Netgate Discussion Forum

NAT to access a -gatewayless- server

  • B Offline
    boujid
    last edited by Oct 28, 2015, 8:46 PM

    Hello
    I am trying to configure a "reversible" NAT without success.
    Basically I want to configure the "ip nat outside" Cisco command instead of "ip nat inside".

    Let's say, a pfSense firewall with 2 interfaces, WAN and LAN.
    I have a LAN server that is configured deliberately without a gateway,
    so I am trying to achieve the following scenario:

    (outside users --> WAN net address or WAN VIP address + specific port) --> NAT --> (LAN net address --> LAN server IP + specific port)
    so the LAN server will be reachable even without a gateway configured.
    I have done this config many times with Cisco, but I cannot make it work with pfSense.

    Port forwarding doesn't work because the packet won't be replied to without a gateway configured for the LAN server.

    I am using outbound NAT, but the choices are limited; I want to enter an alias (a group containing the IPs of the outside users) but there is just network, firewall itself and any.
    For destination, same thing: I want to enter an alias (LAN server) but there is just any and network.
    And finally, for the translation address, there isn't (LAN network address); I've tried to configure the firewall LAN address with /32, but it doesn't work either.

    Is such a scenario possible?
    What am I missing?

    I will be using this scenario not only for the WAN interface but also for OPT ones and OpenVPN ones.

    Thank You

    • V Offline
      viragomann
      last edited by Oct 28, 2015, 11:35 PM

      You were on the right track, but did something wrong. Maybe you selected the WAN interface in outbound NAT.

      If you want the rule to take effect for packets going to the LAN network, you have to select "LAN" in the interface dropdown.

      @boujid:

      I am using outbound NAT, but the choices are limited; I want to enter an alias (a group containing the IPs of the outside users) but there is just network, firewall itself and any.

      Select Network from the dropdown and enter the alias below.

      @boujid:

      For destination, same thing: I want to enter an alias (LAN server) but there is just any and network.

      Same thing.

      @boujid:

      And finally, for the translation address, there isn't (LAN network address); I've tried to configure the firewall LAN address with /32, but it doesn't work either.

      If you have selected the LAN interface, just leave the selection at "Interface address" here, or select "other subnet" and enter below whatever you want.

      @boujid:

      Is such a scenario possible?

      Yes, it is, but your LAN server will not see who is accessing it.

      • A Offline
        awebster
        last edited by Oct 28, 2015, 11:36 PM

        This setup works quite easily.

        Set up an outbound NAT rule as follows:
        Interface: LAN
        Protocol: any
        Source: any
        Destination: The subnet (or host) you want to give access to.
        Translation: Interface address

        This will in effect NAT-HIDE all traffic behind the LAN interface's IP, allowing you to reach any host on the LAN segment.
        Of course from the point of view of the logs on the LAN side hosts, it will appear as if all accesses are coming from the LAN IP of the pfSense.

        Don't forget to add appropriate WAN side rules to allow access inbound.

        –A.

        • B Offline
          boujid
          last edited by Oct 29, 2015, 6:31 PM

          Thanks a lot for your replies.

          Apparently I was doing it right but applying the NAT on the wrong interface.
          I haven't tried it yet, but for sure this is my mistake.

          Thanks
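
The packet flow discussed in this thread, as an added example that is not part of any poster's reply: a small Python model of a WAN port forward followed by the outbound NAT rule on LAN, showing why the gatewayless server can only answer when the source is rewritten to the firewall's LAN address, and what source address ends up in the server's logs. All addresses and ports are constructed (documentation ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample addresses, not taken from the thread.
WAN_VIP = ipaddress.ip_address("203.0.113.10")        # address outside users hit
FW_LAN = ipaddress.ip_interface("192.168.1.1/24")     # pfSense LAN interface
SERVER = ipaddress.ip_interface("192.168.1.50/24")    # LAN server, no gateway
CLIENT = ipaddress.ip_address("198.51.100.7")         # outside user


def port_forward(pkt):
    """WAN port forward: rewrite destination WAN_VIP:8443 to SERVER:443."""
    if pkt["dst"] == WAN_VIP and pkt["dport"] == 8443:
        return {**pkt, "dst": SERVER.ip, "dport": 443}
    return pkt


def outbound_nat_on_lan(pkt):
    """Outbound NAT with Interface: LAN, Translation: Interface address.

    Assumption: the rule's destination is the whole LAN subnet.
    """
    if pkt["dst"] in FW_LAN.network:
        return {**pkt, "src": FW_LAN.ip}
    return pkt


def server_can_reply(pkt):
    """Without a gateway the server only has its connected (on-link) route."""
    return pkt["src"] in SERVER.network


def deliver(lan_nat):
    """Send one client packet through the firewall; report what the server sees."""
    pkt = {"src": CLIENT, "dst": WAN_VIP, "dport": 8443}
    pkt = port_forward(pkt)
    if lan_nat:
        pkt = outbound_nat_on_lan(pkt)
    return {"seen_src": str(pkt["src"]), "reply_possible": server_can_reply(pkt)}


if __name__ == "__main__":
    print("port forward only      :", deliver(lan_nat=False))
    print("plus outbound NAT (LAN):", deliver(lan_nat=True))
```

With the LAN rule in place, every connection shows up on the server with the firewall's LAN address as its source, so the original client IP has to be taken from the pfSense firewall and state logs when reviewing access to that server.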
