    Outbound NAT

    NAT
    • B
      bluerains last edited by

      So this may be an easy issue, but I cannot get my pfSense 2.1.5 to work.  I am simply trying to NAT a public IP to a private one (WAN to LAN) on a certain port:

      1. I have my WAN interface IP on 99.99.99.1
      2. I have multiple public IPs from the ISP, 99.99.99.1/26
      3. I made a virtual IP (type IP alias) of 99.99.99.10/26 (it says you have to use /26 instead of /32, I guess?)
      4. I set up an inbound port forward to map 99.99.99.10 to the internal IP of 192.168.2.10
      5. I set up outbound NAT where I said anything coming from 192.168.2.10:5060 NAT to 99.99.99.10:5060
            a. Interface: WAN
            b. Source (type network): 192.168.2.10
            c. Source Port:5060
            d. Destination: *
            e. Destination Port: *
            f. NAT address: 99.99.99.10 (I pick the VIP from the drop down box)
            g. NAT Port: 5060
            h. Static Port: NO

      Now I go to the packet capture and see that the source IP, when I send a SIP message out from 192.168.2.10, shows 99.99.99.1, which is the WAN interface IP. Shouldn't it be 99.99.99.10, the VIP?

      The ONLY WAY I can get it to work is to do 1:1 NAT; then everything that comes out of 192.168.2.10 will be 99.99.99.10.  But I don't want that. I only want to map 5060 because I need to map other ports from this IP (e.g. 10000 to 20000) to another internal IP.

      Any thoughts why outbound NAT will not work but 1:1 NAT works?

      Thank you!

      • C
        cmb last edited by

        Either it doesn't have source port 5060, or your ordering of outbound NAT rules is wrong (first match wins).

        • B
          bluerains last edited by

          There is no issue with order because this is a brand new install; other than the 2 default rules in outbound NAT (which are on top and you cannot move them), these are the only NAT rules I have.  I checked the packet capture; it is coming in from 192.168.2.10 on port 5060 into the firewall.

          • Derelict
            Derelict LAYER 8 Netgate last edited by

            @bluerains:

            There is no issue with order because this is a brand new install; other than the 2 default rules in outbound NAT (which are on top and you cannot move them), these are the only NAT rules I have.  I checked the packet capture; it is coming in from 192.168.2.10 on port 5060 into the firewall.

            Doesn't matter how new the install is.  When you enable manual outbound NAT the outbound NAT ruleset is populated with all of the automatic rules.  One of those is ALL traffic from LAN inside address translated to WAN address.

            If your UDP/5060 rule is after that, it will never be processed.

            Move it to the top.  Select the checkbox on your 5060 rule, then click the move selected rules above this rule button on the top rule.

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
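
The first-match behaviour described in the reply above, as an added example that is not part of the original thread and is not pfSense code: a small Python model of outbound NAT rule evaluation, plus a check that flags any rule hidden behind an earlier, broader one. The rule names, the 192.168.2.0/24 LAN subnet and the helper functions are assumptions made for illustration; the addresses and port come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    name: str
    source: str               # source network in CIDR form
    src_port: Optional[int]   # None means any source port
    nat_addr: str             # address the source is translated to

    def matches(self, ip: str, port: int) -> bool:
        in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(self.source)
        return in_net and self.src_port in (None, port)

    def covers(self, other: "NatRule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        mine, theirs = ipaddress.ip_network(self.source), ipaddress.ip_network(other.source)
        return theirs.subnet_of(mine) and self.src_port in (None, other.src_port)

def translate(rules, ip, port):
    """First match wins: return the NAT address of the first matching rule."""
    for rule in rules:
        if rule.matches(ip, port):
            return rule.nat_addr
    return None  # no outbound NAT rule applied

def shadowed(rules):
    """Return (hidden, hiding) name pairs where an earlier rule covers a later one."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed rule set; the /24 LAN subnet is an assumption, not from the thread.
AUTO_LAN = NatRule("auto LAN to WAN", "192.168.2.0/24", None, "99.99.99.1")
SIP_VIP = NatRule("SIP to VIP", "192.168.2.10/32", 5060, "99.99.99.10")

BROKEN = [AUTO_LAN, SIP_VIP]   # 5060 rule sits below the catch-all LAN rule
FIXED = [SIP_VIP, AUTO_LAN]    # 5060 rule moved to the top

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, translate(rules, "192.168.2.10", 5060), shadowed(rules))
```

Running `shadowed()` over an exported rule list is a quick audit for rules that can never fire, the same symptom the packet capture showed here.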
            • B
              bluerains last edited by

              Ah, thank you!  Sorry to CMB, I swear I saw the "thing" greyed out and could not move it.  But I moved it now. I'll go test; it probably should work now.

              Thanks again for the help!
