4. How to NAT traffic into a LAN to the LAN interface IP?

How to NAT traffic into a LAN to the LAN interface IP?

  • B

    Hi,

    I have a WAN interface and two LAN interfaces (LAN and OPT1).  At present traffic from OPT1 goes out to the Internet (WAN) and is NAT'd using the automatic NAT rules.  I understand that these apply for traffic going from LAN type interfaces to WAN type interfaces, where WAN type interfaces are defined as those that have a gateway defined and LAN type interfaces as those that don't have a gateway defined.  This works and is as required for traffic from OPT1 to get to the internet.

    I also want traffic from the LAN interface that routes to the OPT1 interface to be NAT'd to the interface IP on OPT1.  Since this is a LAN type to LAN type the automatic NAT rules don't apply so I enabled Manual outbound NAT, and defined a rule on the OPT1 interface for traffic with a source on the LAN interface to any destination using the NAT address of the OPT1 address.  But this does not work, a packet capture shows an ICMP packet routed out the OPT1 interface from the LAN network without the source IP being changed.

    I wondered if I needed to define the NAT rule on the LAN interface (since the tab is called 'outbound' and the relevant traffic is 'inbound' on the OPT1 interface.  But whilst I can specify the source and destination I cannot select OPT1 interface (only LAN interface or a new range) as the NAT pool.

    I didn't have much luck with Googling similar situations, although I did not the recent thread by comeback1106 https://forum.pfsense.org/index.php?topic=86629.0 which asks something similar and implies this can be done.

    Regards
    Martin

    0
  • LAYER 8 Netgate

    Sounds like you've done everything right.  It works here.  (From the diagram in my sig) I set the attached manual outbound NAT rule and sshed from Host A1 to Host A2.  The source IP from Host A2's perspective is 192.168.1.1.

    ![Screen Shot 2015-01-13 at 1.47.56 AM.png](/public/imported_attachments/1/Screen Shot 2015-01-13 at 1.47.56 AM.png)
    ![Screen Shot 2015-01-13 at 1.47.56 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-01-13 at 1.47.56 AM.png_thumb)
    ![Screen Shot 2015-01-13 at 1.50.52 AM.png](/public/imported_attachments/1/Screen Shot 2015-01-13 at 1.50.52 AM.png)
    ![Screen Shot 2015-01-13 at 1.50.52 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-01-13 at 1.50.52 AM.png_thumb)

    0
  • B

    Thanks Derelict.

    I especially liked your lab set-up, inspired me to spin up some pfsense virtuals and do some testing myself.  I was able to get this working in this lab setup, but on the actual live router it still does not work.  I'm at a loss but I have found a work around and can live without it so I'm going to have to draw the line under it and move on.

    I am certainly more educated now, for which I am grateful.

    Regards
    Martin

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy