LAN to WAN port forward, and WAN to LAN NAT?



  • I'm trying to achieve something that may or may not work, but I figured I would ask some experts.

    Essentially, I want to use pfsense to do outbound NAT in BOTH directions - traffic originating on an external subnet would be port forwarded to an internal host, but I want it to translate to the IP of pfsense LAN interface.

    Additionally, I'd like to be able to take some LAN traffic bound for a port on the pfsense LAN interface IP and port forward it to an external host - without losing the normal translation that occurs with LAN to WAN traffic.

    I'll try to give a more detailed explanation if necessary, but hopefully that sums it up.  Is it even possible?  So far I haven't been successful.

    Thanks!


  • LAYER 8 Netgate

    @Bruco:

    I'm trying to achieve something that may or may not work, but I figured I would ask some experts.

    Essentially, I want to use pfsense to do outbound NAT in BOTH directions - traffic originating on an external subnet would be port forwarded to an internal host, but I want it to translate to the IP of pfsense LAN interface.

    I think you'll have to be more specific. I think you want a port forward on WAN plus an outbound NAT entry on LAN.  That would forward the packets arriving on WAN to an internal host appearing to be sourced from pfSense's LAN interface.

    Additionally, I'd like to be able to take some LAN traffic bound for a port on the pfsense LAN interface IP and port forward it to an external host - without losing the normal translation that occurs with LAN to WAN traffic.

    That would be done with a port forward on the LAN interface and outbound NAT rules on WAN.

    You should probably provide a couple of specific examples - one in each direction.



  • Sorry for the delay in response, thanks for yours.  I think you are describing what I'm trying to do.  I just haven't had much luck, and maybe I'm configuring in the wrong place.

    Attached is a (terrible) diagram that illustrates what I'm trying, which I believe matches up with your description.  Where should I be doing the config?  Can I do it all via the Port Forward and Outbound tabs under NAT?

    Thanks again.



  • LAYER 8 Netgate

    Why are the ports fixed? That's probably not going to work for you. Are you looking to have connections established in both directions?  That would be two sets of NAT. One for connections one way and one for connections the other way.

    If you are looking only for connections established in one direction, which direction is that?

    ETA - It looks like you want connections in both directions:

    I will assume 192.168.1.1 is LAN and 4.4.4.1 is WAN. Also note that the source address fixing means it will only work for 192.168.1.10 and 4.4.4.10.  If you want any, use any there. Source port MUST remain any in either case. The outbound NAT rules on WAN might not be necessary as it might be matched by the existing rules, but if you put them at the top you know exactly what's happening in your special case.  The ones on LAN are almost certainly necessary.

    I think this will do what you want.  End result is 4.4.4.10:80 appears to 192.168.1.10 as 192.168.1.1:80 and 192.168.1.10:8080 appears to 4.4.4.10 as 4.4.4.1:8080.  They should be able to communicate without any routing (same-subnet traffic at both ends).

    Also beware of anything listening on the firewall on TCP/80 or TCP/8080. I am under the impression that port forwards take precedence but people seem to have problems with it.

    Firewall > NAT, Port forward tab:

    Interface: LAN
    Protocol: TCP
    Source: 192.168.1.10/32, port any
    Destination: LAN address (192.168.1.1)
    Destination Port: 80
    Redirect target IP: 4.4.4.10
    Redirect target port: 80

    Interface: WAN
    Protocol: TCP
    Source: 4.4.4.10/32, port any
    Destination: WAN address (4.4.4.1)
    Destination Port: 8080
    Redirect target IP: 192.168.1.10
    Redirect target port: 8080

    Firewall > NAT, Outbound tab:

    Interface: WAN
    Protocol: TCP
    Source: Network, 192.168.1.10/32, port any
    Destination: 4.4.4.10, Port 80
    Translation: Interface Address (4.4.4.1)

    Interface: LAN
    Protocol: TCP
    Source: Network, 4.4.4.10/32, port any
    Destination: 192.168.1.10, port 8080
    Translation: Interface Address (192.168.1.1)

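The four GUI entries above, written out as the equivalent FreeBSD pf rules, as an added example that is not part of the original reply. It is useful for checking what pfSense actually loaded: the interface names em0 (WAN) and em1 (LAN) are assumptions, and the pass rules are included only because a redirect without a matching pass rule is dropped by the default deny. The source port is left unspecified on every rule, matching the "Source port MUST remain any" point above.

```pf
# Assumed interface names (not from the original post): em0 = WAN 4.4.4.1, em1 = LAN 192.168.1.1

# --- Port forwards (Firewall > NAT, Port forward tab) ---
# LAN host 192.168.1.10 -> 192.168.1.1:80 is redirected to the WAN-side host 4.4.4.10:80
rdr on em1 inet proto tcp from 192.168.1.10 to 192.168.1.1 port 80 -> 4.4.4.10 port 80
# WAN host 4.4.4.10 -> 4.4.4.1:8080 is redirected to the LAN host 192.168.1.10:8080
rdr on em0 inet proto tcp from 4.4.4.10 to 4.4.4.1 port 8080 -> 192.168.1.10 port 8080

# --- Outbound NAT (Firewall > NAT, Outbound tab) ---
# After the LAN rdr, the packet leaves WAN; rewrite its source to the WAN address
nat on em0 inet proto tcp from 192.168.1.10 to 4.4.4.10 port 80 -> 4.4.4.1
# After the WAN rdr, the packet leaves LAN; rewrite its source to the LAN address,
# so 192.168.1.10 sees the connection coming from its own gateway and needs no route
nat on em1 inet proto tcp from 4.4.4.10 to 192.168.1.10 port 8080 -> 192.168.1.1

# --- Pass rules: rdr alone does not permit the traffic ---
# Filter rules see the post-redirect destination, so match on the redirect target
pass in quick on em1 inet proto tcp from 192.168.1.10 to 4.4.4.10 port 80 flags S/SA keep state
pass in quick on em0 inet proto tcp from 4.4.4.10 to 192.168.1.10 port 8080 flags S/SA keep state
```

To confirm the loaded ruleset rather than the GUI's intent, run `pfctl -sn` on the firewall and look for the four rdr/nat lines above, then open a connection from either end and run `pfctl -ss` to see both the pre-translation and post-translation addresses of the state. If a connection from 4.4.4.10 to 4.4.4.1:8080 is answered by the firewall itself instead of showing up as a state to 192.168.1.10, something on the firewall is listening on that port and the caveat above about TCP/80 and TCP/8080 applies.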


  • Thanks very much, I believe I have it working.  Routing is what I was looking to avoid, as you surmised!

