Solved - Why can i access internet from a subnet not defined in outbound NAT ?
-
pfSense 2.5.2
Solved ... See Dooh section below ...
And Johnpoz posts.
I have a "Mockup/Test" setup, where I have a remote "Lan" 10.138.129.x/24 coming in to my pfSense via a "Connect interface" 10.138.95.1/24
I'm using a Cisco 1841 as the "Remote lan" simulator.
And have just assigned:
fa0/1 - 10.138.95.2/24
fa0/0 - 10.138.129.1/24
pfSense routes 10.138.129.0/24 to 10.138.95.2 (Cisco if)
And Cisco has def-gw on pfSense if - 10.138.95.1
Why can I access internet from a "Remote lan" device, without having to add the 10.138.129.0/24 net to Outbound NAT ???
Edit: I'm not doing any NAT/PAT on the Cisco, and wireshark shows it's the 10.138.129.x ip's that hit the pfSense.
Dooh ... "Polishing my glasses" I see that 10.138.129.0 is defined in outbound NAT via Automatic.
Where did that come from ???
I'm 80% sure I did not do that, would not even know how to do it under automatic ....
/Bingo
-
@bingo600 said in Why can i access internet from a subnet not defined in outbound NAT ?:
without having to add the 10.138.129.0/24 net
It is there
When you create a route to some downstream network, and your outbound NAT is auto, then this network gets auto added.
Example: If I add a route to some downstream network, it is auto added to outbound nat.
You would still need to make sure that interface that this network comes in on (your transit interface) firewall rules allow it.
edit: Hybrid is still auto, with the ability to add manual outbound nats.
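To make the two conditions in this reply concrete (the route destination being picked up by automatic outbound NAT, and the transit interface rules still having to allow the traffic), here is a small added model written for this thread; it is not pfSense code and does not reproduce its rule engine. It uses the addresses from the lab above; the WAN and LAN subnets are assumed placeholders, and the rule evaluation is reduced to a single source match.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's lab: a transit ("Connect") interface on
# pfSense and a static route to the remote LAN behind the Cisco 1841.
# The WAN and LAN subnets are assumed placeholders, not values from the thread.
INTERFACE_NETWORKS = {
    "wan": "198.51.100.0/24",     # assumed placeholder WAN subnet (RFC 5737)
    "lan": "192.168.1.0/24",      # assumed LAN subnet
    "connect": "10.138.95.0/24",  # transit interface from the thread
}
STATIC_ROUTES = [
    # (destination, gateway): remote LAN on Cisco fa0/0 via its fa0/1 address
    ("10.138.129.0/24", "10.138.95.2"),
]

def auto_outbound_nat_sources(interface_networks, static_routes, wan_names=("wan",)):
    """Source networks that automatic outbound NAT translates, as described in the
    reply above: every non-WAN interface network plus every static route destination."""
    sources = [net for name, net in interface_networks.items() if name not in wan_names]
    sources += [dest for dest, _gw in static_routes]
    # de-duplicate while keeping order
    seen, out = set(), []
    for n in sources:
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out

def nat_source_for(src_ip, nat_sources):
    """Return the NAT source network (CIDR string) matching src_ip, or None."""
    ip = ip_address(src_ip)
    for cidr in nat_sources:
        if ip in ip_network(cidr):
            return cidr
    return None

def rule_allows(src_ip, rule_source):
    """Transit interface pass rule: rule_source is 'any' or a CIDR string
    (a default 'LAN net' style rule only matches the interface's own subnet)."""
    return rule_source == "any" or ip_address(src_ip) in ip_network(rule_source)

def remote_host_reaches_internet(src_ip, mode="automatic", manual_sources=(),
                                 transit_rule_source="any"):
    """Combine both checks; returns (reachable, reason)."""
    if not rule_allows(src_ip, transit_rule_source):
        return False, "blocked by transit interface rule"
    auto = auto_outbound_nat_sources(INTERFACE_NETWORKS, STATIC_ROUTES)
    if mode == "automatic":
        sources = auto
    elif mode == "hybrid":          # auto rules plus whatever was added by hand
        sources = auto + list(manual_sources)
    else:                           # manual: only what the admin listed
        sources = list(manual_sources)
    net = nat_source_for(src_ip, sources)
    if net is None:
        return False, "no outbound NAT match: packet leaves WAN with a private source"
    return True, f"translated via NAT rule for {net}"

if __name__ == "__main__":
    for args in [{}, {"mode": "manual", "manual_sources": ["10.138.95.0/24"]},
                 {"transit_rule_source": "10.138.95.0/24"}]:
        print(args, remote_host_reaches_internet("10.138.129.50", **args))
```

The three runs at the bottom show the cases in the thread: automatic mode translates the 10.138.129.x host via the route-derived rule, manual mode with only the transit subnet listed leaks it untranslated, and a transit interface rule that only matches the interface's own subnet blocks it before NAT is even consulted.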
-
Thanx JP
That was new to me, that the "Downstream route" automatically added outbound NAT.
I lost "Two of my 10 remaining hairs" today ...
/Bingo
-
@bingo600 the magic of pfsense ;)
Users quite often run into problems when doing downstream network because they have followed some stupid vpn guide somewhere and changed their outbound to manual ;)
They also normally set up some asymmetrical mess, and using their lan interface as the transit do not alter the lan interface rules from "lan net" etc..
comming in to my pfSense via a "Connect interface" 10.138.95.1/24
I see you did it correctly via a "transit"
-
@johnpoz said in Solved - Why can i access internet from a subnet not defined in outbound NAT ?:
I see you did it correctly via a "transit"
Yepp - I usually have an "Interconnect IF" on my fwalls, all external traffic enters there.
Well, besides WAN and OVPN.
Makes security reviews smooth(er).
/Bingo