Automatic Outbound NAT CLeanup
-
Hello All,
Did not see this posted anywhere under th NAT area of the forum so if this was already answered then I apologize.
I am running pfsense 2.2.2 and was just made aware that the automatic outbound NAT rule with the description of "Auto created rule for ISAKMP" was applied during an IPSEC VPN attempt, I have since moved away fro IPSEC VPN's and would like to clean up or remove this rule.
I have disabled all the IPSEC VPN's that have been turned on rebotted and cannot seem to find a way to clean this up.
Any suggestions on how to fix this?
-
Hi
You could go to Firewall NAT Outbound tab and change automatic NAT to Manual then create the rules you want.
Cheers
-
There is nothing to fix. If you don't want the automated VPN rules, then disable them in System -> Advanced -> Firewall and NAT -> Disable Auto-added VPN rules
-
Those have nothing to do with your IPsec. Those are the defaults to avoid breaking non-NAT-T IPsec clients behind the firewall. Best to just ignore them, or switch to manual outbound NAT if you must.
-
Thanks for all the help and suggestions,
doktornotor
Did not know this was an option, "Disable Auto-added VPN rules" good to know.cmb
I do not have any IPSEC clients behind the firewall.Even if I do go to manual outbound NAT which really was not my intention and go back to Automatic Outbound NAT they are still listed.
Just trying to keep things clean and tight do not want to give anyone a option to find a hole in a service I am no longer using.Was hoping there was some kind of clean up command that I did not know about, Will just have to be more aware the next time I rebuild.
Thanks
-
Even if I do go to manual outbound NAT which really was not my intention and go back to Automatic Outbound NAT they are still listed.
When you switch back to Automatic then automatic does what it is supposed to do - it automatically puts these NAT rules in place. That does not create any security hole - they re just helper rules for client app. That is not where the pass/block decision is made.
If, for example, you do not want to allow clients to do anything to port 500 then you can use a firewall rule block that on LAN interfaces.