Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Outbound NAT Simplification

    HA/CARP/VIPs
    2
    4
    613
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • calebhC
      calebh
      last edited by

      Hi All,

      Our environment…
      Functioning HA setup in our office and datacenter.
      Several OpenVPN server instances on each HA pair in both locations.
      OpenVPN tunnel between the locations, Office is set as client.

      Situation...
      We're adding some VLANs and associated subnets to the Office firewalls, and it's really tedious to manually add the Outbound NAT rules for each subnet. To simplify the setup, I disabled all the auto-added rules and created two (one regular, one ISAKMP) that have the source address set to "Any." Unfortunately, this caused the Backup firewall to not have access to the internet to do things like check for OS updates, presumably because the outbound packets from that machine we being sent as the CARP VIP, and so the Master was the one processing the return packets.

      So my next idea was to create additional rules above my enabled rules, and set their source to "This firewall (self)" and set the NAT Address to the Interface address. However, in the case of the OpenVPN client (that creates the tunnel to the datacenter), packets were then being sent as the firewall itself, and not the CARP VIP.

      So now I'm wondering what rules should be in place in order to prevent the source IP from changing on things such as OpenVPN, but allow the firewalls to individually connect to the internet, too?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        You probably don't want to outbound NAT for this firewall because you generally do not want to outbound NAT for the WAN interface address themselves. For the same reason, setting a source address for outbound NAT of any is generally bad news.

        You might be able to get away with creating outbound NAT rules with the source address set to an RFC1918 alias (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). That will catch everything on the inside with private addresses while leaving the public interface addresses alone.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • calebhC
          calebh
          last edited by

          The default rules include a pair with the source network being 127.0.0.0/8. Should those be enabled, ignored, etc.?

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            They need to be enabled and set to use the CARP VIP.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.