Correction #12400

closed

NAT 1:1 documentation - multi-wan information

Added by Ricardo Mendes about 3 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: NAT
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:

Description

Dear pfSense team,

I would like to submit a suggestion to the NAT 1:1 page. This suggestion comes from an issue I faced when configuring multi-wan nat 1:1 where the outgoing traffic had to go through the interface and external IP assigned on the interface.

On the first paragraph of the NAT 1:1 page it says:
"All traffic originating from that private IPv4 address going to the Internet will be mapped by 1:1 NAT to the public IPv4 address defined in the entry, overriding the Outbound NAT configuration."

Seems pretty simple and straightforward. When I configure the NAT 1:1 I even select an interface where the given subnet is, and that should be used. "all traffic going to the internet" hence outgoing traffic "will be mapped by 1:1 NAT to the public IPv4 address". Perfect. I even selected the interface where the public IP is. Seems like a no brainer.

Actually, it isn't. After much reading, I found a remark which is literally the last sentence on the multi-wan nat page:
"If a local device must always use a 1:1 NAT entry on a specific WAN, then traffic from that device must be forced to use that specific WAN gateway with policy routing firewall rules."

This goes (imho) against the previous statement. It has to be forced, and isn't all traffic, as previously stated.

Anyway, to brief things up, I suggest adding this information at the end of the 1:1 NAT article, something with a title like "Multi-WAN NAT 1:1" - "If a local device must always use a 1:1 NAT entry on a specific WAN, then traffic from that device must be forced to use that specific WAN gateway with policy routing firewall rules."
Considering so many articles on the forums about this subject, I believe it would be nice to have that information there.

Thank you, and a great time ahead!
Ricardo Mendes

Actions #1

Updated by Jim Pingle about 3 years ago

NAT never controls where traffic exits the firewall in any context (1:1, outbound, port forwards). NAT only manipulates addresses on traffic as it flows. Directing traffic is all up to routes and policy routing.

That concept is mentioned several times in the docs but could maybe be strengthened on that page.
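
The point made in comment #1, as a simplified model added here (not pfSense code and not part of the original thread): routing picks the egress interface first, and a 1:1 entry only rewrites the source when the packet leaves through the entry's own interface. Interface names, addresses, the class and function names, and the fallback to the interface address for outbound NAT are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample setup (assumption): two WANs using documentation address ranges.
WAN_ADDR = {"WAN1": "198.51.100.2", "WAN2": "203.0.113.2"}
DEFAULT_WAN = "WAN1"  # interface of the default gateway

@dataclass(frozen=True)
class OneToOne:
    interface: str   # interface the 1:1 entry is defined on
    internal: str    # private address
    external: str    # public address

@dataclass(frozen=True)
class PolicyRoute:
    source: str      # source network matched by the firewall rule
    gateway_if: str  # WAN whose gateway the rule forces

def egress_interface(src, policy_routes):
    """Routing step: first matching policy rule wins, else the default gateway."""
    for rule in policy_routes:
        if ip_address(src) in ip_network(rule.source):
            return rule.gateway_if
    return DEFAULT_WAN

def translate(src, egress_if, one_to_one):
    """NAT step: only rewrites the source; a 1:1 entry applies only on its own interface."""
    for entry in one_to_one:
        if entry.interface == egress_if and entry.internal == src:
            return entry.external
    return WAN_ADDR[egress_if]  # assumed fallback: outbound NAT to the interface address

def send(src, one_to_one, policy_routes=()):
    """Return (egress interface, translated source) for a packet from src."""
    egress_if = egress_interface(src, policy_routes)  # NAT has no say in this choice
    return egress_if, translate(src, egress_if, one_to_one)

ENTRIES = [OneToOne("WAN2", "192.168.1.10", "203.0.113.10")]
FORCE_WAN2 = [PolicyRoute("192.168.1.10/32", "WAN2")]

if __name__ == "__main__":
    print(send("192.168.1.10", ENTRIES))              # ('WAN1', '198.51.100.2')
    print(send("192.168.1.10", ENTRIES, FORCE_WAN2))  # ('WAN2', '203.0.113.10')
```

Without the policy route, the host with a 1:1 entry on WAN2 still leaves through WAN1 and is seen under WAN1's address, which is the mismatch the ticket describes.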

Actions #2

Updated by Ricardo Mendes about 3 years ago

Dear Jim, thank you for the quick reply.
I do agree on the concept of NAT not controlling outgoing traffic and how the concept is approached in different areas of the documentation. I believe that in this page specifically, especially that first paragraph on the NAT 1:1 suggests it does, so without giving much thought to it one may assume it is indeed a feature of pfSense.
Thank you for your consideration to this suggestion! Best regards, RM

Actions #3

Updated by Marcos M over 2 years ago

May be better to say

All traffic originating from that private IPv4 address leaving the selected interface will be mapped by 1:1 NAT to the public IPv4 address defined in the entry, overriding the Outbound NAT configuration.

Though given that the page allows for both IPv4 and IPv6 configuration, the doc could use further clarification regarding IPv4/6.

Actions #4

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • Assignee set to Jim Pingle
  • % Done changed from 0 to 100

Updated to account for the items above, plus other recent changes to the page, including new screenshots.

https://gitlab.netgate.com/docs/pfSense-docs/-/commit/9fe05a72f9649ae0c2719c84b89b758f801ebb58

https://docs.netgate.com/pfsense/en/latest/nat/1-1.html

Actions #5

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved