Network Address Translation

Network Address Translation (abbreviated to NAT) is a way to separate external and internal networks (WANs and LANs), and to share an external IP between clients on the interal network. NAT can be used on IPv4 and IPv6. For IPv6, Network Prefix Translation is also available.

Most of the options below use three different addresses: the source, destination and redirect address. These addresses are used for the following:

Source Where the traffic comes from. This can often be left on “any”.
Destination Where the traffic is headed. For incoming traffic from outside, this is usually your external IP address.
Redirect Where the traffic should be redirected.

Warning

  • Network Address Translation should not be relied upon as a security measure.
  • Disabling pf will also disable NAT.

Some terms explained

BINAT: NAT generally works in one direction. However, if you have networks of equal size, you can also use BINAT, which is bidirectional. This can simplify your set-up. If you don’t have networks of equal size, you can only use regular NAT.

NAT reflection: When a client on the internal network tries to access another client, but using the external IP instead of the internal one (which would the most logical), NAT reflection can rewrite this request so that it uses the internal IP, in order to avoid taking a detour and applying rules meant for actual outside traffic.

Pool options: When there are multiple IPs to choose from, this option will allow regulating which IP gets used. The default, Round Robin, will simply distribute packets to one server after the other. If you only have one external IP, this option has no effect.

Port forwarding

When multiple clients share an external IP address, any connection not initiated by one of the clients will not succeed since the firewall will not know where to send the traffic. This can be addressed by creating port forwarding rules. For example, for a web server behind the firewall to be accessible, ports 80 and 443 need to be redirected to it.

Port forwarding is also referred to as “Destination NAT” or “DNAT”.

In OPNsense, port forwarding can be set up by navigating to Firewall ‣ NAT ‣ Port Forward. Here, you will see an overview of port forwarding rules. New rules can be added by clicking Add in the upper right corner.

When adding a rule, the following fields are available:

Disabled Disable this rule without removing it.
No RDR (NOT) Do not create a redirect rule. Leave this disabled unless you know what you are doing.
Interface Which interface this rule should apply to. Most of the time, this will be WAN.
TCP/IP version IPv4, IPv6 or both.
Protocol In typical scenarios, this will be TCP.
Source Where the traffic comes from. Click “Advanced” to see the other source settings.
Source / Invert Invert match in “Source” field.
Source port range When applicable, the source port we should match on. This is usually random and almost never equal to the destination port range (and should usually be ‘any’).
Destination / Invert Invert match in “Destination” field.
Destination Where the traffic is headed.
Destination port range Service port(s) the traffic is using
Redirect target IP Where to redirect the traffic to.
Redirect target port Which port to use (when using tcp and/or udp)
Pool Options See “Some terms explained”. The default is to use Round robin.
Description A description to easily find the rule in the overview.
Set local tag Set a tag that other NAT rules and filters can check for.
Match local tag Check for a tag set by another rule.
No XMLRPC sync Prevent this rule from being synced to a backup host. (Checking this on the backup host has no effect.)
NAT reflection See “Some terms explained”. Leave this on the default unless you have a good reason not to.
Filter rule association Associate this with a regular firewall rule.

One-to-one

One-to-one NAT will, as the name implies, translate two IPs one-to-one, rather than one-to-many as is most common. In this respect, it is similar to what NPT does for IPv6.

In OPNsense, one-to-one NAT can be set up by navigating to Firewall ‣ NAT ‣ One-to-one. Here, you will see an overview of one-to-one rules. New rules can be added by clicking Add in the upper right corner.

When adding a rule, the following fields are available:

Disabled Disable this rule without removing it.
Interface Which interface this rule should apply to. Most of the time, this will be WAN.
Type BINAT (default) or NAT. See “Some terms explained”.
External network Starting address of external network, which should be used to translate addresses to/from.
Source / invert Invert match in “Source” field.
Source The internal network for this mapping, usually some RFC 1918 range
Destination / invert Invert match in “Destination” field.
Destination The destination network packages should match, when used to map external networks, this is usually any
Description A description to easily find the rule in the overview.
NAT reflection See “Some terms explained”. Leave this on the default unless you have a good reason not to.

Outbound

When a client on an internal network makes an outbound request, the gateway will have to change the source IP to the external IP of the gateway, since the outside server will not be able to send an answer back otherwise.

Outbound NAT is also referred to as “Source NAT” or “SNAT”.

If you only have one external IP, then you leave the Outbound NAT options on automatic. However, if you have multiple IP addresses, you might want to change the settings and add some custom rules.

The main settings for outbound are as follows:

Automatic outbound NAT rule generation The default. Follows the behaviour described above, and is good for most scenarios.
Manual outbound NAT rule generation No automatic rules are generated. They can be added manually.
Hybrid outbound NAT rule generation Automatic rules are added, but additional manual rules can be added as well.
Disable outbound NAT rule generation Disables outbound NAT. This is used for transparent bridges, for example.

New rules can be added by clicking Add in the upper right corner.

When adding a rule, the following fields are available:

Disabled Disable this rule without removing it.
Do not NAT Disable NAT for all traffic matching this rule. Leave this disabled unless you know what you are doing.
Interface Which interface this rule should apply to. Most of the time, this will be WAN.
TCP/IP version IPv4 or IPv6
Protocol In typical scenarios, this will be TCP.
Source invert Invert match in “Source” field.
Source The source network to match
Source port When applicable, the source port we should match on. This is usually random and almost never equal to the destination port range (and should usually be ‘any’).
Destination invert Invert match in “Destination” field.
Destination Destination network to match
Destination port Service port the traffic is using
Translation / target What to translate matching packets to.
Log Put packets matching this rule in the logs. Use this sparingly to avoid overflowing the logs.
Translation / port Which port to use on the target
Static-port Prevents pf(4) from modifying the source port on TCP and UDP packets.
Pool options See “Some terms explained”. The default is to use Round robin.
Set local tag Set a tag that other NAT rules and filters can check for.
Match local tag Check for a tag set by another rule.
No XMLRPC sync Prevent this rule from being synced to a backup host. (Checking this on the backup host has no effect.)
Description A description to easily find the rule in the overview.