How to NAT traffic into a LAN to the LAN interface IP?
-
Hi,
I have a WAN interface and two LAN interfaces (LAN and OPT1). At present traffic from OPT1 goes out to the Internet (WAN) and is NAT'd using the automatic NAT rules. I understand that these apply for traffic going from LAN type interfaces to WAN type interfaces, where WAN type interfaces are defined as those that have a gateway defined and LAN type interfaces as those that don't have a gateway defined. This works and is as required for traffic from OPT1 to get to the internet.
I also want traffic from the LAN interface that routes to the OPT1 interface to be NAT'd to the interface IP on OPT1. Since this is a LAN type to LAN type the automatic NAT rules don't apply so I enabled Manual outbound NAT, and defined a rule on the OPT1 interface for traffic with a source on the LAN interface to any destination using the NAT address of the OPT1 address. But this does not work, a packet capture shows an ICMP packet routed out the OPT1 interface from the LAN network without the source IP being changed.
I wondered if I needed to define the NAT rule on the LAN interface (since the tab is called 'outbound' and the relevant traffic is 'inbound' on the OPT1 interface. But whilst I can specify the source and destination I cannot select OPT1 interface (only LAN interface or a new range) as the NAT pool.
I didn't have much luck with Googling similar situations, although I did not the recent thread by comeback1106 https://forum.pfsense.org/index.php?topic=86629.0 which asks something similar and implies this can be done.
Regards
Martin -
Sounds like you've done everything right. It works here. (From the diagram in my sig) I set the attached manual outbound NAT rule and sshed from Host A1 to Host A2. The source IP from Host A2's perspective is 192.168.1.1.
 -
Thanks Derelict.
I especially liked your lab set-up, inspired me to spin up some pfsense virtuals and do some testing myself. I was able to get this working in this lab setup, but on the actual live router it still does not work. I'm at a loss but I have found a work around and can live without it so I'm going to have to draw the line under it and move on.
I am certainly more educated now, for which I am grateful.
Regards
Martin
