    Concerns about automatic outbound NAT rule generation

    someperson472034

      Hello pfSense forum,
      I am worried about the automatically generated rules for outbound NAT regarding IPSec passthrough and the other two.
      As I don't need any VPN service on the pfSense box, I want to disable the IPsec passthrough.

      So, do I just switch to Manual Outbound NAT rule generation and delete the first rule and there isn't a passthrough anymore?
      The reason for my concern is that a passthrough bypasses NAT. Is this correct?
      Isn't this the same as forwarding a port and thus a threat, when running a pfSense device with the default "Automatic outbound NAT rule generation"?

      Also, what do the other two rules do, as they look dangerous and intimidating to my beginner eyes.

      | Interface | Source | Source port | Destination | Destination port | NAT address | NAT port | Static port | Description |
      | WAN | 192.168.56.0/24 | * | * | 500 | WAN address | * | YES | Auto created rule for ISAKMP - LAN to WAN |
      | WAN | 192.168.56.0/24 | * | * | * | WAN address | * | NO | Auto created rule for LAN to WAN |
      | WAN | 127.0.0.0/8 | * | * | * | WAN address | 1024:65535 | NO | Auto created rule for localhost to WAN |

      Or from the /tmp/rules.debug file:

      # Outbound NAT rules
      nat on $WAN  from 192.168.56.0/24 to any port 500 -> 192.168.1.194/32  static-port
      nat on $WAN  from 192.168.56.0/24 to any -> 192.168.1.194/32 port 1024:65535
      nat on $WAN  from 127.0.0.0/8 to any -> 192.168.1.194/32 port 1024:65535
      
      johnpoz (LAYER 8 Global Moderator)

        "The reason for my concern is, that a passthrough bypasses NAT. Is this is correct?"

        Uhh - NO.. That rule just says do not change the source port if dest port is 500.

        Here
        https://doc.pfsense.org/index.php/Static_Port

        As to the other rules.. They are what do the NAT.. 2nd line says hey, if you're coming from the 192.168.56.0/24 network going out the WAN port, NAT the IP to the WAN address.

        3rd line is the loopback, ie processes on pfSense that might go to the internet out the WAN, again change its IP to the WAN address.  Kind of clearly says that right there in the description.

        To be honest, beginner eyes should just leave it on AUTO ;)  You put it to manual, you're going to break something most likely and then blame it on pfSense ;)

        Common issue: people change it to manual, then add another interface/network and cannot figure out why they can't get to the internet.. Well, you told pfSense you were smart enough to handle creation of NAT rules is why ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          someperson472034

          @johnpoz:

          "The reason for my concern is, that a passthrough bypasses NAT. Is this is correct?"

          Uhh - NO.. That rule just says do not change the source port if dest port is 500.

          From the following wikipedia entry I can gather that IKE must be enabled in order to traverse NAT, thus bypassing it: IPsec traversal across NAT
          On this documentation page, it says that port 500 has to be forwarded, if applied to a double NAT situation.

          Also, the automatic outbound NAT rule generation only says, that the IPsec passthrough rule is included, not enabled.

          My point here is, that I want to know if pfSense is doing NAT traversal on port 500 with the default configuration and I would be glad if you could explain this specific rule in detail.

            johnpoz (LAYER 8 Global Moderator)

            Dude, are you creating IPsec tunnels from a box inside your network to an IPsec server outside your network?  If so, all that rule does is tell pfSense NOT to randomly pick some source port but to keep it at 500..  That is ALL it does.

            If you do not use IPsec from behind pfSense you have no use for that rule - delete it if you want.. It is an OUTBOUND rule; it has nothing to do with inbound anything..  The only thing it says is: if a connection outbound from something behind pfSense on that network uses a source port of 500, don't change it.. There are NO security issues with it.

              someperson472034

              As for using IPsec tunnels, no I don't use any.

              So, now to absolutely clarify this:
              As you mentioned, there is no security issue with it. The port 500 rule is nothing like a port forward or NAT-traversal rule, right?
              It basically just checks not to change the port from 500 to anything else, when something uses this port?

                johnpoz (LAYER 8 Global Moderator)

                If anything uses a source port of 500??  Why would anything else use it?  But no, it would not be changed..  pfSense has no clue as to what would be using the port - the rule only says hey, if source is 500, use 500, not some random port - ie static!

                But what would use it other than an IPsec tunnel?  It's a privileged port, ie below 1024.. It's not an ephemeral port

                  someperson472034

                  First of all, thanks yet again!

                  Now, one last question.
                  If I were to switch from automatic outbound rule generation to manual, thereby exposing the three mentioned rules, delete the port 500 rule and then change the setting back to AON:

                  Does AON then properly include new rules, or will there be any conflicts between the 2 shown rules and new rules not shown in the webGUI?

                    johnpoz (LAYER 8 Global Moderator)

                    If you switch back to automatic, then the rules are automatic and those rules that are listed don't mean anything, from my understanding.

                    If you don't want the IPsec rule in there, which I cannot fathom why anyone would care about?? Then switch to manual, delete it and stay on manual.

                    The only time outbound NAT rules would be automatically created is if you created new interfaces, say an OpenVPN server, or added a VLAN or another LAN interface, etc..  Or if you changed the network that was on any of your LAN interfaces.

                    If all you have is your one LAN interface/network and it does not change, then it makes little difference if you're on automatic or manual.  Just that if you're on manual and you change something, any outbound rules that might be needed to allow that new network to work would not be auto created is all.

                    You do understand you are making something of nothing - that outbound rule is not a security issue in any way, shape or form..  It's not even used unless you create an outbound connection using a source port of 500.  And all it says is, if you do, don't randomly change it to say 1714 but leave it at 500..


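As an added example (not pfSense code and not from either poster), the following Python models the three rules from the rules.debug output earlier in the thread with pf's first-match translation semantics and runs constructed sample packets through them. It shows what the replies above describe: the ISAKMP rule only preserves the source port (it is keyed on destination port 500, as in the rules.debug line), the other two rules rewrite the source address and pick a random source port from 1024:65535, an unsolicited inbound packet to WAN port 500 matches no outbound NAT rule because there is no port forward, and, for the manual-mode pitfall in the last reply, a packet from a network that has no rule gets no translation at all. The destination 203.0.113.5 and the 192.168.57.0/24 network are constructed for the example and appear nowhere in the thread.

```python
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# WAN address taken from the poster's rules.debug output
WAN_ADDR = "192.168.1.194"


@dataclass(frozen=True)
class Packet:
    direction: str  # "out": leaving through WAN, "in": arriving on WAN
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    src_net: str                           # source network the rule matches
    dport: Optional[int]                   # destination port to match, None = any
    static_port: bool                      # keep the original source port
    nat_ports: Optional[Tuple[int, int]]   # range for the translated source port
    desc: str

    def matches(self, pkt: Packet) -> bool:
        # 'nat on $WAN' only touches traffic leaving through WAN; it is not an
        # rdr (port forward), so inbound packets never match a nat rule.
        if pkt.direction != "out":
            return False
        in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
        return in_net and (self.dport is None or pkt.dport == self.dport)


# The three auto-generated rules, in the order pf evaluates them
AUTO_RULES = [
    NatRule("192.168.56.0/24", 500, True, None, "Auto created rule for ISAKMP - LAN to WAN"),
    NatRule("192.168.56.0/24", None, False, (1024, 65535), "Auto created rule for LAN to WAN"),
    NatRule("127.0.0.0/8", None, False, (1024, 65535), "Auto created rule for localhost to WAN"),
]


def translate(pkt: Packet, rules=AUTO_RULES, rng: Optional[random.Random] = None):
    """Apply the first matching nat rule (pf translation rules are first-match).

    Returns (translated_packet, rule_description), or (None, None) when no rule
    matches: the packet keeps its original source, or, if inbound, is handed to
    the WAN filter rules untouched (which block unsolicited traffic by default).
    """
    rng = rng or random.Random()
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.static_port:
            sport = pkt.sport               # static-port: source port left alone
        else:
            lo, hi = rule.nat_ports
            sport = rng.randint(lo, hi)     # random ephemeral source port
        return replace(pkt, src=WAN_ADDR, sport=sport), rule.desc
    return None, None


def demo(seed: int = 1):
    """Run constructed sample packets through the rules. 203.0.113.5 is a
    documentation address standing in for an Internet host; 192.168.57.0/24 is
    a made-up second LAN (e.g. a new VLAN) that has no NAT rule of its own."""
    rng = random.Random(seed)
    cases = {
        "isakmp": Packet("out", "192.168.56.10", 500, "203.0.113.5", 500),
        "https": Packet("out", "192.168.56.10", 51234, "203.0.113.5", 443),
        "sport500_to_443": Packet("out", "192.168.56.10", 500, "203.0.113.5", 443),
        "local": Packet("out", "127.0.0.1", 40000, "203.0.113.5", 53),
        "inbound_500": Packet("in", "203.0.113.5", 500, WAN_ADDR, 500),
        "new_vlan": Packet("out", "192.168.57.10", 51234, "203.0.113.5", 443),
    }
    return {name: translate(p, rng=rng) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (pkt, desc) in demo().items():
        print(f"{name:16} -> {pkt} via {desc}")
```

Note that the ISAKMP rule matches on destination port, not source port: the `sport500_to_443` case goes through the general LAN rule and has its source port rewritten, while `isakmp` keeps port 500. The `new_vlan` case is the manual-mode situation described in the last reply: with no matching rule the packet leaves WAN with its private source address and gets no reply.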
                      someperson472034

                      That sums it all up.

                      John, I want to thank you for all your help. You were very patient with any of my questions, no matter how basic they were.
                      I hope you keep on doing this great community work and helping people, new or not new, with pfSense.

                      Without your assistance I wouldn't be able to get all those questions answered.

                      So, yes again. Thank you very much!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.