Netgate Discussion Forum

    Outbound NAT
    bluerains

      So this may be an easy issue, but I can not get my pfsense 2.1.5 to work.  I am simply trying to NAT a public IP to a private one (WAN to LAN) on a certain port:

      1. I have my WAN interface IP on 99.99.99.1
      2. I have multiple public IP from ISP 99.99.99.1/26
      3. I made a virtual IP (type IP alias) of 99.99.99.10/26 (it says you have to use /26 instead of /32, I guess?)
      4. I setup inbound Port forward to map 99.99.99.10 to internal IP of 192.168.2.10
      5. I setup outbound NAT where I said anything coming from 192.168.2.10:5060 NAT to 99.99.99.10:5060
            a. Interface: WAN
            b. Source (type network): 192.168.2.10
            c. Source Port:5060
            d. Destination: *
            e. Destination Port: *
            f. NAT address: 99.99.99.10 (I pick the VIP from the drop down box)
            g. NAT Port: 5060
            h. Static Port: NO

      Now I go to the packet capture and look at the source IP when I send a SIP message out from 192.168.2.10: it shows 99.99.99.1, which is the WAN interface IP. Shouldn't it be 99.99.99.10, the VIP?

      The ONLY WAY I can get it to work is to do 1:1 NAT; then everything coming out of 192.168.2.10 will be 99.99.99.10.  But I don't want that, I only want to map 5060 because I need to map other ports from this IP (e.g. 10000 to 20000) to another internal IP.

      Any thought why outbound NAT will not work but 1:1 NAT works?

      Thank you!

      cmb

        Either it doesn't have source port 5060, or your ordering of outbound NAT rules is wrong (first match wins).

        bluerains

          There is no issue with order because this is a brand new install; other than the 2 default rules in outbound NAT (which are on top and you can not move them), these are the only NAT rules I have.  I checked the packet capture, it is coming in from 192.168.2.10 on port 5060 into the firewall.

          Derelict (LAYER 8, Netgate)

            @bluerains:

            There is no issue with order because this is a brand new install; other than the 2 default rules in outbound NAT (which are on top and you can not move them), these are the only NAT rules I have.  I checked the packet capture, it is coming in from 192.168.2.10 on port 5060 into the firewall.

            Doesn't matter how new the install is.  When you enable manual outbound NAT the outbound NAT ruleset is populated with all of the automatic rules.  One of those is ALL traffic from LAN inside address translated to WAN address.

            If your UDP/5060 rule is after that, it will never be processed.

            Move it to the top.  Select the checkbox on your 5060 rule, then click the move selected rules above this rule button on the top rule.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              bluerains
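The first-match behaviour Derelict describes, as an added example that is not from the thread or from pfSense itself: a small model of a manual outbound NAT ruleset (source network, optional source port, translation address and port) with the poster's UDP/5060 rule placed below and then above the automatic "LAN net -> WAN address" rule, plus a check that reports rules shadowed by an earlier, broader one. Rule names, networks and the simplification that the automatic rule keeps the original source port (pfSense actually randomises it) are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class OutboundNatRule:
    """One manual outbound NAT rule; pf evaluates the list top to bottom, first match wins."""
    name: str
    source: str                   # source network, e.g. "192.168.2.0/24" or "192.168.2.10/32"
    source_port: Optional[int]    # None means any source port
    nat_address: str              # interface address or virtual IP to translate to
    nat_port: Optional[int]       # None keeps the original source port (static port)

    def matches(self, src_ip: str, src_port: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        return in_net and (self.source_port is None or self.source_port == src_port)


def translate(rules: List[OutboundNatRule], src_ip: str, src_port: int) -> Tuple[Optional[str], str, int]:
    """Return (matched rule name, translated address, translated port) for an outbound packet."""
    for rule in rules:
        if rule.matches(src_ip, src_port):
            return rule.name, rule.nat_address, rule.nat_port if rule.nat_port is not None else src_port
    return None, src_ip, src_port  # no rule matched: packet leaves untranslated


def shadowed_rules(rules: List[OutboundNatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule already covers their traffic."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            net_covered = ipaddress.ip_network(later.source).subnet_of(ipaddress.ip_network(earlier.source))
            port_covered = earlier.source_port is None or earlier.source_port == later.source_port
            if net_covered and port_covered:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed ruleset: the two automatic rules pfSense populates when manual outbound NAT is
# enabled (assumed names), followed by the poster's 192.168.2.10:5060 -> 99.99.99.10:5060 rule.
ISAKMP_RULE = OutboundNatRule("auto: ISAKMP static port", "192.168.2.0/24", 500, "99.99.99.1", None)
CATCH_ALL = OutboundNatRule("auto: LAN net -> WAN address", "192.168.2.0/24", None, "99.99.99.1", None)
SIP_RULE = OutboundNatRule("192.168.2.10:5060 -> VIP 99.99.99.10", "192.168.2.10/32", 5060, "99.99.99.10", 5060)

AS_POSTED = [ISAKMP_RULE, CATCH_ALL, SIP_RULE]   # 5060 rule below the automatic rules: shadowed
AFTER_FIX = [SIP_RULE, ISAKMP_RULE, CATCH_ALL]   # moved to the top, as suggested in the thread

if __name__ == "__main__":
    print("as posted :", translate(AS_POSTED, "192.168.2.10", 5060), "shadowed:", shadowed_rules(AS_POSTED))
    print("after fix :", translate(AFTER_FIX, "192.168.2.10", 5060), "shadowed:", shadowed_rules(AFTER_FIX))
```

Running the check against a ruleset before committing it is the quick way to spot a rule that sits below a catch-all and will never be hit.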

              Ah, thank you!  Sorry to CMB, I swear I saw the "thing" greyed out and could not move it.  But I moved it now, I'll go test, it probably should work now.

              Thanks again for the help!
