OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: lnetojose on August 08, 2016, 12:38:10 pm

Title: TCP port redirect (NAT / PAT) on transparent firewall (Bridging) mode
Post by: lnetojose on August 08, 2016, 12:38:10 pm
Hello all,


First i would like to say a big  thank you for  the community for the support and for the great open product that opnsense is making!


here is the my issue:

i have a solution that I'm deploying for a client, they run public IPs on their internal network (they are a school).

since they run public IPs internally they don't use any kind of NAT/PAT on their current network environment.

my solution requires a port redirection from port 80 to 9980 and from port 443 to 9443 (all TCP ports).

this was easily done if they had NAT in place, however, they dont.

So, i would like to use a firewall (OPNSense) in transparent mode (Bridging) and place it inline of the solution i have to deploy.

this is what i had in mind to address the problem:

Topology:

Network ----------- OPNSENSE firewall (bridging mode) ----------- Device

IP Packet:

DST: Device_IP:80 >---->NAT (port redirect) done on OPNSense >----> DST: Device_IP:9980

DST = Destination IP address and TCP ports

I was able to configure the OPNsense firewall to perform bridging, the device can reach the network and vice versa, I was able to accomplish by following  this guide https://docs.opnsense.org/manual/how-tos/transparent_bridge.html


filtering is also working OK, as im able to play with the firewall rules and block or allow traffic.

The issue:


no mater what i do, the firewall (OPNSense) does not perform NAT, i played with all port redirect options and simply the firewall does not change the port on the IP packet that goes towards the DEVICE on the topology above.


is OPNSense capable of performing NAT on layer 2 Bridging mode?
Title: Re: TCP port redirect (NAT / PAT) on transparent firewall (Bridging) mode
Post by: rackg on August 08, 2016, 02:52:18 pm
Hello  lnetojose

Are you sure you have set the NAT options under Firewall: Settings >> Network Address Translation?
You need to ensure that you have  Reflection for port forwards>>>Enable (Pure NAT)  &  Reflection for 1:1   mapping enabled. Let me know if it works