Manual Outbound NAT rule generation DMZ to LAN not working



  • Hello, I have a server in the DMZ that needs to talk on a certain port (4001) to the server on my LAN. When I set Manual Outbound NAT rule generation for my DMZ interface it does not want to work. The source ports are still being randomized; am I missing something? I have tried changing the NAT rule for DMZ to use different interfaces (WAN, DMZ, LAN) with no luck. I have attached a screen shot. Thanks



  • When you say "talk on a certain port" do you mean that:
    a) The server in LAN is listening on port 4001, so you have to connect from a DMZ system to server LAN IP port 4001, or;
    b) The server wants the connections to come from port 4001.

    If (a) then you should be able to just connect without any NAT. Just make a firewall rule on DMZ to pass traffic to the LAN server IP.

    If (b) then you could use an outbound NAT rule on LAN. Map traffic from DMZ subnet to LAN address port 4001. Then the traffic on the way from DMZ and out of LAN will have the source IP and port rewritten to LAN address and port 4001.

    Outbound NAT rules go on the interface where the traffic is leaving; in this case the traffic leaves the LAN interface to get to the server on LAN.



  • Hey Phil,
    Thanks for getting back to me. The DMZ server (192.168.100.10) and LAN server (192.168.30.14) need to communicate both ways on port 4001.
    I created two Outbound NAT rules:
    1. DMZ interface Source IP: 192.168.100.10/31 Source Port: 4001 Destination: 192.168.30.14  Destination Port: 4001 Static Port checked
    2. LAN Interface Source IP: 192.168.30.14/31  Source Port: 4001 Destination: 192.168.100.10 Destination Port: 4001 Static Port checked

    I have attached screenshots of the Outbound NAT rule, Firewall Rule, and the Log showing the randomization on the source port after setting these settings.

    Thanks for helping NAT/Routing is something I am striving to work on.  8)

    ![NAT Mapping.png](/public/imported_attachments/1/NAT Mapping.png)
    ![Firewall Rule.png](/public/imported_attachments/1/Firewall Rule.png)
    ![ Log.png](/public/imported_attachments/1/ Log.png)



  • Ahhh, the random port is coming from the Windows server, not pfSense. Used netstat to determine this. I guess I will just use ANY for the source and that should work.



  • You need to sort out source and destination.
    On firewall rules it is matching and filtering incoming traffic, e.g. on DMZ tab source must be IPs in DMZ, destination is IPs in other places, like LAN.
    On Outbound NAT it is done when exiting the interface. So on LAN, the source will be addresses in DMZ and destination going out to addresses in LAN.
    If you think carefully where the traffic is flowing that originates the connection, then you will get the source and destination correct.
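    The interface-placement point Phil makes here (and in his first reply) as an added Python model; this is not pfSense code or anything posted in this thread. It assumes /24 subnets with the firewall at .1 on each, and a fixed `random_port` standing in for pf's source-port randomisation, so the model shows why a rule attached to DMZ never sees DMZ-to-LAN traffic while the same rule on LAN does.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed topology using the thread's addresses; the /24 masks and the
# .1 firewall addresses are assumptions, not taken from the original post.
INTERFACES = {"DMZ": ipaddress.ip_network("192.168.100.0/24"),
              "LAN": ipaddress.ip_network("192.168.30.0/24")}
INTERFACE_ADDRESS = {"DMZ": "192.168.100.1", "LAN": "192.168.30.1"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class OutboundNat:
    interface: str        # interface the rule is attached to (egress side)
    source_net: str       # "any" or CIDR matched against the ORIGINAL source
    dest: str             # "any" or the destination host address
    dport: Optional[int]  # destination port, None for any
    static_port: bool     # True keeps the original source port

def egress_interface(dst: str) -> str:
    """Route lookup: the interface whose subnet contains the destination."""
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(dst) in net:
            return name
    raise ValueError(f"no route to {dst}")

def apply_outbound_nat(pkt: Packet, rules: list, random_port: int = 51234) -> Packet:
    """Outbound NAT is evaluated on the interface the packet LEAVES through.
    random_port is a constructed stand-in for pf's source-port randomisation."""
    out_if = egress_interface(pkt.dst)
    for r in rules:
        if r.interface != out_if:
            continue  # a rule attached to another interface never sees this flow
        if r.source_net != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(r.source_net):
            continue
        if r.dest != "any" and r.dest != pkt.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        new_sport = pkt.sport if r.static_port else random_port
        return replace(pkt, src=INTERFACE_ADDRESS[out_if], sport=new_sport)
    return pkt  # no rule matched: the packet leaves untranslated
```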



  • Phil thanks so much for your help. I was able to successfully get the servers communicating!!!  ;D


  • And the source port has to be 4001??  What software is this – you normally do not require a specific source port..  I show 4001 is registered to newoak

    http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

    Also seems odd that you would really need to NAT between local segments both using rfc1918 address space.  So what is your final solution?  Did you really need source port of 4001 and Natting?

