NAT, Firewall, IP stack, etc Order of Operation / Order of Interaction



  • Greetings,

    Can anyone point me to a guide showing the Order of Operation / Order of Interaction for pfSense or technically FreeBSD with pf? Something like the diagram in the link below for Vyatta. Even the "The pfSense Book" doesn't have this.

    http://onebadpixel.com/blog/2014/01/22/part-5-nat-translation/

    It looks like it does NAT before routing, which is good in my situation, but I want to really know why this works. The reason I think it is NAT before routing is this.

    On a pfSense box I have the following.

    • An interface using 10.2.0.0/24 and a point to multipoint interface.

    • A 1:1 NAT rule translating 10.2.0.0/24 to 10.3.0.0/24 for 10.100.10.0/24.

    • A static route to forward traffic for 10.0.0.0/8 to another router.

    • 10.3.0.0/24 does not exist in the route table as itself or part of a larger block except 10.0.0.0/8.

    • I have traffic coming in on the point to multipoint interface from IPs in 10.10.0.0/24 to IPs in 10.3.0.0/24.

    If routing happened before NAT then it would forward that traffic due to the 10.0.0.0/8 route since 10.3.0.0/24 doesn't live on that pfSense system according to the route table.

    • It does forward traffic from sources other than 10.10.0.0/24 with the destination IP in 10.3.0.0/24.

    However, requests from 10.10.0.0/24 to 10.3.0.0/24 are translated to 10.2.0.0/24 and the traffic reaches a 10.2.0.0 system behind the pfSense system, which tells me it's NATing before routing.

    Thanks,

    Rhongomiant
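    The ordering question in this post can be made concrete with a small model. The following is an added example (not the poster's code and not pfSense's or pf's own implementation): it builds the post's routing table and 1:1 rule with the `ipaddress` module, runs a longest-prefix route lookup either after or before the translation, and shows that only the NAT-then-route order delivers 10.10.0.0/24 -> 10.3.0.0/24 traffic to the directly attached 10.2.0.0/24. The next hop for the 10.0.0.0/8 route is a placeholder, and the rule's source restriction is assumed to be 10.10.0.0/24, the sources the post says get translated.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the post's setup: a directly attached 10.2.0.0/24 and a
# 10.0.0.0/8 static route to another router (next hop is a placeholder).
ROUTES = [
    (ip_network("10.2.0.0/24"), "connected: 10.2.0.0/24"),
    (ip_network("10.0.0.0/8"), "static: 10.0.0.0/8 via other router (placeholder)"),
]

# 1:1 NAT: outside 10.3.0.0/24 maps onto inside 10.2.0.0/24, restricted to the
# sources below (assumed 10.10.0.0/24, which the post says gets translated).
ONE_TO_ONE = {
    "external": ip_network("10.3.0.0/24"),
    "internal": ip_network("10.2.0.0/24"),
    "sources": ip_network("10.10.0.0/24"),
}

def lookup_route(dst):
    """Longest-prefix match over ROUTES; None if nothing matches."""
    matches = [(net, via) for net, via in ROUTES if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def apply_one_to_one(src, dst, rule):
    """Rewrite dst's host bits from the external to the internal /24 when the
    source matches the rule's restriction; otherwise return dst unchanged."""
    if src in rule["sources"] and dst in rule["external"]:
        offset = int(dst) - int(rule["external"].network_address)
        return ip_address(int(rule["internal"].network_address) + offset)
    return dst

def forward(src, dst, nat_first=True):
    """Return (destination after NAT, chosen route) under either ordering.
    nat_first=True models pf: translation on the inbound interface, so the
    routing lookup already sees the translated destination."""
    src, dst = ip_address(src), ip_address(dst)
    if nat_first:
        dst = apply_one_to_one(src, dst, ONE_TO_ONE)
        return str(dst), lookup_route(dst)
    route = lookup_route(dst)  # hypothetical route-before-NAT order
    return str(apply_one_to_one(src, dst, ONE_TO_ONE)), route

if __name__ == "__main__":
    for order in (True, False):
        label = "NAT first " if order else "route first"
        print(label, forward("10.10.0.5", "10.3.0.7", order))
    print("other source", forward("192.168.1.9", "10.3.0.7"))
```

Run it to see that the route-first order would hand the translated packet to the 10.0.0.0/8 next hop, while the NAT-first order picks the connected interface, and that a source outside the rule's restriction is never translated at all.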


  • LAYER 8 Global Moderator

    Does this answer your question?

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
    More accurately, the following order (still simplified) is found in the ruleset (Check /tmp/rules.debug):

        Outbound NAT rules
        Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
        NAT rules for the Load Balancing daemon (relayd)
        Rules dynamically received from RADIUS for OpenVPN and IPsec clients
        Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
        User-defined rules:
            Rules defined on the floating tab
            Rules defined on interface group tabs (Including OpenVPN)
            Rules defined on interface tabs (WAN, LAN, OPTx, etc)
        Automatic VPN rules



  • @Rhongomiant:

    Even the "The pfSense Book" doesn't have this.

    Yes it does, there is a diagram that illustrates exactly that with accompanying description. See the NAT chapter.



  • Thank you guys, those are useful and I was not able to find them, so your efforts were helpful.

    However, they don't explain the situation I described where it looks like NAT occurs before routing. The situation is LAN to LAN, not LAN to WAN or WAN to LAN, and my first post explains it in detail. Therefore, the diagram that shows tcpdump -> NAT -> firewall rules seems too generalized to explain what is happening in the situation I have described.

    I did a search through the wiki and pfSense book with terms used in what you provided and didn't find more.

    I am looking for something a bit more technical like in this diagram for Vyatta.
    http://onebadpixel.com/blog/2014/01/22/part-5-nat-translation/

    Thank you,

    Rhongomiant


  • LAYER 8 Netgate

    LAN to LAN doesn't go through the firewall at all. Or do you mean LAN to OPT1 or something?



  • It works the same for LAN to LAN (assuming that's two diff LANs, say LAN to LAN2) as for LAN to WAN. NAT just generally doesn't happen (no match where it's processing that) going from LAN to LAN.

