NAT, Firewall, IP stack, etc Order of Operation / Order of Interaction

  • Greetings,

    Can anyone point me to a guide showing the Order of Operation / Order of Interaction for pfSense or technically FreeBSD with pf? Something like the diagram in the link below for Vyatta. Even the "The pfSense Book" doesn't have this.

    It looks like it does NAT before routing, which is good in my situation, but I want to really know why this works. The reason I think it is NAT before routing is this.

    On a pfSense box I have the following.

    • An interface using and a point to multipoint interface.

    • A 1:1 NAT rule translating to for

    • A static route to forward traffic for to another router.

    • does not exist in the route table as itself or part of a larger block except

    • I have traffic coming in on the point to multipoint interface from IPs in to IPs in

    If routing happened before NAT then it would forward that traffic due to the route since doesn't live on that pfSense system according to the route table.

    • It does forward traffic from sources other than with the destination IP in

    However, requests from to are translated to and the traffic reaches a system behind the pfSense system, which tells me it's NATing before routing.



  • LAYER 8 Global Moderator

    Does this answer your question?
    More accurately, the following order (still simplified) is found in the ruleset (Check /tmp/rules.debug):

    Outbound NAT rules
        Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
        NAT rules for the Load Balancing daemon (relayd)
        Rules dynamically received from RADIUS for OpenVPN and IPsec clients
        Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
        User-defined rules:
            Rules defined on the floating tab
            Rules defined on interface group tabs (Including OpenVPN)
            Rules defined on interface tabs (WAN, LAN, OPTx, etc)
        Automatic VPN rules
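
To make the inference in the first post concrete, here is an added model in Python (written for this page, not code from the thread or from pfSense): it applies a 1:1 NAT rule either before or after a longest-prefix route lookup, with constructed addresses standing in for the prefixes elided above, and shows that only NAT-before-routing delivers the matching traffic to the host behind pfSense while non-matching sources follow the static route.

```python
import ipaddress

# All addresses below are constructed placeholders; the original post's
# prefixes were elided from the page.
ROUTE_TABLE = [  # (destination, next hop); "local" = directly attached
    (ipaddress.ip_network("10.10.0.0/24"), "local"),            # LAN behind pfSense
    (ipaddress.ip_network("192.168.50.0/24"), "192.168.99.1"),  # static route to another router
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1"),         # default route
]

# 1:1 NAT rule: for sources in "source", external 192.168.50.10 maps to internal 10.10.0.10.
ONE_TO_ONE = {
    "source": ipaddress.ip_network("192.168.60.0/24"),
    "external": ipaddress.ip_address("192.168.50.10"),
    "internal": ipaddress.ip_address("10.10.0.10"),
}

def lookup_route(dst):
    """Longest-prefix match over ROUTE_TABLE; returns the next hop."""
    best = None
    for net, hop in ROUTE_TABLE:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]

def translate_inbound(src, dst):
    """Apply the 1:1 rule only if the source matches and dst is the external address."""
    if src in ONE_TO_ONE["source"] and dst == ONE_TO_ONE["external"]:
        return ONE_TO_ONE["internal"]
    return dst

def forward(src, dst, nat_first=True):
    """Return (next_hop, delivered_dst) for a packet, with NAT before or after routing."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat_first:
        dst = translate_inbound(src, dst)      # translate, then route on the new destination
        return lookup_route(dst), str(dst)
    hop = lookup_route(dst)                    # route chosen on the untranslated destination
    if hop == "local":                         # translation could only affect local delivery
        dst = translate_inbound(src, dst)
    return hop, str(dst)

if __name__ == "__main__":
    for src, dst in [("192.168.60.5", "192.168.50.10"), ("172.16.0.5", "192.168.50.10")]:
        print(src, "->", dst, "| NAT first:", forward(src, dst, True),
              "| route first:", forward(src, dst, False))
```

With NAT first, the matching source reaches the internal host; with routing first, the static route wins and the packet leaves for the other router, which is the behaviour the first post rules out.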

  • @Rhongomiant:

    Even the "The pfSense Book" doesn't have this.

    Yes it does, there is a diagram that illustrates exactly that with accompanying description. See the NAT chapter.

    Thank you guys, those are useful and I was not able to find them, so your efforts were helpful.

    However, they don't explain the situation I described where it looks like NAT occurs before routing. The situation is LAN to LAN, not LAN to WAN or WAN to LAN, and my first post explains it in detail. Therefore, the diagram that shows <tcpdump> -> <nat> -> <firewall rules> seems too generalized to explain what is happening in the situation I have described.

    I did a search through the wiki and pfSense book with terms used in what you provided and didn't find more.

    I am looking for something a bit more technical like in this diagram for Vyatta.

    Thank you,


  • LAYER 8 Netgate

    LAN to LAN doesn't go through the firewall at all. Or do you mean LAN to OPT1 or something?

  • It works the same for LAN to LAN (assuming that's two diff LANs, say LAN to LAN2) as for LAN to WAN. NAT just generally doesn't happen (no match where it's processing that) going from LAN to LAN.
