Auto-created NAT rules



  • Auto-created NAT rules get added to the end of the rules list for the interface (I think).

    Part of the reason for an auto-rule in the first place is to gracefully handle additional rules needed for NAT, and to avoid having to manually enter them. But if a manual rule would impact on an automated NAT rule, can that create a problem? How would one ensure the automated rule will still be acted upon, as it's the last rule in the rule-set? Does that negate the usefulness of auto-rules, especially when traffic on the interface is to be otherwise tightly restricted?


  • Rebel Alliance Global Moderator

    Not sure I understand your question.. But manual rules are evaluated first, and you can change their order and can be very specific with them, etc.. Then the auto rules are done..

    Please post an example of your concern showing some nat rules… So for example I have a manual nat when going out my vpn connection.. There is no possible way this would ever be evaluated wrong..  Since the nat only applies when going out my vpn interface from my lan..

    All other traffic would be going out my wan interface; the auto lists all my local network segments.




  • The kind of situation I'm thinking of is when you want to manually deny a large section of traffic, except for the item covered by NAT. Example:

    IF#1 handles subnet 192.168.0.0/24 and is used for visitors' devices that may be insecure.
    IF#2 handles subnet 192.168.1.0/24 and includes a file server (or printer, or whatever) at 192.168.1.1

    The rules for IF#1 include a section that handles traffic to IF#2, which broadly looks like this: "allow XYZ" followed by "deny all other traffic to IF#2". The firewall also contains a NAT rule mapping 192.168.0.200 to 192.168.1.1, so that any device on IF#1 will 'see' the file server as being on the same subnet as itself and can automatically detect and configure it as a local/LAN/trusted device, which wouldn't be done if it was 'seen' as being on a different subnet.

    However the automatic NAT rule that handles this will be added to the rules after the "allow X/allow Y/deny all else to IF#2" rules, so it will never be seen?


  • Rebel Alliance Global Moderator

    There is no natting between local interfaces… why would you nat between rfc1918 space on your own network?

    You have rfc1918 on your wan of pfsense, and then others on your lan??  You're using it wrong ;)

    If you really want to use pfsense as a downstream router/firewall in your network then turn off nat..  There is no reason to nat rfc1918 space to different rfc1918 space...  The only time there would be is when you're saying running a site to site vpn to a different network and they happen to use the same space as you.. So then you have to nat their address space to some other address space, etc.



  • @johnpoz:

    There is no natting between local interfaces… why would you nat between rfc1918 space on your own network?

    You have rfc1918 on your wan of pfsense, and then others on your lan??  You're using it wrong ;)

    If you really want to use pfsense as a downstream router/firewall in your network then turn off nat..  There is no reason to nat rfc1918 space to different rfc1918 space...  The only time there would be is when you're saying running a site to site vpn to a different network and they happen to use the same space as you.. So then you have to nat their address space to some other address space, etc.

    Logically there's no reason not to. The router only "knows" about 1918 because rules define it, and networks can get set up in some quite unusual ways, especially small private networks. I agree it's not the commonest of tasks but that doesn't invalidate asking how to.  There's no strong reason why one router cannot control multiple LAN subnets within different parts of the rfc1918 private spaces either (for example if there are separate logical sections to the LAN, the setup is too small to merit multiple routers and multiple NICs or rules-based isolation is more economical).

    Example:  the router handles distinct LAN networks on distinct physical NICs, which need to be isolated almost totally, with the exception of some device such as a printer that's accessible (and seen) as a local printer from both. Concrete example: a household has a small home network that is used by a family and a home office. For a bit of extra security the "home" RJ45s link to one NIC and use 192.168.x.x and the office RJ45s plug into a different NIC and use 10.x.x.x (segregation is more obvious this way), and rules exist to prevent communication between the two through the router… except that there's one network printer and no need to buy another, so it's given a mapped IP that allows it to appear as 192.168.1.2 from the "home" and also as 10.1.1.2 from the office.

    Although using the same part of 1918 space might be more usual, it's a perfectly logical and sound concept. Conceptually it's not really any different from any other external/internal IP mapping, since from each network the other network appears as part of "outside". As soon as the router is controlling multiple LAN segments off different NICs, and there's an exception for some resource which might be usefully accessed from both and is to be mapped to appear "transparently" local to both networks, this kind of situation might arise.


  • Rebel Alliance Global Moderator

    You're doing it wrong is all I can say..

    Your shared printer doesn't show any issues with nat..

    "except that there's one network printer and no need to buy another, so it's given a mapped IP that allows it to appear as 192.168.1.2 from the "home" and also as 10.1.1.2 from the office."

    Why do you need/want to nat between these networks??  Please give one actual logical reason why you would nat between these 2 networks..  I have multiple network segments in a home..  Why would I nat between my segments??  Why in the world would I have to map the printer to 10.1.1.2  When I can just access it via 192.168.1.2 while creating a firewall rule..

    Please give an example that actually makes sense where your question comes into play..  There are millions of networks available in rfc1918 space.. For what possible reason would I nat those in the same location..  And if the same space is being used remotely or even let's call it the same building where you happen to use 192.168.1.0/24 and someone else used 192.68.1.0/24..  Why do we need to talk and how are we talking - there would have to be a transit network between us.

    So you freaking nat their 192.168.1.0/24 to 192.168.2.0/24 or any other space available in 1918…  Or one of you changing your network would be the better idea..

    Your question is a non issue because you can not give an example when it would ever come into play that would make sense... Your manual outbound rules come before auto, and manual can be adjusted.. Where exactly is there a problem??  This is outbound nat keep in mind, not inbound.  You're natting your clients behind your interface to your interface when they go out that interface.
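A small Python model of the ordering johnpoz describes, added here as an illustration and not code from the thread or from pfSense: the outbound NAT list is evaluated top to bottom with manual rules above the auto-created catch-all, and the filter rules on IF#1 are a separate list, so a block there never sits "above" a NAT rule. The interface names, the WAN addresses 203.0.113.10/.11, the IF2 address 192.168.1.254 and the rule tables are constructed assumptions.

```python
"""Added illustration of first-match rule ordering, modelled on the outbound NAT
behaviour described in this thread: manual rules are evaluated before the
auto-created ones, and NAT rules and firewall filter rules are separate lists.
Not pfSense code; addresses follow the thread, rule tables are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str   # interface the rule is bound to
    src: str     # source network (CIDR)
    dst: str     # destination network (CIDR)
    result: str  # NAT rule: translated source address; filter rule: "pass"/"block"


# Outbound NAT list: manual rules sit above the auto-created catch-all; first match wins.
MANUAL_NAT = [
    Rule("manual: visitor host uses VIP", "WAN", "192.168.0.50/32", "0.0.0.0/0", "203.0.113.11"),
    Rule("manual: visitors to file server", "IF2", "192.168.0.0/24", "192.168.1.1/32", "192.168.1.254"),
]
AUTO_NAT = [Rule("auto: IF1 subnet via WAN", "WAN", "192.168.0.0/24", "0.0.0.0/0", "203.0.113.10")]
NAT_RULES = MANUAL_NAT + AUTO_NAT

# Filter rules on IF#1 are a separate list, so the block rule cannot shadow a NAT rule.
FILTER_RULES = [
    Rule("allow XYZ to file server", "IF1", "192.168.0.0/24", "192.168.1.1/32", "pass"),
    Rule("deny all other traffic to IF#2", "IF1", "192.168.0.0/24", "192.168.1.0/24", "block"),
    Rule("allow visitors to the internet", "IF1", "192.168.0.0/24", "0.0.0.0/0", "pass"),
]


def first_match(rules, iface, src, dst):
    """Return the first rule bound to iface whose networks contain the packet, else None."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.iface == iface and s in ip_network(r.src) and d in ip_network(r.dst):
            return r
    return None


def evaluate(src, dst, in_if, out_if):
    """Filter on ingress, then translate on egress; returns (verdict, NAT rule name or None)."""
    flt = first_match(FILTER_RULES, in_if, src, dst)
    if flt is None or flt.result == "block":  # default deny when nothing matches
        return "block", None
    nat = first_match(NAT_RULES, out_if, src, dst)
    return "pass", nat.name if nat else None
```

Traffic from the one host with a manual rule takes that rule; everything else from the subnet falls through to the auto rule at the bottom of the list, which is why its position last does not stop it being applied.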