Does auto-outbound-nat do "pass" automatically?
-
Hi,
I have a question of understanding: when adding a port forwarding rule I choose "pass" so no firewall rule is needed for forwarded traffic on the destination LAN. Got this.
When doing outbound NAT automatically, does it also do "pass" implicitly, as I don't need any firewall rule on the WAN interface to get NATted traffic passed?
Because if yes, what I don't get is that the VPN-server wizard added a rule for VPN-network traffic to be allowed out of the WAN. Why is that needed if NAT does auto-pass?
Another question: according to the firewall logs I have some traffic tcp:FA from a client which is rejected. I know these are closed connections that have become stateless, so the firewall drops this traffic. No problem with that. But the X button in the firewall log tells me that the rule which does that is "….default deny rule ipv4". I don't have that rule in the firewall settings. Is that the "invisible" rule that just drops all traffic for which there is no allow rule in the firewall tables?
Thanks
-
If I'm understanding your questions correctly the answer to both is, yes, invisible rules are in place. As for the VPN, I'm not 100% sure why that's also not an invisible rule or why it was implemented that way.
-
when adding a port forwarding rule I choose "pass" so no firewall rule is needed for forwarded traffic on the destination lan. got this.
Uhm. "Pass" is NOT the toggle here; it's not even an existing option when creating a port forward, WTH. The toggle is "Filter rule association". And those rules are very visible in the firewall and prefixed with "NAT" on your interface rules list.
-
I think he's talking about the 1:1 section
-
There's no "Pass" there either.
-
Thanks.
In the port forward section there is an option "pass", not in the NAT section. That's what bothers me: the NAT would need a "pass" too, but there isn't one, so my question is: is it implicitly "passing" NAT traffic through the interfaces without a corresponding explicit rule?
-
when doing outbound nat automatically, does is also do "pass" implicitly, as i dont need any firewall rule on the WAN interface to get natted traffice passed?
No such option for outbound NAT. Traffic going in the out direction on an interface is allowed by default anyway, and you need to use explicit floating rules to block outgoing traffic if such a thing is needed. This is one of the key design aspects of pfSense: block incoming traffic by default on a given interface, allow all outgoing.
-
Thanks, that's what I mean. As said, that's just for understanding, I don't want to annoy anybody. But what I don't get:
NAT is traffic coming in on a LAN interface in pfSense and being NATed to the WAN interface.
So on the WAN interface that's not traffic coming FROM WAN to the outside but traffic originating from LAN, and on WAN it's incoming, so in my logic it would need a firewall allow rule for the WAN interface, but it doesn't :) That's where I don't quite get it and assume it's some kind of "pass" that's integrated in NAT.
Or does my picture of the firewall have to be changed:
For WAN, all LAN interfaces are the "incoming" direction?
But for LAN interfaces the WAN interface is not the "incoming" direction?
-
in the port forward section there is an option "pass", not in the nat section.
Where?!?! Could you kindly post screenshots of what you are doing so that we don't waste more time here? ::)
-
Pretty sure he means the "pass" option in the filter rule association selection box.
This is on 2.3.2-RELEASE-p1.
I would just use the associated firewall rule and forget the pass option exists.
-
Uh. Finally!!!
Pass
This choice uses a special pf keyword on the NAT port forward rule that causes traffic to be passed through without the need of a firewall rule. Because no separate firewall rule exists, any traffic matching this rule is forwarded in to the target system.
Note: Rules using Pass will only work on the interface containing your default gateway, so they do not work effectively with Multi-WAN.
Source: The pfSense Book.
-
Thanks, that's what I mean. As said, that's just for understanding, I don't want to annoy anybody. But what I don't get:
NAT is traffic coming in on a LAN interface in pfSense and being NATed to the WAN interface.
So on the WAN interface that's not traffic coming FROM WAN to the outside but traffic originating from LAN, and on WAN it's incoming, so in my logic it would need a firewall allow rule for the WAN interface, but it doesn't :) That's where I don't quite get it and assume it's some kind of "pass" that's integrated in NAT.
Or does my picture of the firewall have to be changed:
For WAN, all LAN interfaces are the "incoming" direction?
But for LAN interfaces the WAN interface is not the "incoming" direction?
The filter rules that allow all outgoing traffic on the interfaces are literally "allow all", and for example for the traffic going out via the WAN interface they don't care if the traffic originated on the LAN network or on the firewall itself; the traffic will be allowed regardless.
Also, the interfaces are independent of each other, so for the WAN interface any traffic going out via it is really "outgoing". For LAN on the other hand, any traffic coming in from the LAN network is "incoming", because the direction is from the perspective of the interface only and not from the perspective of LAN vs. Internet, for example.
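The per-interface direction model described in this reply, written out as an added Python simulation (not code from the thread or from pfSense). It assumes illustrative interface names, ports and rule labels; the only label taken from the thread is the "Default deny rule IPv4" seen in the firewall log.

```python
# Added model of how pfSense judges direction per interface. Interface names,
# rule labels and ports are illustrative; "Default deny rule IPv4" is the label
# from the firewall log discussed in the thread.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is observed on
    direction: str   # "in" or "out" relative to that interface only
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    iface: str       # interface name, or "any"
    direction: str   # "in" or "out"
    dport: Optional[int] = None   # None matches any destination port
    label: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface) and self.direction == p.direction
                and self.dport in (None, p.dport))

# Rules pfSense applies without listing them on the interface tabs.
IMPLICIT_ALLOW_OUT = Rule("pass", "any", "out", label="allow all outgoing (implicit)")
DEFAULT_DENY = Rule("block", "any", "in", label="Default deny rule IPv4")

def evaluate(floating, iface_rules, p: Packet) -> str:
    """First match wins (pfSense emits every rule with pf's 'quick'). Floating
    rules run first, which is why blocking outbound traffic needs one."""
    for r in [*floating, IMPLICIT_ALLOW_OUT, *iface_rules, DEFAULT_DENY]:
        if r.matches(p):
            return f"{r.action}: {r.label}"
    return "block: unreachable"   # DEFAULT_DENY matches every 'in' packet

def trace_lan_to_internet(floating, iface_rules, dport: int):
    """A LAN client's connection is filtered twice: 'in' on LAN, then after
    outbound NAT 'out' on WAN. No explicit WAN rule is involved."""
    hops = [Packet("lan", "in", dport), Packet("wan", "out", dport)]
    return [evaluate(floating, iface_rules, h) for h in hops]

# Illustrative rule set: the stock LAN rule plus one port forward created with
# Filter rule association = "Pass" (pf's "rdr pass", no visible filter rule).
LAN_DEFAULT = Rule("pass", "lan", "in", label="Default allow LAN to any rule")
RDR_PASS_HTTP = Rule("pass", "wan", "in", dport=80, label="rdr pass (port forward)")
IFACE_RULES = [LAN_DEFAULT, RDR_PASS_HTTP]
```

Running `trace_lan_to_internet([], IFACE_RULES, 443)` shows the LAN rule passing the first hop and the implicit outbound rule passing the WAN hop, while an unsolicited `Packet("wan", "in", 22)` falls through to the default deny.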
-
@kpa:
Pretty sure he means the "pass" option in the filter rule association selection box.
This is on 2.3.2-RELEASE-p1.
I would just use the associated firewall rule and forget the pass option exists.
Yes, that's what I mean. Sorry, I thought it was obvious.