Feature #1846: strict nat 1-to-1
Status: Closed
Description
Hello,
Add a check box in NAT One to One that makes it stricter.
Explanation
My system has:
Two WAN interfaces (W1, W2), one public IP for each
Plus some LAN interfaces
I'm NATting the W2 public IP to an internal machine.
That machine replies (or originates) connections on W1.
Not a fault, normal behavior if some load balancing exists.
It is easy (but annoying) to switch to manual outbound to add a rule for that machine saying: use W2 for outbound!
So consider a 'strict nat 1-to-1' option so that automatic outbound mode does it for me.
Thank you.
Updated by Chris Buechler almost 14 years ago
- Status changed from New to Rejected
Rules, including policy routing, and NAT are separate entities that must be configured as you desire.
Updated by Franck Bourdonnec almost 14 years ago
Oh, I see no reason why you call it NAT 1-to-1 when traffic is from the internet toward the NATted machine (B) and routing when it is from the machine to the internet. It is a flow from point A to point B, and sometimes A dislikes seeing B using several public IPs. One to One is first imagined/interpreted in both directions.
Franck
Updated by Chris Buechler almost 14 years ago
It is both directions, where traffic is set to leave the interface where that 1:1 is assigned. Read http://pfsense.org/book for details on how that works and why it works that way. It can't work any other way: NAT doesn't determine where traffic goes, rules do.
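The separation Chris describes (the 1:1 mapping only rewrites addresses on the interface it is bound to, while a policy-routing rule decides which WAN a packet leaves on), written out as a constructed pf ruleset fragment. This is an added example, not text from the ticket or a ruleset pfSense generated; interface names, addresses and the port are assumptions.

```pf
# Constructed pf.conf fragment (old-style syntax as used by pf on FreeBSD/pfSense).
# Assumed interface names and addresses; documentation ranges only.
lan     = "em0"
w1      = "em1"           # WAN holding the default route
w2      = "em2"           # WAN carrying the 1:1 mapping
lan_net = "192.168.1.0/24"
srv     = "192.168.1.10"  # internal machine behind the 1:1 mapping
w2_pub  = "203.0.113.10"  # public IP on W2 mapped 1:1 to srv
w2_gw   = "203.0.113.1"   # upstream gateway of W2

# 1:1 NAT: a bidirectional address rewrite that applies only to packets
# actually traversing $w2. It says nothing about which interface a packet
# leaves on; that is decided by routing (default route -> W1) unless a
# filter rule overrides it.
binat on $w2 from $srv to any -> $w2_pub

# Inbound to the mapped address: after binat the destination is already
# $srv. reply-to keeps the return traffic on W2 instead of letting it
# follow the W1 default route.
pass in on $w2 reply-to ($w2 $w2_gw) proto tcp from any to $srv port 443

# Connections srv originates: without this rule they follow the default
# route out W1 and get W1's outbound NAT, which is what the ticket
# reports. route-to is the policy-routing rule that pins them to W2,
# where binat then translates the source to $w2_pub.
pass in quick on $lan from $srv to ! $lan_net route-to ($w2 $w2_gw)
```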
Updated by Franck Bourdonnec almost 14 years ago
Then we have a problem...!
If I read correctly, NAT 1-to-1 is in both directions when an interface is 'wan'.
You also, in "From zero to hero with pfSense" (BSDCan 2008, May 13, 2008), under "Default Configuration, Outbound":
    NAT to WAN IP (or to any OPT interface that has a gateway set)
    Default outbound NAT config
    Translates outbound traffic to IP of WAN used
The problem IS what you use to determine who is WAN and who is LAN.
Reading the docs, it seems it is the presence of the gateway field in the interface definition.
This is not enough, because with some configurations an interface is assigned a /32 IP and nothing else, and is WAN.
See the request you closed yesterday (#1847) and #972.
So the checkbox is not 'strict one to one' but rather 'This is WAN' in the interface definitions.
Another reason to fix #972, #1847 and #1846 in the same missing-features correction ;-)
Please read the first lines of this English article:
http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet
Franck
Updated by Jim Pingle almost 14 years ago
Having a /32 IP on an interface and a gateway on another subnet is not a valid pfSense configuration, and thus not supported. If/when the other bug is solved, it will be at that point, and this may need to be addressed as well -- at that time. It is not a problem/bug in the current code, it is a feature that does not exist. You might add a footnote about this on the other open ticket.