Switching to AON

frater

I've been using pfsense now for a month or two, but I'm noticing that I need to switch to AON (Advanced Outbound NAT) if I want to do special things like access to a bridged modem.
Because the pfsense is already in production, I can't just switch and experiment with these rules….

I saw an example where a NAT-rule was made for each WAN-interface.
This rule was an any to any from all networks.

If I do a "pfctl -sa | grep ^nat" while its in automatic mode I will get this as output:

pfctl -sa | grep ^nat
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on dc0_vlan10 inet from <tonatsubnets>port = isakmp to any port = isakmp -> 89.250.179.16 port 500
nat on dc0_vlan10 inet from <tonatsubnets>to any -> 89.250.179.16 port 1024:65535
nat on dc0 inet from <tonatsubnets>port = isakmp to any port = isakmp -> 10.250.250.1 port 500
nat on dc0 inet from <tonatsubnets>to any -> 10.250.250.1 port 1024:65535
nat on pppoe0 inet from <tonatsubnets>port = isakmp to any port = isakmp -> 82.172.129.131 port 500
nat on pppoe0 inet from <tonatsubnets>to any -> 82.172.129.131 port 1024:65535
nat on dc0_vlan13 inet from <tonatsubnets>port = isakmp to any port = isakmp -> 89.250.180.22 port 500
nat on dc0_vlan13 inet from <tonatsubnets>to any -> 89.250.180.22 port 1024:65535
nat on re0_vlan100 inet from 127.0.0.1 to any -> 10.0.0.138 port 1024:65535
nat on dc0 inet from 127.0.0.1 to any -> 10.250.250.1 port 1024:65535</tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets> 

It seems the system creates a table called "tonatsubnets" in which all the LAN-networks are including 127.0.0.0/8

If I switch to AON I'm unable to use this table (tonatsubnets) for my source-network.
I therefore create the table NATNETS which mimics that system generated table <tonatsubnets>```
[2.0.1-RELEASE][root@pfsense.nieuwemeer]/root(11): pfctl -t tonatsubnets -T show
  10.0.0.0/24
  10.0.101.0/24
  10.0.102.0/24
  10.0.103.0/24
  10.0.104.0/24
  10.0.105.0/24
  10.0.106.0/24
  10.0.200.0/24
  10.250.250.16/28
  127.0.0.0/8
  172.19.0.0/23
[2.0.1-RELEASE][root@pfsense]/root(12): pfctl -t NATNETS -T show
  10.0.0.0/24
  10.0.101.0/24
  10.0.102.0/24
  10.0.103.0/24
  10.0.104.0/24
  10.0.105.0/24
  10.0.106.0/24
  10.0.200.0/24
  10.250.250.16/28
  127.0.0.0/8
  172.19.0.0/23
[2.0.1-RELEASE][root@pfsense]/root(13):

Switching to AON the command pfctl -sa | grep ^nat gives me the exact same output ( <tonatsubnets>replaced with <natnets>).
Does this mean I did alright?

: pfctl -sa | grep ^nat
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on dc0_vlan10 inet from <natnets>port = isakmp to any port = isakmp -> 89.250.179.16 port 500
nat on dc0_vlan10 inet from <natnets>to any -> 89.250.179.16 port 1024:65535
nat on dc0 inet from <natnets>port = isakmp to any port = isakmp -> 10.250.250.1 port 500
nat on dc0 inet from <natnets>to any -> 10.250.250.1 port 1024:65535
nat on pppoe0 inet from <natnets>port = isakmp to any port = isakmp -> 82.172.129.131 port 500
nat on pppoe0 inet from <natnets>to any -> 82.172.129.131 port 1024:65535
nat on dc0_vlan13 inet from <natnets>port = isakmp to any port = isakmp -> 89.250.180.22 port 500
nat on dc0_vlan13 inet from <natnets>to any -> 89.250.180.22 port 1024:65535
nat on re0_vlan100 inet from 127.0.0.1 to any -> 10.0.0.138 port 1024:65535
nat on dc0 inet from 127.0.0.1 to any -> 10.250.250.1 port 1024:65535</natnets></natnets></natnets></natnets></natnets></natnets></natnets></natnets>

I captured the output of "  pfctl -sa | egrep -v '^(all|queue| )'  " in both situations (automatic/AON) and compared them.
I can't really see any difference, so this is a good sign.

I would like to ask the experts.
Is this the way to enable AON?
![sshot-33.jpg](/public/_imported_attachments_/1/sshot-33.jpg)
![sshot-33.jpg_thumb](/public/_imported_attachments_/1/sshot-33.jpg_thumb)</natnets></tonatsubnets></tonatsubnets>

cmb

That looks fine

frater

@cmb:

That looks fine

Yes, that's what I thought as well.
But I still haven't enabled these rules because my VoIP is acting strange….
I'm also unable to reach my bridged modem on the DHCP-interface with the IP-alias.
The bridged modem with the PPPoE-interface DOES work, but that's because I created an extra interface for it.

To troubleshoot I'm now also downloading the output of this command on a remote server...

cat /usr/local/www/pfctl.php
#zabbix server ip
$zabbix_ip='85.214.224.32';

if ($_SERVER["REMOTE_ADDR"]==$zabbix_ip)
  print base64_encode(shell_exec('pfctl -snat && pfctl -srules && pfctl -sTables && pfctl -vsAnchors | pfctl -sSources | pfctl -sInterfaces && pfctl -t tonatsubnets -T show && pfctl -t NATNETS -T show && netstat -rnf inet | sed "s/  */ /g" | cut -d" " -f1,2,3,6'));

?>

This is what I see when I do a diff on it (one is AON / the other is automatic)

 cat pf.2012-02-01.10:09.txt.diff
4,13c4,11
< nat on dc0_vlan10 inet from <natnets>port = isakmp to any port = isakmp -> 89.250.179.16 port 500
< nat on dc0_vlan10 inet from <natnets>to any -> 89.250.179.16 port 1024:65535
< nat on dc0 inet from <natnets>port = isakmp to any port = isakmp -> 10.250.250.1 port 500
< nat on dc0 inet from <natnets>to any -> 10.250.250.1 port 1024:65535
< nat on pppoe0 inet from <natnets>port = isakmp to any port = isakmp -> 82.172.129.131 port 500
< nat on pppoe0 inet from <natnets>to any -> 82.172.129.131 port 1024:65535
< nat on dc0_vlan13 inet from <natnets>port = isakmp to any port = isakmp -> 89.250.180.22 port 500
< nat on dc0_vlan13 inet from <natnets>to any -> 89.250.180.22 port 1024:65535
< nat on dc0_vlan11 inet from <wolfnet>to 192.168.1.0/24 -> 192.168.1.250 port 1024:65535
< nat on dc0_vlan13 inet from <wolfnet>to 192.168.178.0/24 -> 192.168.178.10 port 1024:65535
---
> nat on dc0_vlan10 inet from <tonatsubnets>port = isakmp to any port = isakmp -> 89.250.179.16 port 500
> nat on dc0_vlan10 inet from <tonatsubnets>to any -> 89.250.179.16 port 1024:65535
> nat on dc0 inet from <tonatsubnets>port = isakmp to any port = isakmp -> 10.250.250.1 port 500
> nat on dc0 inet from <tonatsubnets>to any -> 10.250.250.1 port 1024:65535
> nat on pppoe0 inet from <tonatsubnets>port = isakmp to any port = isakmp -> 82.172.129.131 port 500
> nat on pppoe0 inet from <tonatsubnets>to any -> 82.172.129.131 port 1024:65535
> nat on dc0_vlan13 inet from <tonatsubnets>port = isakmp to any port = isakmp -> 89.250.180.22 port 500
> nat on dc0_vlan13 inet from <tonatsubnets>to any -> 89.250.180.22 port 1024:65535
334d331
< WOLFNET</tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></tonatsubnets></wolfnet></wolfnet></natnets></natnets></natnets></natnets></natnets></natnets></natnets></natnets> 

WOLFNET=10.0.0.0/24

NATNETS has been made equal to <tonatsubnets>Do you have any idea what may cause a difference in behaviour?
Should I check some more parameters?</tonatsubnets>

costasppc

We had to switch to AON  for our VoIP to wrk properly (outbound traffic to the same port).

Best regards

Kostas

frater

@costasppc:

We had to switch to AON  for our VoIP to wrk properly (outbound traffic to the same port).

Best regards

Kostas

But here it's the other way around…
Automatic is working fine. AON isn't.

Furthermore can't I see any difference in the rules
We have siproxd running.
Because of the proxy there's no NAPT (Network Address & Port Translation)