    Manual Outbound NAT rule generation DMZ to LAN not working

    VirtualizingStuff

      Hello, I have a server in the DMZ that needs to talk on a certain port (4001) to a server on my LAN. When I set Manual Outbound NAT rule generation for my DMZ interface it does not want to work. The source ports are still being randomized; am I missing something? I have tried changing the NAT rule for DMZ to use different interfaces (WAN, DMZ, LAN) with no luck. I have attached a screenshot. Thanks

      phil.davis

        When you say "talk on a certain port" do you mean that:
        a) The server in LAN is listening on port 4001, so you have to connect from a DMZ system to server LAN IP port 4001, or;
        b) The server wants the connections to come from port 4001.

        If (a) then you should be able to just connect without any NAT. Just make a firewall rule on DMZ to pass traffic to the LAN server IP.

        If (b) then you could use an outbound NAT rule on LAN. Map traffic from DMZ subnet to LAN address port 4001. Then the traffic on the way from DMZ and out of LAN will have the source IP and port rewritten to LAN address and port 4001.

        Outbound NAT rules go on the interface where the traffic is leaving; in this case the traffic leaves the LAN interface to get to the server on LAN.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        VirtualizingStuff

          Hey Phil,
          Thanks for getting back to me. The DMZ server (192.168.100.10) and LAN server (192.168.30.14) need to communicate both ways on port 4001.
          I created two Outbound NAT rules:
          1. DMZ interface Source IP: 192.168.100.10/31 Source Port: 4001 Destination: 192.168.30.14  Destination Port: 4001 Static Port checked
          2. LAN Interface Source IP: 192.168.30.14/31  Source Port: 4001 Destination: 192.168.100.10 Destination Port: 4001 Static Port checked

          I have attached screenshots of the Outbound NAT rule, the Firewall Rule, and the log showing the randomization of the source port after applying these settings.

          Thanks for helping NAT/Routing is something I am striving to work on.  8)

          ![NAT Mapping.png](/public/imported_attachments/1/NAT Mapping.png)
          ![Firewall Rule.png](/public/imported_attachments/1/Firewall Rule.png)
          ![ Log.png](/public/imported_attachments/1/ Log.png)

          VirtualizingStuff

            Ahhh, the random port is coming from the Windows server, not pfSense. I used netstat to determine this. I guess I will just use ANY for the source and that should work.

            phil.davis

              You need to sort out source and destination.
              Firewall rules match and filter incoming traffic, e.g. on the DMZ tab the source must be IPs in DMZ and the destination is IPs in other places, like LAN.
              Outbound NAT is done when traffic exits the interface. So on LAN, the source will be addresses in DMZ and the destination will be addresses in LAN.
              If you think carefully where the traffic is flowing that originates the connection, then you will get the source and destination correct.

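              The placement phil.davis describes in both of his replies, written out as the pf rules pfSense would generate for this thread's addresses. This is an added illustration, not from the thread or from pfSense itself; interface names em1 (LAN), em2 (DMZ) and the firewall's LAN address 192.168.30.1 are assumptions.

```pf
# Constructed example; interface names and the firewall LAN address are assumed.
dmz_if  = "em2"
lan_if  = "em1"
lan_ip  = "192.168.30.1"
dmz_srv = "192.168.100.10"
lan_srv = "192.168.30.14"

# Case (a): the LAN server listens on 4001. No NAT at all. The only rule needed is a
# firewall rule on the interface where the traffic ENTERS the firewall (DMZ), with
# source = the DMZ host and destination = the LAN server.
pass in quick on $dmz_if inet proto tcp from $dmz_srv to $lan_srv port 4001

# Case (b): the LAN server insists on seeing source port 4001. Outbound NAT goes on the
# interface the traffic LEAVES (LAN). Source is still the DMZ host, destination the LAN
# server; the translation rewrites source IP to the LAN address and source port to 4001.
nat on $lan_if inet proto tcp from $dmz_srv to $lan_srv port 4001 -> $lan_ip port 4001

# Alternative to the line above: keep whatever source port the client used instead of
# forcing 4001. This is what pfSense's "Static Port" checkbox produces, and it is
# the right choice when the client (here, the Windows server) picks its own port.
# nat on $lan_if inet proto tcp from $dmz_srv to $lan_srv port 4001 -> $lan_ip static-port

# Misplaced: a nat rule on the DMZ interface never matches this flow, because the packets
# arrive on DMZ and leave on LAN, so it would silently do nothing.
# nat on $dmz_if inet proto tcp from $dmz_srv to $lan_srv port 4001 -> $lan_ip port 4001
```

              Forcing a single source port (case b) also means only one connection at a time can exist between those two hosts, since the translated source IP and port are fixed.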

              VirtualizingStuff

                Phil thanks so much for your help. I was able to successfully get the servers communicating!!!  ;D

                johnpoz (LAYER 8 Global Moderator)

                  And the source port has to be 4001?? What software is this? You normally do not require a specific source port. I show 4001 is registered to newoak:

                  http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

                  Also seems odd that you would really need to NAT between local segments both using RFC 1918 address space. So what is your final solution? Did you really need a source port of 4001 and NATting?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 23.01 | Lab VMs CE 2.6, 2.7
