Outbound NAT
-
So this may be an easy issue, but I can not get my pfSense 2.1.5 to work. I am simply trying to NAT a public IP to a private one (WAN to LAN) on a certain port:
1. I have my WAN interface IP on 99.99.99.1
2. I have multiple public IP from ISP 99.99.99.1/26
3. I made a virtual IP (type IP alias) of 99.99.99.10/26 (it say you have to use /26 instead of /32, I guess?)
4. I setup inbound Port forward to map 99.99.99.10 to internal IP of 192.168.2.10
5. I setup outbound NAT where I said anything coming from 192.168.2.10:5060 NAT to 99.99.99.10:5060
a. Interface: WAN
b. Source (type network): 192.168.2.10
c. Source Port:5060
d. Destination: *
e. Destination Port: *
f. NAT address: 99.99.99.10 (I pick the VIP from the drop down box)
g. NAT Port: 5060
h. Static Port: NO
Now I go to the packet capture and look at the source IP when I send a SIP message out from 192.168.2.10: it shows 99.99.99.1, which is the WAN interface IP. Shouldn't it be 99.99.99.10, the VIP?
The ONLY WAY I can get it to work is to do 1:1 NAT, then everything coming out of 192.168.2.10 will be 99.99.99.10. But I don't want that, I only want to map 5060 because I need to map other ports from this IP (e.g. 10000 to 20000) to another internal IP.
Any thought why outbound NAT will not work but 1:1 NAT works?
Thank you!
-
Either it doesn't have source port 5060, or your ordering of outbound NAT rules is wrong (first match wins).
-
There is no issue with order because this is a brand new install; other than the 2 default rules in outbound NAT (which are on top and you can not move them), these are the only NAT rules I have. I checked the packet capture, it is coming in from 192.168.2.10 on port 5060 into the firewall.
-
> There is no issue with order because this is a brand new install; other than the 2 default rules in outbound NAT (which are on top and you can not move them), these are the only NAT rules I have. I checked the packet capture, it is coming in from 192.168.2.10 on port 5060 into the firewall.
Doesn't matter how new the install is. When you enable manual outbound NAT the outbound NAT ruleset is populated with all of the automatic rules. One of those is ALL traffic from LAN inside address translated to WAN address.
If your UDP/5060 rule is after that, it will never be processed.
Move it to the top. Select the checkbox on your 5060 rule, then click the move selected rules above this rule button on the top rule.
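As an added illustration of the first-match behaviour described in this reply (this is not pfSense's own code and was not part of the original thread), the following Python script models the two rule orderings with the addresses from the question. The LAN subnet 192.168.2.0/24 and the simplified rule matcher are assumptions.

```python
"""Model pf-style outbound NAT evaluation: the first matching rule wins.

Constructed example using the thread's placeholder addresses. The LAN
subnet 192.168.2.0/24 is an assumption (only 192.168.2.10 is in the post).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    source: str                      # host or network, e.g. "192.168.2.0/24"
    src_port: Optional[int]          # None = any source port
    nat_address: str                 # address the packet leaves with
    nat_port: Optional[int] = None   # None = keep the original source port

    def matches(self, src_ip: str, src_port: int) -> bool:
        in_net = ip_address(src_ip) in ip_network(self.source, strict=False)
        return in_net and (self.src_port is None or self.src_port == src_port)


def translate(rules, src_ip: str, src_port: int):
    """Return (nat_ip, nat_port) from the first rule that matches, or the
    untranslated pair if nothing matches (first match wins, like pf nat)."""
    for rule in rules:
        if rule.matches(src_ip, src_port):
            return rule.nat_address, rule.nat_port or src_port
    return src_ip, src_port


# Automatic rule added when manual outbound NAT is enabled:
# all LAN traffic is translated to the WAN interface address.
AUTO_LAN_TO_WAN = NatRule("192.168.2.0/24", None, "99.99.99.1")
# The poster's rule: only 192.168.2.10:5060 should leave as the VIP.
SIP_TO_VIP = NatRule("192.168.2.10/32", 5060, "99.99.99.10", 5060)

WRONG_ORDER = [AUTO_LAN_TO_WAN, SIP_TO_VIP]   # catch-all shadows the SIP rule
RIGHT_ORDER = [SIP_TO_VIP, AUTO_LAN_TO_WAN]   # specific rule first


def sip_source(rules):
    """Translated source for the SIP packet seen in the packet capture."""
    return translate(rules, "192.168.2.10", 5060)


if __name__ == "__main__":
    print("wrong order:", sip_source(WRONG_ORDER))                        # ('99.99.99.1', 5060)
    print("right order:", sip_source(RIGHT_ORDER))                        # ('99.99.99.10', 5060)
    print("other port :", translate(RIGHT_ORDER, "192.168.2.10", 10000))  # ('99.99.99.1', 10000)
```

With the specific rule on top, only UDP/5060 from 192.168.2.10 leaves as the VIP; every other port from that host still falls through to the automatic WAN-address rule, which is the behaviour the poster wanted.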
-
Ah, thank you! Sorry to CMB, I swear I saw the "thing" greyed out and could not move it. But I moved it now, I'll go test, it should probably work now.
Thanks again for the help!