Automatic outbound NAT showing old subnets and not picking up new ones

ppcs-sysadmin · Nov 1, 2023, 2:27 PM

Is it safe to delete existing outbound nat's created by automatic for subnets that no longer exist but still show up in the list?
Is there an upper limit to the max number or nat's it can create? New subnets are not getting added by default, is there a command tore-run automatic NAT?

johnpoz · Nov 1, 2023, 3:42 PM

@ppcs-sysadmin huh? If I create a new network, auto adds it. But if I delete it, it should be removing it as well

So for example.. What I show before, then created a 192.168.5.0/24 network gave pfsense an IP.. It gets added to the outbound nat. I then delete said interface and its removed from the outbound nat.

login-to-view

Are you saying in auto mode, you have outbound nats listed for networks you have no interface on pfsense set to?

Are these networks via downstream gateway and route?

ppcs-sysadmin · Nov 3, 2023, 5:58 PM

What I am seeing is lots of disabled static routes and while my new subnet is in the auto section, it appears not to work. The only difference is instead of a 192.168.x.x address, it is a 10.118.x.x address if that makes it function differently.

johnpoz · Nov 3, 2023, 6:12 PM

@ppcs-sysadmin said in Automatic outbound NAT showing old subnets and not picking up new ones:

lots of disabled static routes

If its just disabled? Then I would think it could still be listed. But when you remove it then it should go away.. If your no longer using the routes why not just delete them?

Doesn't matter what the network is, could be public IP space even.. With auto it should be added to nat to the wan interface, etc.

ppcs-sysadmin · Nov 3, 2023, 6:25 PM

@johnpoz login-to-view
When in Auto only mode I assume all the grey'ed out lines are disabled. The auto box does show the interface's information but traffic never reaches the WAN

johnpoz · Nov 3, 2023, 8:03 PM

@ppcs-sysadmin that doesn't look like your in auto mode.. You hit save after changing to auto?

When you do like disable outbound nat or something it would throw your auto into mapps and they would be like gray like that

login-to-view

If I then turn auto back on

login-to-view

See how it says automatic rules - you need to make sure you hit save and apply, etc..

You can then delete those old mappings by clicking the trash can icon

login-to-view

ppcs-sysadmin · Nov 4, 2023, 2:19 AM

I deleted the old statics then rebooted the firewall. The auto shows all my subnets going to the WAN but it did not fix the issue.
All 192.168.* subnets nat out to the WAN. My one single 10.* subnet does not.
Still feels this as something to do with using a 10.x.x.x network. I'll try to substitute a 192.168 as a test if I can't find other items to try tonight

johnpoz · Nov 4, 2023, 2:28 AM

@ppcs-sysadmin Do you have some rule that forces 10 out some other gateway? You can use a 10.network dude..

You see your network in the auto nat, then it would be natted - what are the rules you have on this interface you created?

Why do you have what address your going to nat to blocked out.. So your running vips? On your wan? So your saying the traffic is leaving your wan with the source 10.x address? Sniff on your wan - show your state table, etc..

Here - I added a 10.x network..

login-to-view

Working just fine - see my state where it natted my 10.1.2.100 address to my wan IP..

Here is answers coming back

login-to-view

ppcs-sysadmin · Nov 4, 2023, 12:57 PM

Rookie mistake. Testing using a cell phone and missed the DNS issues on the new subnet ;(
Thanks for being so responsive.