Packet flow through NAT and rules



  • I'm using pfSense to forward packets from my incoming static IP address to a server on a local IP address (192.168.0.200) and am confused about rule association with port forwarding.

    When there is an associated rule, does pfSense use that rule first or does it traverse the rules in succession?  In other words, if I have the following (simplified), what happens?

    SMTP packet arrives at WAN static IP
    Firewall Rule 1:  If port == SMTP and source IP is in pfBlockerTopSpammers alias then BLOCK  (this evaluates TRUE, the IP address is in the Top Spammers alias)
    Firewall Rule 2:  If port == SMTP and source IP is in pfBlockerAsia alias then BLOCK
    Firewall Rule 3:  If port == SMTP then PASS
    NAT Rule: If port == SMTP then FORWARD to 192.168.1.200 (LAN IP of SMTP server)

    Which route does the packet travel?

    1.  WAN --> Firewall Rule #1 --> packet dropped.
    2.  WAN --> NAT Rule --> Firewall Rule #3 (associated rule) --> 192.168.1.200 (SMTP server)
    3.  WAN --> NAT Rule --> Firewall Rule #1 --> Packet dropped

    I know that it's been requested before, but it would be great to have a packet flow diagram for pfSense.  It makes no sense to me why, in a firewall rule, I should specify the destination as a local server IP address, rather than the actual destination IP in the incoming packet -- one of my static IPs.  I want to BLOCK all packets that come in destined for my Static IP #1; the sender doesn't know my internal IP addressing, so why am I having to pretend that the packet was destined for 192.168.1.200?



  • The RDR translation happens before the rule processing, that's why you have to use the translated address in the destination field of the firewall rule.
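As an added illustration of the order kpa describes (this is a toy model written for this thread, not pfSense or pf code): the port forward (rdr) rewrites the destination first, and only then are the firewall rules evaluated top-down, first match winning, which is the behaviour pfSense gets by marking its rules "quick". The WAN address, the alias contents and the source addresses below are constructed placeholders; the rule list mirrors the three rules and the NAT rule from the question. The last function shows why a pass rule written against the public WAN address never fires: by the time the filter sees the packet, that address is gone.

```python
import ipaddress
from dataclasses import dataclass

# Constructed aliases standing in for the pfBlocker tables named in the post.
ALIASES = {
    "pfBlockerTopSpammers": ["203.0.113.0/24"],
    "pfBlockerAsia": ["198.51.100.0/24"],
}

SMTP = 25
WAN_IP = "192.0.2.10"          # constructed stand-in for the poster's static WAN IP
SMTP_SERVER = "192.168.1.200"  # LAN address of the SMTP server, as in the question


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Port forwards: (public destination, port) -> internal target.
# In pf/pfSense this rdr step runs BEFORE the filter rules are consulted.
RDR = {(WAN_IP, SMTP): SMTP_SERVER}


def apply_rdr(pkt: Packet) -> Packet:
    """Rewrite the destination according to the NAT table; untouched if no match."""
    target = RDR.get((pkt.dst, pkt.dport))
    return pkt if target is None else Packet(pkt.src, target, pkt.dport)


def in_alias(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[name])


# The rules from the question, in list order. The pass rule (the "associated" rule
# of the port forward) matches on the TRANSLATED destination, as kpa explains.
RULES = [
    ("1", "block", lambda p: p.dport == SMTP and in_alias(p.src, "pfBlockerTopSpammers")),
    ("2", "block", lambda p: p.dport == SMTP and in_alias(p.src, "pfBlockerAsia")),
    ("3", "pass", lambda p: p.dport == SMTP and p.dst == SMTP_SERVER),
]

# A mistaken variant: the pass rule written against the public WAN address.
RULES_AGAINST_WAN_IP = RULES[:2] + [
    ("3", "pass", lambda p: p.dport == SMTP and p.dst == WAN_IP),
]


def filter_packet(pkt: Packet, rules=RULES):
    """Top-down, first match wins (pfSense 'quick'); no match means default deny."""
    for num, action, matches in rules:
        if matches(pkt):
            return num, action
    return None, "block"


def trace(pkt: Packet, rules=RULES) -> dict:
    """Full path: NAT rewrite first, then the ordered filter rules."""
    translated = apply_rdr(pkt)
    num, action = filter_packet(translated, rules)
    return {"filter_sees_dst": translated.dst, "rule": num, "action": action}


if __name__ == "__main__":
    for src in ("203.0.113.5", "198.51.100.7", "192.0.2.77"):
        print(src, trace(Packet(src, WAN_IP, SMTP)))
    print("pass rule against WAN IP:", trace(Packet("192.0.2.77", WAN_IP, SMTP), RULES_AGAINST_WAN_IP))
```

Running it shows the three cases from the question: a source in the Top Spammers alias is dropped by rule 1 even though rule 3 is the rule associated with the port forward, a source in the Asia alias is dropped by rule 2, and a source in neither alias reaches the server through rule 3. The filter step sees 192.168.1.200 as the destination in every case, and the variant rule set that matches on the WAN address falls through to the default deny.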



  • @kpa:

    The RDR translation happens before the rule processing, that's why you have to use the translated address in the destination field of the firewall rule.

    Thank you! :)

    It seems kind of inefficient to spend CPU cycles redirecting packets that I will later block with rules, but I understand how it works now.

    Any insight into how it flows through the firewall rules; whether the associated rule is processed first, last, or in rule order?

    I've got mine set up with no associated firewall rules as I was not sure of the order of processing.