NAT to access a -gatewayless- server



  • Hello
    I am trying to configure a "reversible" NAT without success.
    Basically I want to configure the "ip nat outside" Cisco command instead of "ip nat inside".

    Let's say a pfSense firewall with 2 interfaces, WAN and LAN.
    I have a LAN server that is configured deliberately without a gateway,
    so I am trying to achieve the following scenario:

    (outside users --> WAN net address or WAN VIP address + specific port) --> NAT --> (LAN net address --> LAN server IP + specific port)
    so the LAN server will be reachable even without a gateway configured.
    I have done this config many times with Cisco, but I cannot make it work with pfSense.

    The port forwarding doesn't work because the packet won't be replied to without a gateway configured for the LAN server.

    I am using outbound NAT, but the choices are limited: I want to enter an alias (group containing the IPs of the outside users) but there is just network, firewall itself and any.
    For destination, same thing, I want to enter an alias (LAN server) but there is just any and network.
    And finally for the translation address, there isn't (LAN network address); I've tried to configure the firewall LAN address with /32, but it doesn't work either.

    Is such a scenario possible?
    What am I missing?

    I will be using this scenario not only for the WAN interface but also OPT ones and OpenVPN ones.

    Thank You



  • You were on the right track, but made something wrong. Maybe you selected the WAN interface in outbound NAT.

    If you want the rule to take effect for packets going to the LAN network you have to select "LAN" at the interface dropdown.

    @boujid:

    I am using outbound NAT, but the choices are limited: I want to enter an alias (group containing the IPs of the outside users) but there is just network, firewall itself and any.

    Select Network from the dropdown and enter the alias below.

    @boujid:

    For destination, same thing, I want to enter an alias (LAN server) but there is just any and network.

    Same thing.

    @boujid:

    And finally for the translation address, there isn't (LAN network address); I've tried to configure the firewall LAN address with /32, but it doesn't work either.

    If you have selected the LAN interface just leave the selection at "Interface address" here, or select "other subnet" and enter below whatever you want.

    @boujid:

    Is such a scenario possible?

    Yes, it is, but your LAN server will not see who is doing the access.



  • This setup works quite easily.

    Set up an outbound NAT rule as follows:
    Interface: LAN
    Protocol: any
    Source: any
    Destination: The subnet (or host) you want to give access to.
    Translation: Interface address

    This will in effect NAT-HIDE all traffic behind the LAN interface's IP, allowing you to reach any host on the LAN segment.
    Of course from the point of view of the logs on the LAN side hosts, it will appear as if all accesses are coming from the LAN IP of the pfSense.

    Don't forget to add appropriate WAN side rules to allow access inbound.


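As an added example (not from any of the posts above), the same setup written as hand-authored FreeBSD pf rules, the packet filter pfSense runs on; the interface names em0/em1, the addresses and the outside_users table are assumptions, and this is not the rules.debug file pfSense generates.

```pf
# Assumed topology (constructed for this example):
#   em0 = WAN, em1 = LAN (192.168.1.1/24), server = 192.168.1.10 with no default gateway
wan_if = "em0"
lan_if = "em1"
server = "192.168.1.10"
table <outside_users> { 198.51.100.0/24 }   # alias of the permitted outside sources

# 1. Port forward on WAN (what the original poster already had): WAN:8443 -> server:443.
rdr on $wan_if inet proto tcp from <outside_users> to ($wan_if) port 8443 \
    -> $server port 443

# 2. Outbound NAT bound to the LAN interface ("Interface: LAN" in the GUI).
#    pf applies rdr on the way in, so by the time the packet leaves on em1 its
#    destination is already the server; this rule rewrites the source to the LAN
#    interface address, so the server replies to a directly connected host and
#    needs no default gateway. The server's logs will show 192.168.1.1 as the client.
nat on $lan_if inet proto tcp from <outside_users> to $server port 443 \
    -> ($lan_if)

# The mistake discussed in the thread: the same rule bound to WAN never matches
# the packets heading to the server, because they leave through LAN, not WAN.
# nat on $wan_if inet from <outside_users> to $server -> ($wan_if)

# 3. Filter rule on WAN for the forwarded flow. Filter rules are evaluated after
#    rdr, so the match is on the translated destination and port.
pass in quick on $wan_if inet proto tcp from <outside_users> to $server port 443 \
    flags S/SA keep state
```

In the pfSense GUI the outbound NAT rule can only be added once Outbound NAT mode is set to Hybrid or Manual; restricting the source to the outside_users alias instead of "any" keeps the LAN-side source rewriting limited to the flows that actually need it.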

  • Thanks a lot for your replies

    Apparently I was doing it right but applying the NAT on the wrong interface.
    I haven't tried it yet, but for sure this is my mistake.

    Thanks

