Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    LAN to WAN port forward, and WAN to LAN NAT?

    NAT
    2
    5
    11934
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      Bruco last edited by

      I'm trying to achieve something that may or may not work, but I figured I would ask some experts.

      Essentially, I want to be use pfsense to do outbound NAT in BOTH directions - traffic originating on an external subnet would be port forwarded to an internal host, but I want it to translate to the IP of pfsense LAN interface.

      Additionally, I'd like to be able to take some LAN traffic bound for a port on the pfsense LAN interface IP and port forward it to an external host - without losing the normal translation that occurs with LAN to WAN traffic.

      I try to give a more detailed explanation if necessary, but hopefully that sums it up.  Is it even possible?  So far I haven't been successful.

      Thanks!

      1 Reply Last reply Reply Quote 0
      • Derelict
        Derelict LAYER 8 Netgate last edited by

        @Bruco:

        I'm trying to achieve something that may or may not work, but I figured I would ask some experts.

        Essentially, I want to be use pfsense to do outbound NAT in BOTH directions - traffic originating on an external subnet would be port forwarded to an internal host, but I want it to translate to the IP of pfsense LAN interface.

        I think you'll have to be more specific. I think you want a port forward on WAN plus an outbound NAT entry on LAN.  That would forward the packets arriving on WAN to an internal host appearing to be sourced from pfSense's LAN interface.

        Additionally, I'd like to be able to take some LAN traffic bound for a port on the pfsense LAN interface IP and port forward it to an external host - without losing the normal translation that occurs with LAN to WAN traffic.

        That would be done with a port forward on the LAN interface and outbound NAT rules on WAN.

        You should probably provide a couple specific examples - one in each direction.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • B
          Bruco last edited by

          Sorry for the delay in response, thanks for yours.  I think you are describing what I'm trying to do.  I just haven't had much luck, and maybe I'm configuring in the wrong place.

          Attached is a (terrible) diagram that illustrates what I'm trying, which I believe matches up with your description.  Where should I be doing the config?  Can I do it all via the Port Forward and Outbound tabs under NAT?

          Thanks again.


          1 Reply Last reply Reply Quote 0
          • Derelict
            Derelict LAYER 8 Netgate last edited by

            Why are the ports fixed? That's probably not going to work for you. Are you looking to have connections established in both directions?  That would be two sets of NAT. One for connections one way and one for connections the other way.

            If you are looking only for connections established in one direction, which direction is that?

            ETA - It looks like you want connections in both directions:

            I will assume 192.168.1.1 is LAN and 4.4.4.1 is WAN. Also note that the source address fixing means it will only work for 192.168.1.10 and 4.4.4.10.  if you want any, use any there. Source port MUST remain any in either case. The outbound NAT rules on WAN might not be necessary as it might be matched by the existing rules but if you put them at the top you know exactly what's happening in your special case..  The ones on LAN are almost certainly necessary.

            I think this will do what you want.  End result is 4.4.4.10:80 appears to 192.168.1.10 as 192.168.1.1:80 and 192.168.1.10:8080 appears to 4.4.4.10 as 4.4.4.1:8080.  They should be able to communicate without any routing (same-subnet traffic at both ends).

            Also beware of anything listening on the firewall on TCP/80 or TCP/8080. I am under the impression that port forwards take precedence but people seem to have problems with it.

            Firewall > NAT, Port forward tab:

            Interface: LAN
            Protocol: TCP
            Source: 192.168.1.10/32, port any
            Destination: LAN address (192.168.1.1)
            Destination Port: 80
            Redirect target IP: 4.4.4.10
            Redirect target port: 80

            Interface: WAN
            Protocol: TCP
            Source: 4.4.4.10/32, port any
            Destination: WAN address (4.4.4.1)
            Destination Port: 8080
            Redirect target IP: 192.168.1.10
            Redirect target port: 8080

            Firewall > NAT, Outbound tab:

            Interface: WAN
            Protocol: TCP
            Source: Network, 192.168.1.10/32, port any
            Destination: 4.4.4.10, Port 80
            Translation: Interface Address (4.4.4.1)

            Interface: LAN
            Protocol: TCP
            Source: Network, 4.4.4.10/32, port any
            Destination: 192.168.1.10, port 8080
            Translation: Interface Address (192.168.1.1)

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • B
              Bruco last edited by

              Thanks very much, I believe I have it working.  Routing is what I was looking to avoid, as you surmised!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post

              Products

              • Platform Overview
              • TNSR
              • pfSense
              • Appliances

              Services

              • Training
              • Professional Services

              Support

              • Subscription Plans
              • Contact Support
              • Product Lifecycle
              • Documentation

              News

              • Media Coverage
              • Press
              • Events

              Resources

              • Blog
              • FAQ
              • Find a Partner
              • Resource Library
              • Security Information

              Company

              • About Us
              • Careers
              • Partners
              • Contact Us
              • Legal
              Our Mission

              We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

              Subscribe to our Newsletter

              Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

              © 2021 Rubicon Communications, LLC | Privacy Policy