Netgate Discussion Forum
    LAN to WAN port forward, and WAN to LAN NAT?

    5 Posts 2 Posters 15.4k Views
    • B
      Bruco
      last edited by

      I'm trying to achieve something that may or may not work, but I figured I would ask some experts.

      Essentially, I want to use pfSense to do outbound NAT in BOTH directions - traffic originating on an external subnet would be port forwarded to an internal host, but I want it to translate to the IP of the pfSense LAN interface.

      Additionally, I'd like to be able to take some LAN traffic bound for a port on the pfSense LAN interface IP and port forward it to an external host - without losing the normal translation that occurs with LAN to WAN traffic.

      I'll try to give a more detailed explanation if necessary, but hopefully that sums it up.  Is it even possible?  So far I haven't been successful.

      Thanks!

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        @Bruco:

        I'm trying to achieve something that may or may not work, but I figured I would ask some experts.

        Essentially, I want to use pfSense to do outbound NAT in BOTH directions - traffic originating on an external subnet would be port forwarded to an internal host, but I want it to translate to the IP of the pfSense LAN interface.

        I think you'll have to be more specific. I think you want a port forward on WAN plus an outbound NAT entry on LAN.  That would forward the packets arriving on WAN to an internal host appearing to be sourced from pfSense's LAN interface.

        Additionally, I'd like to be able to take some LAN traffic bound for a port on the pfSense LAN interface IP and port forward it to an external host - without losing the normal translation that occurs with LAN to WAN traffic.

        That would be done with a port forward on the LAN interface and outbound NAT rules on WAN.

        You should probably provide a couple specific examples - one in each direction.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • B
          Bruco
          last edited by

          Sorry for the delay in response, thanks for yours.  I think you are describing what I'm trying to do.  I just haven't had much luck, and maybe I'm configuring in the wrong place.

          Attached is a (terrible) diagram that illustrates what I'm trying, which I believe matches up with your description.  Where should I be doing the config?  Can I do it all via the Port Forward and Outbound tabs under NAT?

          Thanks again.

          [Attached image: pfsenseNATandportforw.png]

          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Why are the ports fixed? That's probably not going to work for you. Are you looking to have connections established in both directions?  That would be two sets of NAT. One for connections one way and one for connections the other way.

            If you are looking only for connections established in one direction, which direction is that?

            ETA - It looks like you want connections in both directions:

            I will assume 192.168.1.1 is LAN and 4.4.4.1 is WAN. Also note that the source address fixing means it will only work for 192.168.1.10 and 4.4.4.10.  If you want any, use any there. Source port MUST remain any in either case. The outbound NAT rules on WAN might not be necessary as it might be matched by the existing rules, but if you put them at the top you know exactly what's happening in your special case.  The ones on LAN are almost certainly necessary.

            I think this will do what you want.  End result is 4.4.4.10:80 appears to 192.168.1.10 as 192.168.1.1:80 and 192.168.1.10:8080 appears to 4.4.4.10 as 4.4.4.1:8080.  They should be able to communicate without any routing (same-subnet traffic at both ends).

            Also beware of anything listening on the firewall on TCP/80 or TCP/8080. I am under the impression that port forwards take precedence but people seem to have problems with it.

            Firewall > NAT, Port forward tab:

            Interface: LAN
            Protocol: TCP
            Source: 192.168.1.10/32, port any
            Destination: LAN address (192.168.1.1)
            Destination Port: 80
            Redirect target IP: 4.4.4.10
            Redirect target port: 80

            Interface: WAN
            Protocol: TCP
            Source: 4.4.4.10/32, port any
            Destination: WAN address (4.4.4.1)
            Destination Port: 8080
            Redirect target IP: 192.168.1.10
            Redirect target port: 8080

            Firewall > NAT, Outbound tab:

            Interface: WAN
            Protocol: TCP
            Source: Network, 192.168.1.10/32, port any
            Destination: 4.4.4.10, Port 80
            Translation: Interface Address (4.4.4.1)

            Interface: LAN
            Protocol: TCP
            Source: Network, 4.4.4.10/32, port any
            Destination: 192.168.1.10, port 8080
            Translation: Interface Address (192.168.1.1)


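As an added illustration, not part of the post and not pfSense code: a small Python model of how the four NAT entries above act on a packet, in pf's order (port forward on the interface the packet arrives on, then outbound NAT on the interface it leaves by). The interface addresses 192.168.1.1 and 4.4.4.1 are the ones Derelict assumed; the sample packets are constructed here. The model also shows what happens to a LAN host the /32 source restriction does not cover: its packet is not forwarded and lands on the firewall itself, which is why anything listening on TCP/80 or TCP/8080 on pfSense matters.

```python
"""Model of the two-way pfSense NAT setup described in the post above.

Constructed example: the rules mirror the post's two port forwards and two
outbound NAT entries. 192.168.1.1 (LAN) and 4.4.4.1 (WAN) are the post's
assumed interface addresses; the packets below are made up for the demo.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface_in: str   # interface the packet arrives on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Forward:      # Firewall > NAT, Port forward tab
    iface: str
    proto: str
    src_net: str    # post uses /32 hosts; "0.0.0.0/0" would mean "any"
    dst: str
    dport: int
    target: str
    target_port: int


@dataclass(frozen=True)
class Outbound:     # Firewall > NAT, Outbound tab
    iface: str
    proto: str
    src_net: str
    dst: str
    dport: int
    translate_to: str


# Interface addresses assumed in the post.
IFACE_ADDR = {"LAN": "192.168.1.1", "WAN": "4.4.4.1"}
# Directly connected subnets: same-subnet traffic at both ends, no routing.
CONNECTED = {"LAN": ip_network("192.168.1.0/24"), "WAN": ip_network("4.4.4.0/24")}

FORWARDS = [
    Forward("LAN", "tcp", "192.168.1.10/32", "192.168.1.1", 80, "4.4.4.10", 80),
    Forward("WAN", "tcp", "4.4.4.10/32", "4.4.4.1", 8080, "192.168.1.10", 8080),
]
OUTBOUND = [
    Outbound("WAN", "tcp", "192.168.1.10/32", "4.4.4.10", 80, "4.4.4.1"),
    Outbound("LAN", "tcp", "4.4.4.10/32", "192.168.1.10", 8080, "192.168.1.1"),
]


def egress_iface(dst: str) -> str:
    """Pick the interface that reaches dst (directly connected subnets only)."""
    for name, net in CONNECTED.items():
        if ip_address(dst) in net:
            return name
    raise ValueError(f"no connected interface for {dst}")


def translate(pkt: Packet):
    """Return (where the packet goes, the packet as it leaves the firewall).

    Port forwards match on ingress interface, protocol, source net, destination
    address and destination port; the source port is never matched, as the post
    insists. Outbound NAT is then evaluated on the egress interface against the
    already-forwarded packet.
    """
    for f in FORWARDS:
        if (f.iface == pkt.iface_in and f.proto == pkt.proto
                and ip_address(pkt.src) in ip_network(f.src_net)
                and pkt.dst == f.dst and pkt.dport == f.dport):
            pkt = replace(pkt, dst=f.target, dport=f.target_port)
            break
    # No forward matched and the destination is the firewall: delivered locally,
    # i.e. whatever daemon listens on that port on pfSense answers.
    if pkt.dst in IFACE_ADDR.values():
        return "local", pkt
    out = egress_iface(pkt.dst)
    for o in OUTBOUND:
        if (o.iface == out and o.proto == pkt.proto
                and ip_address(pkt.src) in ip_network(o.src_net)
                and pkt.dst == o.dst and pkt.dport == o.dport):
            pkt = replace(pkt, src=o.translate_to)
            break
    return out, pkt


if __name__ == "__main__":
    for p in (Packet("LAN", "tcp", "192.168.1.10", 51000, "192.168.1.1", 80),
              Packet("WAN", "tcp", "4.4.4.10", 40000, "4.4.4.1", 8080),
              Packet("LAN", "tcp", "192.168.1.20", 51001, "192.168.1.1", 80)):
        out, t = translate(p)
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} on {p.iface_in}  =>  "
              f"{out}: {t.src} -> {t.dst}:{t.dport}")
```

Running it shows the two outcomes the post predicts (4.4.4.10 sees 192.168.1.10:80 traffic as coming from 4.4.4.1, and 192.168.1.10 sees 4.4.4.10:8080 traffic as coming from 192.168.1.1) and a third case: a LAN host outside the /32 source restriction reaching 192.168.1.1:80 is handled by the firewall itself, so a rule set like this should be checked together with what pfSense has listening on those ports.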
            • B
              Bruco
              last edited by

              Thanks very much, I believe I have it working.  Routing is what I was looking to avoid, as you surmised!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.