PAT on pfSense firewalls

I have found just about everything there is on doing port forwarding on the pfSense, but I have not found anything on Port Address Translation on pfSense.

Is PAT possible on pfSense?

I know with Cisco firewalls, I have the option of doing NAT or PAT. Sometimes PAT is a must!

I have really liked pfSense for the majority of my deployments, but if it can’t do PAT, I may have found a limitation that is difficult to overcome in some deployment environments.

What is the use case that you can’t achieve just using outbound NAT? https://docs.netgate.com/pfsense/en/latest/nat/static-port.html

The article you linked references outbound and I am looking to use PAT for inbound purposes. For instance, I have a customer with access to only two external IP addresses, but we need to have services open to several devices on the inside of the network for remote users. With the current PIX firewall and using inbound PAT, I am able to have ports redirected to those devices on the inside of the network using a single outside IP address.

Since this firewall is a PIX, I would like to upgrade it and do not want to have to go with another expensive Cisco device.

You can map ports from the external IP (WAN) to different ports on an internal IP (LAN).
For example:
WAN:80 -> LAN:8080
WAN:443 -> LAN:80443
You can also map outbound ports the same way:
LAN:80 -> WAN:80
LAN:443 -> WAN:443

Close but not exactly what I need.

This is actually what I am trying to do. I would share from the config file of the client, but I am under an NDA and can’t show any part of the config.

What I am needing is towards the bottom part of the page where it says:

Step 1 Configure PAT for the inside network by entering the following commands:

hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

hostname(config)# global (outside) 1 209.165.201.15

Step 2 Redirect Telnet requests for 209.165.201.5 to 10.1.1.6 by entering the following command:

hostname(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255

Step 3 Redirect FTP requests for IP address 209.165.201.5 to 10.1.1.3 by entering the following command:

hostname(config)# static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255

Step 4 Redirect HTTP requests for the ASA outside interface address to 10.1.1.5 by entering the following command:

hostname(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255

Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command:

hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255

If you will notice the external IP is the same for each, but the port and IP for the inside devices are all different. From what I have been able to determine, pfSense only supports 1:1 NAT. I am hoping I have missed something and that pfSense will allow for a single external IP to map to multiple internal IPs on different ports.

I still don’t see the difference between doing this and what you are asking. You choose the external port & “Destination Address” then the redirected target port / IP address. They don’t have to be the same port internal and external. 8080 coming in and directed to 80 internally.

What Tom is trying to tell you is that under the Firewall drop-down, when you select NAT, it is Port Forward. That is the same thing as PAT on a Cisco device. pfSense does PAT by default. If you don’t want to do PAT but just NAT, that is the 1:1 option on pfSense. Hopefully this helps.
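
The Cisco static PAT commands quoted earlier in the thread, translated into the port forward fields discussed above. This is an added example, not part of any post and not Cisco or pfSense code; treating the PIX "outside" interface as pfSense WAN, and the "Interface" and "Protocol" labels, are assumptions.

```python
import re

# Cisco port keywords used in the quoted commands (well-known TCP ports).
NAMED_PORTS = {"telnet": 23, "ftp": 21, "www": 80}
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<ext_ip>\S+)\s+(?P<ext_port>\S+)\s+(?P<int_ip>\S+)\s+(?P<int_port>\S+)"
)
# The commands quoted in the thread, embedded so the example runs offline.
SAMPLE_CONFIG = """\
hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
hostname(config)# global (outside) 1 209.165.201.15
hostname(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
"""

def port_number(token):
    """Resolve a Cisco port keyword or numeric string to a valid port number."""
    port = NAMED_PORTS.get(token) or int(token)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {token}")
    return port

def pix_static_to_port_forwards(config_text):
    """Turn each static PAT line into the fields of one pfSense port forward."""
    rules, seen = [], set()
    for line in config_text.splitlines():
        m = STATIC_RE.search(line)
        if not m:
            continue  # nat/global lines describe outbound PAT, not a forward
        rule = {
            "Interface": "WAN",  # assumption: PIX "outside" is the pfSense WAN
            "Protocol": m["proto"].upper(),
            # Public IPs other than the WAN address must exist as Virtual IPs.
            "Destination Address": "WAN address" if m["ext_ip"] == "interface" else m["ext_ip"],
            "Destination port range": port_number(m["ext_port"]),
            "Redirect target IP": m["int_ip"],
            "Redirect target port": port_number(m["int_port"]),
        }
        # One external protocol/address/port can be forwarded to one host only.
        key = (rule["Protocol"], rule["Destination Address"], rule["Destination port range"])
        if key in seen:
            raise ValueError(f"external address/port forwarded twice: {key}")
        seen.add(key)
        rules.append(rule)
    return rules
```

Each returned rule corresponds to one entry under Firewall > NAT > Port Forward; the duplicate check catches two forwards competing for the same external address and port before they are entered.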

Hi there.

I am attempting the same thing.
The configuration is as follows.

Destination port range
Other From port 32410
Other To port 32410

Redirect target IP
102.18.1.22
Redirect target port
Other Port 10389

NAT reflection
(have tried it with)
Use system default
Disabled
Pure NAT

I have ensured that the internal port is set but I cannot access the resource from external networks.

Error: I could not see your service on 41.000.000.002 on port ( 32410 )
Reason: Connection timed out

Make sure 102.18.1.22 has the pfSense as a gateway. If it does not, it cannot accept ports mapped to it.

Hi Tom,

Indeed, the gateway is mapped correctly.
Connection-specific DNS Suffix . : pfs.mylocal
IPv4 Address. . . . . . . . . . . : 102.18.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 102.18.1.254 (this is my pfSense gateway)

With no luck.
Maybe I need to reconfigure the whole 102.18.1.22 system. Might be something that I did wrong in the configuration. I really don’t know.