Correction #12400

open

NAT 1:1 documentation - multi-wan information

Added by Ricardo Mendes 29 days ago. Updated 29 days ago.

Status: New
Priority: Normal
Assignee: -
Category: NAT
Target version: -
% Done: 0%

Description

Dear pfSense team,

I would like to submit a suggestion for the NAT 1:1 page. This suggestion comes from an issue I faced when configuring multi-WAN NAT 1:1 where the outgoing traffic had to go through the interface and external IP assigned on the interface.

On the first paragraph of the NAT 1:1 page it says:
"All traffic originating from that private IPv4 address going to the Internet will be mapped by 1:1 NAT to the public IPv4 address defined in the entry, overriding the Outbound NAT configuration."

Seems pretty simple and straightforward. When I configure the NAT 1:1 I even select an interface where the given subnet is, and that should be used. "all traffic going to the internet" hence outgoing traffic "will be mapped by 1:1 NAT to the public IPv4 address". Perfect. I even selected the interface where the public IP is. Seems like a no-brainer.

Actually, it isn't. After much reading, I found a remark which is literally the last sentence on the Multi-WAN NAT page:
"If a local device must always use a 1:1 NAT entry on a specific WAN, then traffic from that device must be forced to use that specific WAN gateway with policy routing firewall rules."

This goes (imho) against the previous statement. It has to be forced, and it isn't all traffic, as previously stated.

Anyway, to brief things up, I suggest adding this information at the end of the 1:1 NAT article, something with a title like "Multi-WAN NAT 1:1" - "If a local device must always use a 1:1 NAT entry on a specific WAN, then traffic from that device must be forced to use that specific WAN gateway with policy routing firewall rules."
Considering there are so many articles on the forums about this subject, I believe it would be nice to have that information there.

Thank you, and a great time ahead!
Ricardo Mendes

Actions #1

Updated by Jim Pingle 29 days ago

NAT never controls where traffic exits the firewall in any context (1:1, outbound, port forwards). NAT only manipulates addresses on traffic as it flows. Directing traffic is all up to routes and policy routing.

That concept is mentioned several times in the docs but could maybe be strengthened on that page.

Actions #2

Updated by Ricardo Mendes 29 days ago

Dear Jim, thank you for the quick reply.
I do agree on the concept of NAT not controlling outgoing traffic and how the concept is approached in different areas of the documentation. I believe that this page specifically, especially that first paragraph on NAT 1:1, suggests it does, so without giving much thought to it one may assume it is indeed a feature of pfSense.
Thank you for your consideration to this suggestion! Best regards, RM
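
The behaviour discussed in this thread, sketched as a hand-written pf.conf-style fragment. This is an added example, not part of the original issue and not the ruleset pfSense generates; the interface names, gateways and addresses are constructed (RFC 1918 and RFC 5737 ranges), and it assumes the default route points at WAN1.

```conf
# Constructed values: every name and address below is an assumption.
lan_if  = "igb1"
wan1_if = "igb0"              # default route leaves here
wan2_if = "igb2"              # the 1:1 NAT public IP lives here
wan2_gw = "203.0.113.1"
lan_net = "192.168.1.0/24"
host    = "192.168.1.10"      # internal device with the 1:1 entry
pub_ip  = "203.0.113.10"      # its public address on WAN2

# --- Translation --------------------------------------------------
# 1:1 NAT: rewrites addresses only for packets that cross wan2_if.
# It does not choose the interface a packet leaves on.
binat on $wan2_if from $host to any -> $pub_ip

# Ordinary outbound NAT for everything else on each WAN.
nat on $wan1_if from $lan_net to any -> ($wan1_if)
nat on $wan2_if from $lan_net to any -> ($wan2_if)

# --- Filtering ----------------------------------------------------
# Policy routing: force the device's Internet-bound traffic out WAN2
# so that it actually reaches the interface where binat applies.
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) \
    inet from $host to ! $lan_net keep state

# Everyone else follows the routing table (default route, WAN1).
pass in on $lan_if inet from $lan_net to any keep state

# Without the route-to rule above, traffic from $host follows the
# default route out wan1_if. The binat rule never matches there, and
# the packet leaves with the WAN1 interface address instead of $pub_ip.
```

In the pfSense GUI the equivalent of the `route-to` rule is a LAN firewall rule for the device with the WAN2 gateway selected, which is the "policy routing firewall rules" the Multi-WAN documentation sentence quoted above refers to.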
