#readwise

# Ordering of NAT and Firewall Processing

## Metadata
- Author: [[netgate.com]]
- Full Title: Ordering of NAT and Firewall Processing
- URL: https://docs.netgate.com/pfsense/en/latest/nat/process-order.html

## Summary
Knowing the order in which pfSense evaluates NAT and firewall rules is key to writing rules that actually match. The ruleset is processed in a fixed sequence: Ethernet rules, then outbound NAT, then inbound NAT (port forwards), then automatic and user-defined firewall rules. Because translation runs before filtering in both directions, a rule on an interface's inbound side must match the destination after a port forward or 1:1 NAT has rewritten it, and a floating rule matching outbound traffic must match the source after outbound NAT has rewritten it. tcpdump captures traffic as it arrives on an interface (before NAT and filtering) and as it leaves one (after them), which makes it the tool for checking what the rules will actually see.

## Highlights
Understanding the order in which firewalling and NAT occurs is important when configuring NAT and firewall rules. The basic logical order is illustrated by Figure Ordering of NAT and Firewall Processing. The figure also depicts where tcpdump ties in, since its use as a troubleshooting tool is described later in this documentation in [Packet Capturing](https://docs.netgate.com/pfsense/en/latest/diagnostics/packetcapture/index.html).

![[diagrams-stack-processing-order.png]]

---

In terms of how the ruleset is processed, the order is:

- Ethernet rules
- Outbound NAT rules
- Inbound NAT rules such as Port Forwards (including `rdr pass` and UPnP)
- Rules dynamically received from RADIUS for IPsec and OpenVPN clients
- Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
- User-defined rules:
  - Rules defined on the [floating tab](https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html)
  - Rules defined on interface group tabs (including IPsec and OpenVPN)
  - Rules defined on interface tabs (WAN, LAN, OPTx, etc.)
- Automatic VPN rules

---

On the way into an interface, NAT applies before firewall rules, so if the destination is translated on the way in (e.g. port forwards or 1:1 NAT on WAN), the firewall rules must match the translated destination. In the typical case of a port forward on WAN, this means the rule must match a destination of the target private IP address on LAN, not the public WAN address the client connected to.

---

On the way out of an interface, outbound NAT applies before firewall rules, so any floating rules matching outbound on an interface must match the source after it has been translated by outbound NAT or 1:1 NAT.

---
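The following pf ruleset fragment is added here as a worked example of both points; it is not text or configuration from the Netgate page. It is written in the FreeBSD pf syntax that pfSense generates into `/tmp/rules.debug`, and the interface names (`em0` as WAN, `em1` as LAN), the addresses (`203.0.113.10`, `192.168.1.0/24`, `192.168.1.50`) and the policy it enforces are assumptions chosen for illustration.

```conf
# Added example ruleset (not from the Netgate page). Interface names,
# addresses and policy are assumed for illustration only.
wan_if  = "em0"
lan_if  = "em1"
wan_ip  = "203.0.113.10"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.50"

# --- Translation rules ---
# FreeBSD pf requires these to precede the filter rules in the file,
# which also mirrors the evaluation order: translate first, then filter.

# Outbound NAT: LAN traffic leaving WAN gets its source rewritten to wan_ip.
nat on $wan_if inet from $lan_net to any -> $wan_ip

# Inbound NAT (port forward): connections to wan_ip:80 arriving on WAN have
# their destination rewritten to web_srv:80 before any filter rule runs.
rdr on $wan_if inet proto tcp from any to $wan_ip port 80 -> $web_srv port 80

# --- Filter rules ---
block all                                           # default deny
pass in quick on $lan_if inet from $lan_net to any  # LAN "allow all"

# WRONG: by the time filtering happens the destination is already web_srv,
# so a rule written against the public address never matches.
# pass in quick on $wan_if inet proto tcp from any to $wan_ip port 80

# RIGHT: match the translated (private) destination.
pass in quick on $wan_if inet proto tcp from any to $web_srv port 80

# Floating-style "out" rule on WAN to stop direct SMTP from the LAN.
# WRONG: the source has already been rewritten by the nat rule above,
# so a rule matching lan_net never sees these packets.
# block out quick on $wan_if inet proto tcp from $lan_net to any port 25

# RIGHT: match the translated source.
block out quick on $wan_if inet proto tcp from $wan_ip to any port 25
```

The `rdr pass` form the page mentions (what the pfSense port-forward GUI calls a "Pass" filter rule association) folds the pass into the `rdr` rule itself, so no separate `pass in` rule is needed; it still admits traffic only to the translated destination. Two checks are worth doing on a live box. First, capture the same test connection on both sides: `tcpdump -ni em0 tcp port 80` on WAN shows the destination as `203.0.113.10`, because capture on the ingress interface happens before `rdr`, while `tcpdump -ni em1 tcp port 80` on LAN shows `192.168.1.50`, after translation; for the outbound case the picture flips, with the LAN capture showing the private source and the WAN capture showing `203.0.113.10`. Second, whether an `out` rule on WAN is consulted at all for a connection that was already passed in on LAN depends on pf's state policy: with floating states the existing state matches first and the `out` rule is never evaluated, whereas with interface-bound states the packet is evaluated against the WAN rules as shown above.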