Outbound NAT - lose connectivity
-
@michmoor said in Outbound NAT - lose connectivity:
so far what works is using the Interface IP on the firewall
pfSense has to have the address, to receive the reply packets. Just like using NAT on WAN, the Internet replies to the WAN IP and pfSense translates that to the LAN IP.
Did you try adding your custom IP to the interface as a virtual IP?
-
@michmoor said in Outbound NAT - lose connectivity:
The documentation states to use an Alias
As mentioned here three times already, the translation address has to be assigned to the pfSense interface, either it's the primary interface address or a virtual IP.
You can state an alias though, but this condition has to be matched anyway.
Any IP assigned to pfSense interfaces can be selected from the drop-down. That's why I'm wondering why you were stating an alias there.
You can also translate the source to any other address, but doing so, this IP has to be routed to pfSense on the destination device, which might not be the case in your network, I guess.
-
We do this all the time. It works.
You should post a screen shot of your Outbound NAT configuration. And the VIP configuration.
If this is just one address you should try it using the address instead of the Alias to eliminate any potential limitations there. With a VIP defined you should be able to select the VIP there and avoid using the alias entirely.
ETA (jinx)
-
You just need to add the IP as an IPAlias VIP on the DMZ and it will work fine.
As mentioned you can translate outbound to anything you like but without that, in this situation, the replies will fail.
Steve
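What the thread boils down to, expressed as the underlying FreeBSD pf configuration rather than the pfSense GUI (an added illustration, not something posted in this thread; the interface name `vtnet1`, the LAN subnet `10.10.0.0/24`, the DMZ network `192.0.2.0/24` and the translation address `192.0.2.10` are all constructed for the example). The IP Alias VIP is what makes pfSense answer ARP for `192.0.2.10` on the DMZ and therefore receive the reply packets; the NAT rule alone only rewrites the source address on the way out:

```pf
# 1. The translation address must exist on the DMZ interface.
#    This is what an "IP Alias" VIP does under the hood (Firewall > Virtual IPs).
#    Without it, hosts on the DMZ have nobody to send replies for 192.0.2.10 to.
#    (equivalent shell: ifconfig vtnet1 inet 192.0.2.10 netmask 255.255.255.255 alias)

# 2. Outbound NAT rule: translate LAN sources leaving the DMZ interface to the VIP.
#    "static-port" is optional; it keeps the source port unchanged, as pfSense does
#    when the Static Port box is ticked.
dmz_if = "vtnet1"
lan_net = "10.10.0.0/24"
dmz_vip = "192.0.2.10"

nat on $dmz_if inet from $lan_net to any -> $dmz_vip

# 3. Checks on the pfSense shell (constructed examples of what to look for):
#    ifconfig vtnet1        -> must list "inet 192.0.2.10 netmask 0xffffffff"
#    pfctl -sn              -> must show the nat rule above with the VIP as target
#    pfctl -ss | grep 192.0.2.10 -> state entries appear once LAN traffic crosses
```

If you instead translate to an address that is not on any pfSense interface, the same `nat` rule still loads and still rewrites packets, but the DMZ host sends its reply toward that address and only reaches pfSense if it has a route or ARP entry pointing there, which is the failure described earlier in the thread.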
-
I am with viragomann, I still don't get why a VIP should be used if the IP is a private one, just use pfSense's IP address on that interface for NATing.
So probably I missed the use case here.
-
@bob-dig You certainly can do that.
-
Sure you can do that and it will work out of the box. But if you translate to a different IP you can see that on the destination so you could use it to identify traffic, for example.
-
@stephenw10 Creating an IP Alias was the ticket. Thanks everyone.
-
@stephenw10 said in Outbound NAT - lose connectivity:
Sure you can do that and it will work out of the box. But if you translate to a different IP you can see that on the destination so you could use it to identify traffic, for example.
This is pretty much one of two reasons why this was needed here.
-
@derelict Thanks for your help. I was using an Alias but NOT the IP Alias which is what was needed here. Thank you for your help here.