Netgate Discussion Forum

    Outbound NAT and Proxy

      jmcvay

      I have been struggling with Outbound NAT for several months and finally found my solution.

      We have a Single WAN (Multiple Public IP) and 3 LAN Networks. (LAN, DMZ, and WIFI for Guests)

      I wanted traffic originating on a particular interface to utilize its own Public IP address. I enabled Manual Outbound NAT and created a rule for each interface. Sites such as whatismyip and speedtest continued to show the WAN IP Address. I fiddled with the Outbound NAT Rules, Rebooted the Router, and even had the ISP reboot their Router. No luck.

      A message on whatismyip regarding "proxy detected" caught my attention. I disabled the Proxy Server for the DMZ/WIFI interface and voila! It is showing the assigned Virtual IP Address.

      This is a huge hurdle cleared for us as it opens up several possibilities for how we have our Network Setup.

      I've seen several threads on the forums regarding Outbound NAT and nothing mentioning to check the Proxy Server, so I hope this helps someone.

      Now for a question! Is it possible to have Proxy Server and Outbound NAT play nice together? We like having the ability to monitor/log traffic. While the trade off is worth it in our situation, I would like to look at being able to monitor/log traffic on those interfaces in the future.

        marcelloc

        If you use squid on the same pfSense box where you have the public IPs, you can use the tcp outgoing option with ACLs in the squid custom options.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D
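
A sketch of the approach described in the reply above, added here as an example and not taken from the thread: proxied requests leave from the firewall itself, so Squid, not the per-interface outbound NAT rule, picks the source address. The subnets, public addresses and ACL names below are constructed placeholders, and each outgoing address is assumed to already exist on the box (for example as a Virtual IP).

```conf
# Constructed example in squid.conf syntax; every address is a placeholder.

# Classify clients by the internal subnet they connect from.
# DMZ interface subnet (assumed)
acl dmz_clients src 192.168.20.0/24
# Guest WIFI subnet (assumed)
acl wifi_clients src 192.168.30.0/24

# Source address Squid binds to for each group of clients.
# Lines are checked in order and the first matching one is used.
tcp_outgoing_address 203.0.113.11 dmz_clients
tcp_outgoing_address 203.0.113.12 wifi_clients

# No ACL on this line: all remaining clients (e.g. LAN) leave from here.
tcp_outgoing_address 203.0.113.10
```

With this in place Squid keeps logging requests from those subnets while each one presents its own public address.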

          jmcvay

          Thanks marcelloc! I will give that a try sometime. Right now I'm going to leave well enough alone for awhile.  ;)

            pfnewbe

            Is there a possibility to configure outbound NAT on a dynamic (WAN) interface?

              marcelloc

              It works, just choose 'interface address' as outgoing address.

                pfnewbe

                @marcelloc:

                It works, just choose 'interface address' as outgoing address.

                I was thinking that also… But I have a Multi WAN config: one with static addresses (/29 subnet) and one dynamic.
                I can only choose 'Interface address' not which interface... (WANA or WANB)

                  marcelloc

                  Of course you do. Set outbound NAT for each interface and then create rules with gateways to specify packet destination.

                    pfnewbe

                    ??? Let me guess…. I've created the wrong outbound NAT rules...
                    I need to put the interface where it's going to, and not from where it comes from?

                      marcelloc

                      The outbound NAT is the last rule applied to the packet.

                      First you define rules, and if you need to route the packet to a different route, you define it in the advanced rule options. When the packet is leaving pfSense by interface x or y, then outbound NAT is applied if defined.
