Netgate Discussion Forum

NAT Outbound not working

  • J
    johnpoz LAYER 8 Global Moderator @hsv
    last edited by Jan 5, 2023, 1:05 AM

    @hsv well if wan is your only out interface and it's default, then the hybrid would be used. You sure the vip works, sniff on your wan as traffic leaves from this IP address, you're saying it's not using the vip - or is it using the vip and just cannot get anywhere.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

    • C
      chpalmer
      last edited by Jan 5, 2023, 1:17 AM

      It still goes out over default gateway and not the virtual IP I have selected.

      Firewall / NAT / Outbound / Edit

      Down to "Translation"..

      "Address" choose your virtual address..

      You probably want this too- since it is a mail server..
      Check the box.. "Static Port"

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      • H
        hsv @johnpoz
        last edited by Jan 7, 2023, 12:45 AM

        @johnpoz
        Hi
        No, I have multiple WAN outs, but this is only for the e-mail server.
        But to make the test easier I have changed it to my web server.
        If I set it up with NAT 1:1 it works as it should, but if I split it into forward and NAT outbound it does not work.
        The reason I need to split it up is because my mail setup needs smart hosts on the way out. So the way in is not the way out.
        The configuration is in fact more complicated than that, as I also have WAN loadbalance, but start with this problem.

        When I tested with my web server:
        NAT forward Interface: WAN-01 Port: 443 to 192.168.11.39 port: 443
        Firewall source any to 192.168.11.39 port 443
        NAT Outbound as described
        Firewall source 192.168.11.39 port: any to any port: any (with logging)

        I still can get it to work

        Regards
        Henning

        • J
          johnpoz LAYER 8 Global Moderator @hsv
          last edited by johnpoz Jan 7, 2023, 5:59 AM Jan 7, 2023, 5:58 AM

          @hsv said in NAT Outbound not working:

          No I have multiple WAN outs, but this is only for E-Mail server.

          Well then you need to make sure the email server goes out the wan you want with the IP address on it via policy routing. And the port it's going to could be used in the policy route - i.e. 25, and you want to make sure no existing states exist.

          • H
            hsv @johnpoz
            last edited by Jan 8, 2023, 12:39 AM

            @johnpoz
            I simply cannot get policy routing to work and cannot find an explanation of how to do it when you have multiple public IP numbers on the same interface.

            I cannot see how to define a gateway where my public IP number for the mail server can be set so I can route out over that IP number.

            It works out of the box with NAT 1:1 but when I have to do it where I split it into forward/outbound it does not work.
            It takes default gateway all the time. I have tried to create a WAN loadbalancer where only this VIP with this IP number is selected and choose this group gateway as my gateway and that also does not work.
            I am out of ideas. And cannot find anything in the documentation to help me.

            An example of how to make this policy route and gateway will be appreciated.

            Regards
            Henning

            • J
              johnpoz LAYER 8 Global Moderator @hsv
              last edited by johnpoz Jan 8, 2023, 1:41 AM Jan 8, 2023, 1:40 AM

              @hsv so you only have 1 wan, but you have vips on it? Well then you don't need a policy route, since it can only go out your 1 wan "interface"

              All that is needed for that to work is hybrid outbound nat.. Is this vip you have inside your normal wan IP network?

              So my public IP is a /20 range - I don't have any actual IPs that would work.. But I can for sure just create a vip inside that network (that is not actually mine) for a test.. My public IP on my wan does not end in .254

              So you see here I created a vip inside my public wan /20, ending in .254.. I then created an outbound hybrid nat using that vip address, and if my test box IP that 192.168.2.12 tries to go to 8.8.8.8 on 25 nat it to that vip on the wan. As you can see from packet capture on the wan - it sends the traffic from that vip.. and not the normal wan IP..


              You need to make sure you don't have any states that would match up with what you're doing - if the state already exists, then the state would be used vs your hybrid nat..

              • H
                hsv @johnpoz
                last edited by Jan 8, 2023, 10:44 PM

                @johnpoz
                Thank you.
                With this example it was easy to see what I did wrong.
                It is a bit embarrassing, as I had understood your explanation, but had written the source ip number as 192.168.11.38 and not 39, which is the correct number, in the NAT Outbound rule.
                Sorry.

                Thanks again for your patient help.
                Henning
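
The mistake found above (an outbound NAT rule written for 192.168.11.38 while the server is 192.168.11.39) can be checked offline against the translation rules that `pfctl -sn` prints. This is an added example, not code from the thread or from pfSense: the rule lines are constructed and simplified, `igb0`, 198.51.100.10 (standing in for the WAN address) and 198.51.100.254 (standing in for the VIP) are placeholders, and `parse_rules` / `translation_for` are hypothetical helper names. It assumes the manual rule is listed ahead of the automatic ones, as in hybrid mode.

```python
import ipaddress
import re

# Constructed, simplified `pfctl -sn`-style lines (not captured from a real firewall).
# The first line is the manual rule with the wrong source host (.38 instead of .39).
SAMPLE_RULES = """\
nat on igb0 inet from 192.168.11.38 to any -> 198.51.100.254 static-port
nat on igb0 inet from 192.168.11.0/24 to any port = 500 -> 198.51.100.10 static-port
nat on igb0 inet from 192.168.11.0/24 to any -> 198.51.100.10 port 1024:65535
"""

# Assumed rule shape: "nat on IF inet from SRC to any [port = N] -> ADDR ..."
RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to any"
    r"(?: port = (?P<dport>\d+))? -> (?P<xlat>\S+)"
)

def parse_rules(text):
    """Return rules in listed order; lines outside the simplified shape are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "iface": m["iface"],
                "src": ipaddress.ip_network(m["src"], strict=False),
                "dport": int(m["dport"]) if m["dport"] else None,
                "xlat": m["xlat"],
            })
    return rules

def translation_for(rules, iface, src_ip, dst_port):
    """pf translation rules are first-match: return the first rule that applies."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["iface"] != iface or addr not in rule["src"]:
            continue
        if rule["dport"] is not None and rule["dport"] != dst_port:
            continue
        return rule
    return None

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for host in ("192.168.11.38", "192.168.11.39"):
        hit = translation_for(rules, "igb0", host, 25)
        print(host, "->", hit["xlat"] if hit else "no translation")
```

With the sample rules, 192.168.11.39 falls through to the subnet-wide rule and leaves from the WAN address, which is the symptom described in the thread; correcting the source in the first rule makes it match the VIP.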

                • J
                  johnpoz LAYER 8 Global Moderator @hsv
                  last edited by Jan 8, 2023, 10:57 PM

                  @hsv happy to help and glad you finally got it sorted.

                  • H
                    hsv @johnpoz
                    last edited by Jan 8, 2023, 11:37 PM

                    @johnpoz
                    One question more.
                    If I switch to "Manual Outbound NAT" but regret it at some point, can I switch back to "Hybrid Outbound NAT" and all will be set up automatically, but I have to make my own manual NAT rules again?

                    Regards
                    Henning

                    • R
                      rcoleman-netgate Netgate @hsv
                      last edited by Jan 8, 2023, 11:58 PM

                      @hsv Hybrid allows for the auto-made ones and your manual ones.

                      Ryan
                      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                      Requesting firmware for your Netgate device? https://go.netgate.com
                      Switching: Mikrotik, Netgear, Extreme
                      Wireless: Aruba, Ubiquiti

                      • J
                        johnpoz LAYER 8 Global Moderator @hsv
                        last edited by johnpoz Jan 9, 2023, 1:03 AM Jan 9, 2023, 1:03 AM

                        @hsv said in NAT Outbound not working:

                        If I switch to "Manual Outbound NAT"

                        I never really understand why anyone would do that - but yeah you can always go back to auto or hybrid mode..

                        It would really have to be a specific case to not just use hybrid.. All the BS guides out there about switching to manual nat for vpn services don't make a lot of sense since hybrid works just fine for natting to your vpn interface, etc.
