Network Address Translation

Network Address Translation (abbreviated to NAT) is a way to separate external and internal networks (WANs and LANs), and to share an external IP between clients on the interal network. NAT can be used on IPv4 and IPv6. For IPv6, Network Prefix Translation is also available.

Most of the options below use three different addresses: the source, destination and redirect address. These addresses are used for the following:

Source

Where the traffic comes from. This can often be left on “any”.

Destination

Where the traffic is headed. For incoming traffic from outside, this is usually your external IP address.

Redirect

Where the traffic should be redirected.

Warning

  • Network Address Translation should not be relied upon as a security measure.

  • Disabling pf will also disable NAT.

Some terms explained

BINAT: NAT generally works in one direction. However, if you have networks of equal size, you can also use BINAT, which is bidirectional. This can simplify your set-up. If you don’t have networks of equal size, you can only use regular NAT.

NAT reflection: When a client on the internal network tries to access another client, but using the external IP instead of the internal one (which would the most logical), NAT reflection can rewrite this request so that it uses the internal IP, in order to avoid taking a detour and applying rules meant for actual outside traffic.

Note

The NAT rules generated with enabling NAT reflection only include networks directly connected to your Firewall. This means if you have a private network separated from your LAN you need to add this with a manual outbound NAT rule.

Pool options: When there are multiple IPs to choose from, this option will allow regulating which IP gets used. The default, Round Robin, will simply distribute packets to one server after the other. If you only have one external IP, this option has no effect.

Port forwarding

When multiple clients share an external IP address, any connection not initiated by one of the clients will not succeed since the firewall will not know where to send the traffic. This can be addressed by creating port forwarding rules. For example, for a web server behind the firewall to be accessible, ports 80 and 443 need to be redirected to it.

Port forwarding is also referred to as “Destination NAT” or “DNAT”.

In OPNsense, port forwarding can be set up by navigating to Firewall ‣ NAT ‣ Port Forward. Here, you will see an overview of port forwarding rules. New rules can be added by clicking Add in the upper right corner.

When adding a rule, the following fields are available:

Disabled

Disable this rule without removing it.

No RDR (NOT)

Do not create a redirect rule. Leave this disabled unless you know what you are doing.

Interface

Which interface this rule should apply to. Most of the time, this will be WAN.

TCP/IP version

IPv4, IPv6 or both.

Protocol

In typical scenarios, this will be TCP.

Source

Where the traffic comes from. Click “Advanced” to see the other source settings.

Source / Invert

Invert match in “Source” field.

Source port range

When applicable, the source port we should match on. This is usually random and almost never equal to the destination port range (and should usually be ‘any’).

Destination / Invert

Invert match in “Destination” field.

Destination

Where the traffic is headed.

Destination port range

Service port(s) the traffic is using

Redirect target IP

Where to redirect the traffic to.

Redirect target port

Which port to use (when using tcp and/or udp)

Pool Options

See “Some terms explained”. The default is to use Round robin.

Description

A description to easily find the rule in the overview.

Set local tag

Set a tag that other NAT rules and filters can check for.

Match local tag

Check for a tag set by another rule.

No XMLRPC sync

Prevent this rule from being synced to a backup host. (Checking this on the backup host has no effect.)

NAT reflection

See “Some terms explained”. Leave this on the default unless you have a good reason not to.

Filter rule association

Associate this with a regular firewall rule.

One-to-one

One-to-one NAT will, as the name implies, translate two IPs one-to-one, rather than one-to-many as is most common. In this respect, it is similar to what NPT does for IPv6.

In OPNsense, one-to-one NAT can be set up by navigating to Firewall ‣ NAT ‣ One-to-one. Here, you will see an overview of one-to-one rules. New rules can be added by clicking Add in the upper right corner.

When adding a rule, the following fields are available:

Disabled

Disable this rule without removing it.

Interface

Which interface this rule should apply to. Most of the time, this will be WAN.

Type

BINAT (default) or NAT. See “Some terms explained”.

External network

Starting address of external network, which should be used to translate addresses to/from.

Source / invert

Invert match in “Source” field.

Source

The internal network for this mapping, usually some RFC 1918 range

Destination / invert

Invert match in “Destination” field.

Destination

The destination network packages should match, when used to map external networks, this is usually any

Description

A description to easily find the rule in the overview.

NAT reflection

See “Some terms explained”. Leave this on the default unless you have a good reason not to.

Outbound

When a client on an internal network makes an outbound request, the gateway will have to change the source IP to the external IP of the gateway, since the outside server will not be able to send an answer back otherwise.

Outbound NAT is also referred to as “Source NAT” or “SNAT”.

If you only have one external IP, then you leave the Outbound NAT options on automatic. However, if you have multiple IP addresses, you might want to change the settings and add some custom rules.

The main settings for outbound are as follows:

Automatic outbound NAT rule generation

The default. Follows the behaviour described above, and is good for most scenarios.

Manual outbound NAT rule generation

No automatic rules are generated. They can be added manually.

Hybrid outbound NAT rule generation

Automatic rules are added, but additional manual rules can be added as well.

Disable outbound NAT rule generation

Disables outbound NAT. This is used for transparent bridges, for example.

New rules can be added by clicking Add in the upper right corner.

When adding a rule, the following fields are available:

Disabled

Disable this rule without removing it.

Do not NAT

Disable NAT for all traffic matching this rule. Leave this disabled unless you know what you are doing.

Interface

Which interface this rule should apply to. Most of the time, this will be WAN.

TCP/IP version

IPv4 or IPv6

Protocol

In typical scenarios, this will be TCP.

Source invert

Invert match in “Source” field.

Source

The source network to match

Source port

When applicable, the source port we should match on. This is usually random and almost never equal to the destination port range (and should usually be ‘any’).

Destination invert

Invert match in “Destination” field.

Destination

Destination network to match

Destination port

Service port the traffic is using

Translation / target

What to translate matching packets to.

Log

Put packets matching this rule in the logs. Use this sparingly to avoid overflowing the logs.

Translation / port

Which port to use on the target

Static-port

Prevents pf(4) from modifying the source port on TCP and UDP packets.

Pool options

See “Some terms explained”. The default is to use Round robin.

Set local tag

Set a tag that other NAT rules and filters can check for.

Match local tag

Check for a tag set by another rule.

No XMLRPC sync

Prevent this rule from being synced to a backup host. (Checking this on the backup host has no effect.)

Description

A description to easily find the rule in the overview.

API access

Partial API access, for outbound NAT, is provided with the os-firewall plugin, which is described in more detail in the firewall api reference manual.