Netgate Discussion Forum

    Outbound issue in NAT

    nanda

      Hi

      I have a problem establishing outbound traffic from LANs to the outside network. The network configuration and the problem are described below:

      pfSense firewall has 4x2.5G ports (1 WAN and 3 LAN ports).
      WAN port connected to internet
      CLAN => 10.3.60.0/24 network
      HLAN => 10.3.68.0/24 network (hosting personal server & other services)

      NAT port forward rules
      WAN 443 => HLAN 10.3.68.4:443 (443FWARD)

      NAT outbound rules
      Mode: Automatic outbound automatic rule generation
      Interface: WAN
      Source address: HLAN subnet
      Source port: any
      Destination address and port: any
      NAT address: WAN address

      WAN rules
      Permit any to 10.3.68.4 443 (NAT)
      Permit 10.3.68.4 to any

      HLAN rules
      Permit HLAN subnet to any

      Inbound traffic forwarded to 10.3.68.4, but outbound traffic from 10.3.68.4 is denied. See the below logs.
      [Action] [Interface] [Rule] [Source] [Destination] [Protocol]
      Allowed WAN 443FWARD (1710406287) {public_ip}:30797 10.3.70.3:443 TCP:S
      Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
      Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
      Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
      Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
      Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
      Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA

      Rule id 1000003570 has the following rules.

      block drop in log on ! hn2 inet from 10.3.68.0/24 to any ridentifier 1000003570
      block drop in log inet from 10.3.68.5 to any ridentifier 1000003570

      Is there any mistake in the configuration?
      Why is 100000xxxx triggered?

      Any assistance is highly appreciated.

      viragomann @nanda

        @nanda said in Outbound issue in NAT:

        Inbound traffic forwarded to 10.3.68.4, but outbound traffic from 10.3.68.4 is denied. See the below logs.
        [Action] [Interface] [Rule] [Source] [Destination] [Protocol]
        Allowed WAN 443FWARD (1710406287) {public_ip}:30797 10.3.70.3:443 TCP:S
        Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
        Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
        Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
        Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
        Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA
        Blocked WAN (1000003570) 10.3.68.4:443 {public_ip}:30797 TCP:SA

        The blocked packets are not expected to enter on WAN, since the request packet was sent out on hn2 (HLAN presumably).

        I suspect that there is a misconfiguration in the hypervisor network.

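The diagnosis in the reply above can be checked mechanically: a packet whose source address belongs to an internal subnet, but which enters the firewall on an interface other than the one that subnet is homed on, is exactly what pfSense's per-interface antispoof rule (`block ... on ! hn2 inet from 10.3.68.0/24`) logs. The script below is an added illustration, not code from either poster or from Netgate. It parses log lines in the same column layout as the thread's firewall log (a constructed sample, with the public IP replaced by a documentation address), flags blocked entries that entered on the wrong interface, and pairs each one with the allowed port-forward entry it answers (same 4-tuple, reversed). The subnet-to-interface map and the extra HLAN line are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of the firewall log shown in the thread.
# 203.0.113.10 stands in for the poster's {public_ip}; the last line is an
# assumed, ordinary outbound connection from HLAN for contrast.
SAMPLE_LOG = """\
Allowed WAN 443FWARD (1710406287) 203.0.113.10:30797 10.3.68.4:443 TCP:S
Blocked WAN (1000003570) 10.3.68.4:443 203.0.113.10:30797 TCP:SA
Blocked WAN (1000003570) 10.3.68.4:443 203.0.113.10:30797 TCP:SA
Allowed HLAN (1000000103) 10.3.68.9:51020 198.51.100.7:443 TCP:S
"""

# Assumed: which interface each internal subnet is homed on (hn2 = HLAN per the thread).
SUBNET_HOME = {
    ipaddress.ip_network("10.3.60.0/24"): "CLAN",
    ipaddress.ip_network("10.3.68.0/24"): "HLAN",
}

# [Action] [Interface] [Rule, optional] (rule id) src:port dst:port PROTO:FLAGS
LINE_RE = re.compile(
    r"^(?P<action>Allowed|Blocked)\s+(?P<iface>\S+)\s+(?:(?P<rule>\S+)\s+)?"
    r"\((?P<rid>\d+)\)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+):(?P<flags>\w+)$"
)


@dataclass(frozen=True)
class Entry:
    action: str
    iface: str
    rule: str
    rid: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str


def parse_log(text):
    """Parse log lines into Entry objects; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append(Entry(d["action"], d["iface"], d["rule"] or "", d["rid"],
                             d["src"], int(d["sport"]), d["dst"], int(d["dport"]),
                             d["proto"], d["flags"]))
    return entries


def home_iface(addr):
    """Interface an internal address should arrive on, or None if it is not internal."""
    ip = ipaddress.ip_address(addr)
    for net, iface in SUBNET_HOME.items():
        if ip in net:
            return iface
    return None


def antispoof_hits(entries):
    """Blocked packets with an internal source that entered on a foreign interface.

    Returns (entry, expected_iface) pairs. This is the pattern the per-interface
    antispoof block logs; the NAT/outbound rules never get a chance to apply.
    """
    hits = []
    for e in entries:
        if e.action != "Blocked":
            continue
        home = home_iface(e.src)
        if home is not None and home != e.iface:
            hits.append((e, home))
    return hits


def misrouted_replies(entries):
    """Pair each antispoof hit with the allowed forward it answers (reversed 4-tuple).

    Returns (blocked_entry, allowed_entry) pairs. A match means the server's
    reply to an inbound port forward is reaching the firewall on WAN instead of
    the LAN-side interface, which points at the path between the server and
    the firewall (e.g. hypervisor virtual switch wiring), not at the NAT rules.
    """
    allowed = {(e.src, e.sport, e.dst, e.dport): e
               for e in entries if e.action == "Allowed"}
    pairs = []
    for blocked, _home in antispoof_hits(entries):
        key = (blocked.dst, blocked.dport, blocked.src, blocked.sport)
        if key in allowed:
            pairs.append((blocked, allowed[key]))
    return pairs


def diagnose(text):
    """Human-readable findings for a log excerpt."""
    entries = parse_log(text)
    lines = []
    for blocked, allowed in misrouted_replies(entries):
        lines.append(f"reply {blocked.src}:{blocked.sport} -> {blocked.dst}:{blocked.dport} "
                     f"({blocked.proto}:{blocked.flags}) entered on {blocked.iface}, "
                     f"expected {home_iface(blocked.src)}; answers forward "
                     f"'{allowed.rule}' rule id {allowed.rid}")
    return lines


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Run against a real export, the interesting rows are the ones `antispoof_hits` returns: an internal source with the SA flag on WAN is the server answering a forwarded SYN through the wrong path. An ordinary outbound connection from the LAN interface (the last sample line) produces no finding, which is the expected state once the server's traffic reaches the firewall on hn2 again.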
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.