Netgate Discussion Forum

    NAT to access a -gatewayless- server

    • boujid

      Hello,
      I am trying to configure a "reversible" NAT without success.
      Basically, I want to configure the "ip nat outside" Cisco command instead of "ip nat inside".

      Let's say a pfSense firewall with 2 interfaces, WAN and LAN.
      I have a LAN server that is deliberately configured without a gateway,
      so I am trying to achieve the following scenario:

      (outside users --> WAN net address or WAN VIP address + specific port) --> NAT --> (LAN net address --> LAN server IP + specific port)
      so the LAN server will be reachable even without a gateway configured.
      I have done this config many times with Cisco, but I cannot make it work with pfSense.

      Port forwarding doesn't work because the packet won't be replied to without a gateway configured for the LAN server.

      I am using outbound NAT, but the choices are limited. I want to enter an alias (a group containing the IPs of the outside users), but there is just network, firewall itself and any.
      For destination, same thing: I want to enter an alias (LAN server), but there is just any and network.
      And finally, for the translation address, there isn't (LAN network address). I've tried to configure the firewall LAN address with /32, but it doesn't work either.

      Is such a scenario possible?
      What am I missing?

      I will be using this scenario not only for the WAN interface but also for OPT ones and OpenVPN ones.

      Thank you

      • viragomann

        You were on the right track, but did something wrong. Maybe you selected the WAN interface in outbound NAT.

        If you want the rule to take effect for packets going to the LAN network, you have to select "LAN" in the interface dropdown.

        @boujid:

        I am using outbound NAT, but the choices are limited. I want to enter an alias (a group containing the IPs of the outside users), but there is just network, firewall itself and any.

        Select Network from the dropdown and enter the alias below.

        @boujid:

        For destination, same thing: I want to enter an alias (LAN server), but there is just any and network.

        Same thing.

        @boujid:

        And finally, for the translation address, there isn't (LAN network address). I've tried to configure the firewall LAN address with /32, but it doesn't work either.

        If you have selected the LAN interface, just leave the selection at "Interface address" here, or select "other subnet" and enter whatever you want below.

        @boujid:

        Is such a scenario possible?

        Yes, it is, but your LAN server will not see who is accessing it.

        • awebster

          This setup works quite easily.

          Set up an outbound NAT rule as follows:
          Interface: LAN
          Protocol: any
          Source: any
          Destination: The subnet (or host) you want to give access to.
          Translation: Interface address

          This will in effect NAT-HIDE all traffic behind the LAN interface's IP, allowing you to reach any host on the LAN segment.
          Of course from the point of view of the logs on the LAN side hosts, it will appear as if all accesses are coming from the LAN IP of the pfSense.

          Don't forget to add appropriate WAN side rules to allow access inbound.

          –A.
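
The packet path discussed in this thread, as an added example that is not part of any poster's reply: a small Python model of why the port forward alone fails for a server with no gateway, and why an outbound NAT rule on the LAN interface fixes it at the cost of the server no longer seeing the client address. All addresses, the port and the function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for illustration (not from the thread).
LAN_NET = ip_network("192.168.1.0/24")
FW_LAN = ip_address("192.168.1.1")     # pfSense LAN interface address
FW_WAN = ip_address("203.0.113.10")    # WAN address that is port-forwarded
SERVER = ip_address("192.168.1.50")    # LAN server with no default gateway
CLIENT = ip_address("198.51.100.7")    # outside user
PORT = 443                             # assumed forwarded port


def firewall_inbound(src, dst, dport, lan_outbound_nat):
    """Port forward on WAN, then optional outbound NAT on the LAN interface."""
    if dst != FW_WAN or dport != PORT:
        return None                    # no port forward matches
    new_src = FW_LAN if lan_outbound_nat else src
    pkt = (new_src, SERVER, dport)
    # State entry: lets the firewall reverse both translations on the reply.
    return pkt, {pkt: (src, dst)}


def server_can_reply(pkt_src, default_gateway=None):
    """A host answers only if the source is on-link or it has a gateway."""
    return pkt_src in LAN_NET or default_gateway is not None


def trace(lan_outbound_nat):
    """Follow one connection; report what the server logs and who gets the reply."""
    pkt, state = firewall_inbound(CLIENT, FW_WAN, PORT, lan_outbound_nat)
    result = {"server_logs_src": str(pkt[0]), "delivered": False}
    if server_can_reply(pkt[0]):
        real_client, public_dst = state[pkt]   # firewall state lookup
        result.update(delivered=True, reply_to=str(real_client),
                      reply_from=str(public_dst))
    return result


if __name__ == "__main__":
    print("port forward only:        ", trace(False))
    print("plus outbound NAT on LAN: ", trace(True))
```

In the working case the only record tying the connection to the real client is on the firewall, so its logs are what you correlate against when reviewing access to the server.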

          • boujid

            Thanks a lot for your replies.

            Apparently I was doing it right but applying the NAT on the wrong interface.
            I haven't tried yet, but for sure this is my mistake.

            Thanks
