Netgate Discussion Forum
    NAT, Firewall, IP stack, etc Order of Operation / Order of Interaction

    Rhongomiant

      Greetings,

      Can anyone point me to a guide showing the Order of Operation / Order of Interaction for pfSense or technically FreeBSD with pf? Something like the diagram in the link below for Vyatta. Even the "The pfSense Book" doesn't have this.

      http://onebadpixel.com/blog/2014/01/22/part-5-nat-translation/

      It looks like it does NAT before routing, which is good in my situation, but I want to really know why this works. The reason I think it is NAT before routing is this.

      On a pfSense box I have the following.

      • An interface using 10.2.0.0/24 and a point to multipoint interface.

      • A 1:1 NAT rule translating 10.2.0.0/24 to 10.3.0.0/24 for 10.100.10.0/24.

      • A static route to forward traffic for 10.0.0.0/8 to another router.

      • 10.3.0.0/24 does not exist in the route table as itself or part of a larger block except 10.0.0.0/8.

      • I have traffic coming in on the point to multipoint interface from IPs in 10.10.0.0/24 to IPs in 10.3.0.0/24.

      If routing happened before NAT then it would forward that traffic due to the 10.0.0.0/8 route since 10.3.0.0/24 doesn't live on that pfSense system according to the route table.

      • It does forward traffic from sources other than 10.10.0.0/24 with the destination IP in 10.3.0.0/24.

      However, requests from 10.10.0.0/24 to 10.3.0.0/24 are translated to 10.2.0.0/24 and the traffic reaches a 10.2.0.0 system behind the pfSense system, which tells me it's NATing before routing.

      Thanks,

      Rhongomiant

        johnpoz LAYER 8 Global Moderator

        Does this answer your question?

        https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
        More accurately, the following order (still simplified) is found in the ruleset (Check /tmp/rules.debug):

            • Outbound NAT rules
            • Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
            • NAT rules for the Load Balancing daemon (relayd)
            • Rules dynamically received from RADIUS for OpenVPN and IPsec clients
            • Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
            • User-defined rules:
                • Rules defined on the floating tab
                • Rules defined on interface group tabs (Including OpenVPN)
                • Rules defined on interface tabs (WAN, LAN, OPTx, etc)
            • Automatic VPN rules

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          cmb

          @Rhongomiant:

          Even the "The pfSense Book" doesn't have this.

          Yes it does, there is a diagram that illustrates exactly that with accompanying description. See the NAT chapter.

            Rhongomiant

            Thank you guys, those are useful and I was not able to find them, so your efforts were helpful.

            However, they don't explain the situation I described where it looks like NAT occurs before routing. The situation is LAN to LAN, not LAN to WAN or WAN to LAN, and my first post explains it in detail. Therefore, the diagram that shows <tcpdump> -> <nat> -> <firewall rules> seems too generalized to explain what is happening in the situation I have described.

            I did a search through the wiki and pfSense book with terms used in what you provided and didn't find more.

            I am looking for something a bit more technical like in this diagram for Vyatta.
            http://onebadpixel.com/blog/2014/01/22/part-5-nat-translation/

            Thank you,

            Rhongomiant

              Derelict LAYER 8 Netgate

              LAN to LAN doesn't go through the firewall at all. Or do you mean LAN to OPT1 or something?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                cmb

                It works the same for LAN to LAN (assuming that's two diff LANs, say LAN to LAN2) as for LAN to WAN. NAT just generally doesn't happen (no match where it's processing that) going from LAN to LAN.

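                The order the thread arrives at (translation on the inbound interface first, then the filter rules, then a route lookup on the already-translated destination) can be walked through with the first post's addresses. This is an added, constructed model written for this thread, not code from pf, pfSense or any poster; the interface names, the next-hop address and the source restriction on the 1:1 rule are assumptions.

```python
import ipaddress

# Constructed model of the inbound path discussed in the thread: pf applies
# translation (binat/rdr) to an inbound packet before the filter rules, and
# the kernel's route lookup then runs on the translated destination.
# Addresses come from the first post; "mp0", "lan" and the next hop are assumed.

BINAT_RULES = [
    # (inbound interface, source net the rule applies to, external net, internal net)
    ("mp0", "10.10.0.0/24", "10.3.0.0/24", "10.2.0.0/24"),
]

ROUTES = [
    # (prefix, next hop or "connected", egress interface)
    ("10.2.0.0/24", "connected", "lan"),
    ("10.0.0.0/8", "10.255.255.1", "mp0"),  # assumed next-hop address
]

def translate(ifname, src, dst):
    """Step 1: 1:1 (binat) translation. Rewrite dst if a rule on this interface matches."""
    for rif, rsrc, ext, internal in BINAT_RULES:
        if rif != ifname or src not in ipaddress.ip_network(rsrc):
            continue
        ext_net, int_net = ipaddress.ip_network(ext), ipaddress.ip_network(internal)
        if dst in ext_net:
            host = int(dst) - int(ext_net.network_address)
            return ipaddress.ip_address(int(int_net.network_address) + host)
    return dst

def route(dst):
    """Step 3: longest-prefix match over the route table."""
    best = None
    for prefix, nexthop, oif in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, oif)
    return (best[1], best[2]) if best else None

def forward(ifname, src, dst):
    """Inbound packet: translate, (step 2, the filter rules, omitted here), then route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    new_dst = translate(ifname, src, dst)
    nexthop, oif = route(new_dst)
    return str(new_dst), nexthop, oif

if __name__ == "__main__":
    print(forward("mp0", "10.10.0.5", "10.3.0.7"))  # translated, delivered on lan
    print(forward("mp0", "10.50.0.5", "10.3.0.7"))  # untranslated, follows 10.0.0.0/8
```

Because the route lookup sees 10.2.0.7 rather than 10.3.0.7 for the matching source, the connected /24 wins over the /8, which is the behaviour the first post observed; a source the rule does not cover keeps 10.3.0.7 and is forwarded to the other router.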
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.