NAT/port forwarding

NAT, in its most commonly used form, is a means of connecting multiple computers to the Internet through a single Internet connection. But it can do more than that, and can accommodate networks with multiple IP addresses. There are two forms of NAT: inbound NAT (port forwarding), which controls where incoming traffic is sent, and outbound NAT, which controls outgoing traffic. We will cover both of these categories in this section.

Inbound NAT (port forwarding)

To configure inbound NAT settings, navigate to Firewall | NAT, and click on the Port Forwarding tab. Port forwarding allows you to forward a specific port, range of ports, or protocol to a node on your internal network.

By default, pfSense does not leave any ports open on the WAN interface, which blocks any traffic initiated on the Internet. This provides protection against malicious parties looking to attack your system. If you add a port forward, pfSense will create a corresponding firewall rule, and it will allow any traffic matching the corresponding rule through. Thus, if you allow port forwarding to a node, you will have to rely on that node's security to protect it from attack.

To create a new port forwarding rule, from the Port Forward tab on the NAT page, click on one of the Add buttons to add a new rule. The first option is Disable, which allows you to disable a rule without deleting it. No RDR (NOT) negates the rule, thus disabling redirection. This option is rarely used, but may be useful if you have a transparent proxy running. It could also be used if you want to exclude a subset of ports from a larger range of ports.

The Interface drop-down box allows you to select the interface the rule applies to (in most cases, you want to leave this as WAN, since with inbound NAT, we are concerned with traffic originating on the Internet). The Protocol drop-down box allows you to select the protocol to which the NAT rule applies. Source allows you to match a packet from a specific source address or network, but in most cases, you can leave it set to Any. You can also set a Source port range, but this is also usually set to Any, since the source and destination port are rarely the same.

For Destination, you probably want to leave this set to WAN address, since users on the Internet will be targeting your WAN address, not one of your private network IP addresses. If you have a multi WAN setup, you may want to change the destination to one of your other WAN interfaces. Destination port range is the port, or range of ports, you want to forward to one of your private IP addresses.

In the Redirect target IP edit box, you enter the internal IP address of the node to which you want to map the port or range of ports. The Redirect target port option specifies the port to which you want to map the port specified in the Destination port range. This is usually identical to the port specified in the Destination port range, but you can specify a different port or ports here. This can be useful in some circumstances. For example, you may want to set up a private web server which is accessible from the Internet on your home Internet connection. However, most ISPs block port 80 (the default HTTP port) and port 443 (HTTPS). Using Port Redirection, you can choose a port other than ports 80 and 443 for Destination (for example, 1234) and redirect traffic coming in on that port to your web server (which likely would be accepting traffic on port 80).

In the Description edit box, you can enter a non-parsed description for future reference. The No XMLRPC Sync checkbox, if checked, will result in this rule not being synced to other CARP members (this does not apply to CARP slaves, which can still have their NAT rules overwritten by a CARP master). The NAT Reflection drop-down box allows you to access the service to which port forwarding is enabled using the public IP address of your network. The Use system default option allows you to use whatever NAT reflection option was chosen in System | Advanced under the NAT tab. The Enable (NAT + Proxy) option will set up a proxy daemon which will receive and reflect connections, but it will only work with TCP connections, and only with single port forwards, or with ranges of less than 500 ports. Enable (Pure NAT) just creates automatic NAT redirect rules to accomplish redirection without using an external daemon. Finally, Disable will disable NAT reflection.

The Filter rule association drop-down box allows you to select what type of firewall rule is created corresponding to the NAT rule. Add associated filter rule generates a new firewall rule that is updated whenever the NAT rule is updated. Add unassociated filter rule generates a new firewall rule that is not automatically updated. Pass will pass traffic that matches the NAT rule through the firewall, but does not create a new firewall rule for it. Finally, if the None option is selected, no firewall rule is created and, unless an existing firewall rule allows the traffic from this NAT rule to pass, the traffic will not pass. When you are done making changes, you can click on the Save button at the bottom of the page and then click on the Apply Changes button on the main Port Forwarding page.
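The following is an added example, not code from the book or from pfSense, that models how the Port Forward options above combine when a packet arrives: rules are checked top to bottom and the first match decides, a No RDR (NOT) rule stops redirection (which is how a subset of ports is carved out of a larger range), the Redirect target port becomes the start of the translated range, and the Filter rule association decides whether the translated packet still passes the firewall. The FTP forward to 172.16.1.100 comes from the page; the WAN address, the web server at 192.168.1.50 reached through port 1234, and the 8080-8090 range forwarded to 192.168.1.60 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed WAN address standing in for the "WAN address" destination choice.
WAN_ADDRESS = "203.0.113.10"


@dataclass
class Packet:
    iface: str      # interface the packet arrives on
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class PortForward:
    """One row of the Port Forward tab, reduced to the fields used here."""
    iface: str
    proto: str
    dst: str                            # "WAN address" or a literal IP
    port_from: int                      # Destination port range: from
    port_to: int                        # Destination port range: to (== from for one port)
    target_ip: Optional[str] = None     # Redirect target IP
    target_port: Optional[int] = None   # Redirect target port (start of the target range)
    no_rdr: bool = False                # "No RDR (NOT)": match, but do not redirect
    disabled: bool = False              # "Disable"
    assoc: str = "associated"           # Filter rule association: associated/unassociated/pass/none


def rule_matches(rule: PortForward, pkt: Packet) -> bool:
    if rule.disabled or rule.iface != pkt.iface:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    dst = WAN_ADDRESS if rule.dst == "WAN address" else rule.dst
    if ip_address(pkt.dst) != ip_address(dst):
        return False
    return rule.port_from <= pkt.dport <= rule.port_to


def apply_port_forwards(rules: List[PortForward], pkt: Packet) -> Tuple[Optional[PortForward], Optional[Packet]]:
    """Walk the rules top to bottom; the first match decides (pf NAT rules are first-match).

    A matching NOT rule ends the search without redirecting, which is how a
    subset of ports is excluded from a larger forwarded range.
    """
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.no_rdr:
            return rule, None
        # A destination range is mapped onto a target range that starts at target_port.
        new_port = rule.target_port + (pkt.dport - rule.port_from)
        return rule, Packet(pkt.iface, pkt.proto, pkt.src, rule.target_ip, new_port)
    return None, None


def firewall_allows(rule: Optional[PortForward], translated: Optional[Packet],
                    other_rules: Iterable[Callable[[Packet], bool]] = ()) -> bool:
    """After translation the packet still has to pass the firewall.

    Associated, unassociated and pass associations all let the matching traffic
    through; None leaves it to whatever other firewall rules exist.
    """
    if rule is None or translated is None:
        return False
    if rule.assoc in ("associated", "unassociated", "pass"):
        return True
    return any(check(translated) for check in other_rules)


# Constructed rule set. The FTP forward is the one from the page; the web-server
# forward on port 1234 and the 8080-8090 range (with 8085-8089 excluded) are assumed.
RULES = [
    PortForward("wan", "tcp", "WAN address", 21, 21, "172.16.1.100", 21),
    PortForward("wan", "tcp", "WAN address", 1234, 1234, "192.168.1.50", 80, assoc="none"),
    # The NOT rule must sit above the range it excludes from, or it is never reached.
    PortForward("wan", "tcp", "WAN address", 8085, 8089, no_rdr=True),
    PortForward("wan", "tcp", "WAN address", 8080, 8090, "192.168.1.60", 8080),
]


def forward(dport: int, iface: str = "wan", proto: str = "tcp"):
    """Return (target_ip, target_port, passed) for a constructed Internet-side packet."""
    pkt = Packet(iface, proto, "198.51.100.7", WAN_ADDRESS, dport)
    rule, translated = apply_port_forwards(RULES, pkt)
    if translated is None:
        return None, None, False
    return translated.dst, translated.dport, firewall_allows(rule, translated)


if __name__ == "__main__":
    for port in (21, 1234, 8086, 8090, 22):
        print(port, forward(port))
```

Note that the port-1234 forward is translated but not passed, because its association is None and no other firewall rule in this model allows it; that is the case the text warns about, where the NAT entry alone is not enough.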

1:1 NAT

1:1 NAT allows you to map one public IP to one private IP; all traffic from that private IP to the Internet will then be mapped to the public IP specified in the 1:1 NAT mapping. This will override the Outbound NAT settings. Conversely, all traffic initiated on the Internet which is destined for the specified public IP address will then be translated to the private IP. Then it will be evaluated according to the WAN firewall ruleset, and if the traffic is permitted by the WAN rules, it will be passed to the internal node specified in the mapping.

To create a NAT 1:1 mapping, click on the 1:1 tab on the NAT page and click on the Add button below the table. Many of the options are similar to the options we covered in the Port Forwarding section. Negate allows you to exclude the rule from the NAT, which could be useful if you are redirecting a range of addresses and need to exclude a subset of the range. No BINAT disables redirection for any traffic matching the rule. This way, you can exclude a subset of addresses from a larger range of translated addresses. The Interface dropdown allows you to specify the interface to which this mapping applies; usually, you can leave it set to WAN. The External subnet IP edit box is where you enter the external subnet's starting IP address for the 1:1 mapping.

In the Internal IP section, you specify the internal subnet for the 1:1 mapping. The subnet size for the internal subnet determines how many IP addresses are mapped. For example, assume we have set External subnet IP to 10.1.1.1 and Internal IP to 192.168.1.100/30 (with Network as the type specified in the Type drop-down box). This will map 10.1.1.1 to 192.168.1.100, 10.1.1.2 to 192.168.1.101, and so on up to and including 10.1.1.3/192.168.1.103. Destination allows us to use the 1:1 mapping only for connection to or from the specified destination; usually, this is set as Any. Both Internal IP and Destination have Not checkboxes allowing us to invert the sense of the match.

You can enter a non-parsed description for future reference in the Description field. The NAT reflection drop-down box allows you to access the mapped nodes on the local network from the public IP address. Unlike Port Forwarding, where there were several options for reflection, there are only two options here: Enable and Disable. Click on the Save button when you are done making changes to the 1:1 entry and click on the Apply Changes button on the main NAT page to reload the rules.

Outbound NAT

Outbound NAT configuration, as the name implies, covers traffic from our internal networks whose destination is an external network. The default NAT configuration in pfSense automatically translates outbound traffic to the WAN IP address. If there are multiple WAN interfaces, traffic leaving any WAN interface is automatically translated to the address of the WAN interface which is being used. Thus, you may find configuring outbound NAT rules unnecessary.

[Figure: Outbound NAT. The main outbound NAT page, with Automatic outbound NAT rule generation selected. Rules in the Mappings section are automatically generated rules.]

If you do need to create or edit outbound NAT rules, you can do so by clicking on the Outbound tab on the NAT page. There are four options (represented by radio buttons) in the General Logging Options section, which control how the outbound rules are generated:

  • Automatic outbound NAT rule generation is the default option and is suitable if all you want to do is forward outbound traffic to the WAN, while translating the internal IP address to the external IP address
  • Hybrid Outbound NAT rule generation will still automatically generate outbound NAT rules for each non-WAN interface, but you will also be able to create your own outbound NAT rules
  • Manual Outbound NAT rule generation, if selected, will not automatically create any rules, although any previously created automatic rules will remain
  • Disable Outbound NAT rule generation, if selected, will result in no outbound NAT rules being allowed

If you have Automatic outbound NAT rule generation selected, you should also see a section on the page called Automatic Rules which will contain two rules: a rule for non-static ports to pass outgoing traffic on internal interfaces to the WAN address, and a rule for static ports to send ISAKMP traffic. To create or edit outbound NAT rules, click on one of the Add buttons below the Mappings section.

The first section of the page is Edit Advanced Outbound NAT Entry. The Disabled option just disables the rule, while Do not NAT completely disables NAT processing for traffic matching the rule. The Interface drop-down box allows you to select the interface (as with almost every rule in which NAT is involved, this is usually set to WAN). Protocol allows you to specify the protocol the outbound rule applies to (usually we can keep it set to any, but you may want to create a more restrictive rule). Source is where you define where the traffic originates. This is almost always a subnet on your local network. For example, if we want to create an outbound rule for the DEVELOPERS network, and its subnet is 172.17.0.0/16, we would choose Network in the Type drop-down box, enter 172.16.0.0 in the adjacent edit box, and set the CIDR in the dropdown box to 16. Finally, Destination allows us to set a destination network for the outbound NAT mapping. Since we typically do not know the destination ahead of time, we usually set this to Any. The Not checkbox, if checked, inverts the sense of the destination match.

The Translation section of the page allows us to translate the IP address from the original internal address to another IP address. The default setting in the Address drop-down box is Interface Address, which just uses the IP address of the interface selected in the Interface drop-down box. We can also select Other Subnet, which will make additional options available. If we choose this option in the drop-down box, we can enter a different subnet in the Other subnet edit box; if we use this option, we need to define virtual IPs first, and use a subnet of virtual IPs.

The Pool options dropdown allows you to select how the subnet pool is used. The following options are available:

  • Round Robin: This goes through the virtual IP addresses in a round-robin fashion; in other words, in a loop. It is the only option that works with host aliases.
  • Random: This option will result in pfSense selecting an address from the virtual IP subnet randomly.
  • Source Hash: This option will take the source IP address, hash it, and use the hash to determine the translation IP address. This guarantees that as long as the source IP address remains the same, the translation IP address will also remain the same.
  • Bitmask: This option applies the subnet mask defined in the Other subnet and keeps the last portion identical. So if we choose a virtual IP pool of 10.1.1.0/24 and the source IP is 192.168.1.12, the translated address will be 10.1.1.12.
  • Round Robin with Sticky Address/Random with Sticky Address: These options invoke either Round Robin or Random addresses, but once an address is selected for a source IP address, it remains the same.

In the Port edit box, you can set the source port for the outbound NAT mapping. The Static port checkbox, if enabled, will prevent pfSense from rewriting the source port on outgoing packets. Rewriting the source port prevents other parties from finding out the original source port and thus thwarts fingerprinting nodes behind the firewall. Rewriting the source ports, however, breaks some applications, and in such cases we can enable static ports for the rule.

The No XMLRPC Sync checkbox in the Misc section, if checked, will prevent the rule from syncing to other CARP members. You can also enter a brief description for future reference. When you are done, click on the Save button at the bottom of the page and the Apply Changes button on the main NAT page.
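As an added example (not code from the book or from pfSense), the following models the outbound NAT decisions described above for a rule whose Translation address is an Other Subnet pool of virtual IPs: each Pool option picks the translation address in its own way (round robin, random, source hash, bitmask, and the two sticky variants), and the source port is either kept (Static port) or rewritten. The pool 10.1.1.0/24 and the source 192.168.1.12 come from the Bitmask description on the page; SHA-256 standing in for pf's keyed source hash, the seeded random generator, and the 50001-65535 rewrite range are assumptions made for the example.

```python
import hashlib
import itertools
import random
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, Optional, Tuple

# Source ports are rewritten into this range unless Static port is set
# (assumption: pf's default high-port range is used here for illustration).
REWRITE_RANGE = (50001, 65535)


class OutboundRule:
    """One outbound NAT mapping with an 'Other subnet' pool of virtual IPs."""

    def __init__(self, source: str, pool: str, pool_option: str, static_port: bool = False):
        self.source = ip_network(source)
        self.pool = ip_network(pool)
        self.pool_option = pool_option
        self.static_port = static_port
        # Addresses handed out by the pool; a /32 pool is just that one address.
        self.addresses = list(self.pool.hosts()) or [self.pool.network_address]
        self._round_robin = itertools.cycle(self.addresses)
        self._sticky: Dict[IPv4Address, IPv4Address] = {}
        self._rng = random.Random(0)   # seeded only so the demo is repeatable

    def pick_address(self, src: IPv4Address) -> IPv4Address:
        opt = self.pool_option
        if opt.endswith("-sticky"):
            # Round Robin / Random with Sticky Address: the first choice is remembered per source.
            if src not in self._sticky:
                self._sticky[src] = self._pick(opt[: -len("-sticky")], src)
            return self._sticky[src]
        return self._pick(opt, src)

    def _pick(self, opt: str, src: IPv4Address) -> IPv4Address:
        if opt == "round-robin":
            return next(self._round_robin)
        if opt == "random":
            return self._rng.choice(self.addresses)
        if opt == "source-hash":
            # Same source -> same digest -> same pool member (SHA-256 stands in for pf's keyed hash).
            digest = hashlib.sha256(src.packed).digest()
            return self.addresses[int.from_bytes(digest[:4], "big") % len(self.addresses)]
        if opt == "bitmask":
            # Keep the host bits of the source, replace the network bits with the pool's.
            return IPv4Address(int(self.pool.network_address) | (int(src) & int(self.pool.hostmask)))
        raise ValueError(f"unknown pool option: {opt}")

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Return the (address, port) the packet leaves with, or None if the rule does not apply."""
        src = ip_address(src_ip)
        if src not in self.source:
            return None
        new_ip = self.pick_address(src)
        new_port = src_port if self.static_port else self._rng.randint(*REWRITE_RANGE)
        return str(new_ip), new_port


if __name__ == "__main__":
    bitmask = OutboundRule("192.168.1.0/24", "10.1.1.0/24", "bitmask")
    print(bitmask.translate("192.168.1.12", 40000))   # 10.1.1.12 and a rewritten high port
    sticky = OutboundRule("172.16.0.0/16", "10.1.1.0/29", "random-sticky", static_port=True)
    print(sticky.translate("172.16.5.5", 5000), sticky.translate("172.16.5.5", 5001))
```

The bitmask and source-hash options are the two that give a source a stable translation address without keeping any state, which matters when a remote service ties a session to the client address; the sticky variants achieve the same stability but only for as long as the firewall remembers the mapping.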

Network Prefix Translation

Network Prefix Translation (NPT) allows us to map an internal IPv6 prefix to an external IPv6 prefix. Normally, we try to avoid using NAT when we use IPv6, but there are some cases where being able to translate IPv6 prefixes is helpful (for example, in multi WAN setups). It functions similarly to 1:1 NAT for IPv4 addresses, only in this case, we are translating prefixes, not complete addresses.

To create an NPT entry, click on the NPT tab and click on one of the Add buttons on the page. There is only one section on the page: Edit NAT NPT Entry. Checking the Disable checkbox will disable the rule. The Interface drop-down box allows you to select the interface to which the rule applies (once again, it's usually WAN).

The first Address edit box is where you enter the internal ULA IPv6 prefix which will be translated. You also need to select the CIDR for the prefix. In the second Address edit box, you enter the external, global unicast routable IPv6 prefix (you must specify the CIDR of the prefix here as well). Both the internal and destination (external) prefixes have corresponding Not checkboxes you can use to invert the sense of the match.

The last option is the Description edit box, where you can enter a non-parsed description. Once you have entered all the information, click on the Save button and the Apply Changes button on the NAT page.
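As an added example (not code from the book or from pfSense), the following models one NPT entry: it checks that the internal prefix is a ULA prefix and the external one is global unicast, that both have the same length, and then swaps the prefix bits in each direction while keeping the interface identifier. The prefixes fd12:3456:789a:1::/64 and 2001:db8:abcd:1::/64 are constructed for the example; the translation is a plain prefix substitution, and the checksum-neutral adjustment described in RFC 6296 is not modelled.

```python
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import Optional

ULA = ip_network("fc00::/7")              # unique local addresses (RFC 4193)
GLOBAL_UNICAST = ip_network("2000::/3")   # globally routable unicast space


class NptEntry:
    """One NPT mapping: internal ULA prefix <-> external global prefix of the same length."""

    def __init__(self, internal_prefix: str, external_prefix: str):
        self.internal: IPv6Network = ip_network(internal_prefix)
        self.external: IPv6Network = ip_network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("internal and external prefixes must have the same length")
        if not self.internal.subnet_of(ULA):
            raise ValueError("internal prefix must be a ULA prefix (fc00::/7)")
        if not self.external.subnet_of(GLOBAL_UNICAST):
            raise ValueError("external prefix must be global unicast (2000::/3)")

    @staticmethod
    def _swap_prefix(addr: str, src: IPv6Network, dst: IPv6Network) -> Optional[IPv6Address]:
        """Replace src's prefix bits with dst's, keeping the bits after the prefix (the interface ID)."""
        a = ip_address(addr)
        if a not in src:
            return None                      # not covered by this entry; left untouched
        host_bits = int(a) & int(src.hostmask)
        return IPv6Address(int(dst.network_address) | host_bits)

    def outbound(self, addr: str) -> Optional[IPv6Address]:
        """Internal -> external, applied to the source of packets leaving via the interface."""
        return self._swap_prefix(addr, self.internal, self.external)

    def inbound(self, addr: str) -> Optional[IPv6Address]:
        """External -> internal, applied to the destination of packets arriving on the interface."""
        return self._swap_prefix(addr, self.external, self.internal)


if __name__ == "__main__":
    entry = NptEntry("fd12:3456:789a:1::/64", "2001:db8:abcd:1::/64")
    print(entry.outbound("fd12:3456:789a:1::10"))   # 2001:db8:abcd:1::10
    print(entry.inbound("2001:db8:abcd:1::10"))     # fd12:3456:789a:1::10
```

Because only the prefix changes, a /48 entry covers every /64 beneath it with the subnet ID preserved, which is what makes NPT usable in the multi-WAN case the text mentions: the same internal addressing is presented under a different provider prefix on each WAN.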

An example NAT rule

To illustrate NAT rule creation, we'll create a NAT rule for our example network. We want to set up an FTP server which will be accessible from the Internet. The FTP server will reside on the DMZ interface; its internal IP address will be 172.16.1.100. The procedure for setting up a NAT rule for this server is as follows:

  1. Navigate to Firewall | NAT, and click on one of the Add buttons.
  2. Leave Disabled, No RDR (NOT), Interface, Protocol, and Source unchanged. In Destination, leave Type as WAN address, and in Destination port range, select FTP in the first drop-down box as the From port.
  3. Set the Redirect target IP to 172.16.1.100.
  4. In Redirect target port, select FTP in the drop-down box.
  5. Enter a brief description in the Description field (for example, FTP port forward rule).
  6. Leave the remaining options unchanged. Leaving the Filter rule association set to Add associated filter rule will ensure that a corresponding firewall rule will be created to allow traffic to port 21 of the FTP server. Click on the Save button at the bottom of the page, then click on Apply Changes on the NAT page.

We have now created a port forwarding rule (and an automatically generated firewall rule) for the FTP server.
