out anyway.

    Steve

    ![internal port forward.JPG](/public/imported_attachments/1/internal port forward.JPG)



  • Steve, thank you. You're my hero too :)

    First of all I'll use Automatic outbound NAT rule generation, and then I'll use a port forwarding rule.

    I'll try this method, and I'll let you know.



  • Steve,

    I removed all manual outbound rules, and then I selected automatic outbound rule generation.

    Then I created a new port forwarding rule.

    The rule is attached.

    Does it work like that?





  • Netgate Administrator

    As I said before the source port from the clients will not be 1251 but some high random number. Change the source port to 'any'.
    Otherwise that should work.

    Steve



  • Steve,

    The source port should not be "any", because my customer wants to get out with a specific port from the LAN. But we can use a high random port. Which port should we use?


  • Netgate Administrator

    You are able to set the source port in the customers application?
    Are you sure you've understood the difference between the source and destination ports? Neither of those is the translated NAT port.
    Look at my test rule. The source port is 'any' because my browser/OS chooses a port at random, I have no way of knowing what it will be.

    Steve



  • Steve,
    That's right.
    We're using different software on our local network. For this reason, this software will select it. It should not be a random port.


  • Netgate Administrator

    Ok, well even if you can set the source port setting the rule to 'any' will still catch the traffic as long as the destination port is correct, 1251 in your example.

    Have you tested it?

    Steve



  • mehmetyayia, assuming that what you're trying to achieve is outgoing port 1251 to be translated to outgoing port 25, Steve is correct - set your source port to any, and the destination port to 1251. The source port is 99% of the time an ephemeral port on the client accessing the service (in this case, your specialized machine). You can confirm this on the machine by running 'netstat -an | grep :1251' in *nix or 'netstat -an | find ":1251"' in Windows. If it's in the second IP address column, that is the destination port. If it's in the first, it is indeed the source port. My bet is it's in the destination.
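The netstat check described in the post above, worked through as an added example (this is not code from the thread or from pfSense): the small parser below reads `netstat -an` style lines and reports, for a given port, whether it appears in the local-address column (the client's own source port) or in the foreign-address column (the destination port the port-forward rule must match). The sample lines are constructed to mimic both the Windows and Linux/BSD column layouts, including one IPv6 pair; the function names and the `verdict` labels are my own.

```python
import re

# Constructed sample of `netstat -an` output (not captured from a real host).
# It mixes the Windows layout (Proto  Local  Foreign  State) and the Linux/BSD
# layout (proto recv-q send-q local foreign state) so the parser handles both.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49152     65.55.37.62:1251       ESTABLISHED
  TCP    192.168.1.10:1251      10.0.0.5:33810         ESTABLISHED
  TCP    [2001:db8::10]:49154   [2001:db8::1]:1251     ESTABLISHED
tcp        0      0 192.168.1.10:49153      65.55.37.62:1251       ESTABLISHED
tcp        0      0 0.0.0.0:1251            0.0.0.0:*               LISTEN
udp        0      0 192.168.1.10:5353       0.0.0.0:*
"""

# Matches one "host:port" token; the host may be IPv4, bracketed or bare IPv6,
# or "*"; the port may be a number or "*" (wildcard, as in a LISTEN socket).
ENDPOINT_RE = re.compile(r"^(?P<host>\[?[0-9a-fA-F.:]+\]?|\*):(?P<port>\d+|\*)$")


def parse_endpoints(line):
    """Return [(host, port), ...] for every host:port token on one netstat line.

    A wildcard port ("*") is returned as None. Tokens such as "tcp", "0" or
    "ESTABLISHED" do not match the regex and are skipped.
    """
    out = []
    for tok in line.split():
        m = ENDPOINT_RE.match(tok)
        if m:
            port = m.group("port")
            out.append((m.group("host").strip("[]"), None if port == "*" else int(port)))
    return out


def classify_port(netstat_output, port):
    """Split every connection line by where `port` appears.

    netstat prints the local endpoint first and the foreign endpoint second, so
    the first host:port token is the local side and the second is the remote
    side. A port found on the local side is the client's own (source) port; a
    port found on the foreign side is the destination port on the server.
    """
    result = {"local": [], "foreign": []}
    for line in netstat_output.splitlines():
        eps = parse_endpoints(line)
        if len(eps) < 2:          # header line, or a socket with no peer shown
            continue
        (lhost, lport), (fhost, fport) = eps[0], eps[1]
        if lport == port:
            result["local"].append((lhost, fhost, fport))
        if fport == port:
            result["foreign"].append((lhost, lport, fhost))
    return result


def verdict(result):
    """Summarise classify_port(): which column the port is (mostly) in."""
    n_foreign, n_local = len(result["foreign"]), len(result["local"])
    if n_foreign == 0 and n_local == 0:
        return "absent"
    if n_foreign > n_local:
        return "destination"   # the port-forward rule should match this as destination port
    if n_local > n_foreign:
        return "source"        # the application really is pinning its source port
    return "mixed"


if __name__ == "__main__":
    r = classify_port(SAMPLE_NETSTAT, 1251)
    print("local  :", r["local"])
    print("foreign:", r["foreign"])
    print("verdict:", verdict(r))
```

In the constructed sample, port 1251 shows up three times in the foreign column (outgoing connections from ephemeral ports 49152, 49153 and 49154) and twice in the local column (one listening socket and one inbound connection), so the verdict is "destination": the rule's source port stays 'any' and its destination port is 1251, exactly as the post recommends. Run it against real `netstat -an` output by piping that text into `classify_port` instead of the sample string.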



  • Thank you all,

    I did as you said. The final rule is attached.

    I haven't tried it yet, because I'm away from our office.

    I'll let you know.



  • Netgate Administrator

    The source address must be 'LAN net' not 'LAN address'. Sorry I missed that before.

    Steve



  • Steve,
    There are only 'LAN subnet' and 'LAN address' in the source address. I'm using LAN subnet.
    Is that it?


  • Netgate Administrator

    Yes 'LAN subnet'. It's displayed as 'LAN net' in the rule table. Confusing.  ;)

    Steve



  • Steve,
    Really, thank you for everything. I'll try today and then I'll get back to you.



  • @stephenw10:

    Yes 'LAN subnet'. It's displayed as 'LAN net' in the rule table. Confusing.  ;)

    There have been enough queries about this inconsistency, I bit the bullet and submitted a pull request to make it all say "LAN net", "WAN net" rather than using "subnet" in some places:
    https://github.com/pfsense/pfsense/pull/902
    Took only a few minutes to make the changes, we will all save more time than that in answering queries.