[SOLVED] Setup Manual Outbound NAT - Section in pfsense docs unclear to me
  • Hi there,

    I am trying to build a redundant HA setup with my two firewall machines.
    I'm mostly using the guide from the pfsense docs.

    It all worked pretty well so far. Both machines are running and the configuration is shared across devices.

    However, I struggle to make sense of the chapter 'Setup Manual Outbound NAT'.

    As I understand it, it is necessary to "fake" the outbound IP address. For obvious reasons, as CARP is unable to work otherwise.

    On the pfsense docs website the instructions are:

    • Navigate to Firewall > NAT on the Outbound tab

    • Select Manual outbound NAT

    • Click save

    • Edit the automatically added rule for LAN

      • Select a shared CARP virtual IP address on WAN as the Translation address

      • Change the Description to refer to the rule's use of the CARP VIP if desired

      • Click Save

    • Repeat the rule edit for additional rules

    • Click Apply changes

    It works well until point three. Maybe it is the language barrier (native German here), but I read it as: after I click the blue 'Save' button, some rules should appear automatically. And they don't.
    This is all I see.

    Furthermore I got confused by reading a guide from lab-time.it.

    Somewhere near the end it is written

    In the past, you’ve had to use manual entries to get this to work, but my lab works with the defaults on this version of PfSense. Another thing I’ve had to do is to temporarily disable CARP at the CARP status page, and then enable it again. When everything is reacting as it should, and you can reach both VIP’s and the outside world from the LAN network, the time has come to test the failover as that is the original purpose of this setup.

    As you can see, I'm a little bit stuck here. Should the rules appear automatically? Should I use manual outbound NAT? Should I stick to automatic?  :-\

    I would be very happy if someone could point me in the right direction. Thanks in advance.

    My Setup:

    2.3.4-RELEASE (amd64)
    built on Wed May 03 15:13:29 CDT 2017
    FreeBSD 10.3-RELEASE-p19
    Fresh install. No updates yet.

    All the best

    Ulf


  • LAYER 8 Netgate

    What is there when you set Automatic outbound NAT?

    All of the automatic rules that appear will be made into specific rules when you set manual.

    If nothing appears in automatic, you probably do not have gateways configured on your WAN interfaces (or you do have gateways configured on all your LAN/inside interfaces), causing the helper to not be able to figure out which are inside and which are outside interfaces.



  • Hi Derelict,

    thanks for taking the time.

    @Derelict:

    What is there when you set Automatic outbound NAT?

    All of the automatic rules that appear will be made into specific rules when you set manual.

    Nothing…

    @Derelict:

    If nothing appears in automatic, you probably do not have gateways configured on your WAN interfaces (or you do have gateways configured on all your LAN/inside interfaces), causing the helper to not be able to figure out which are inside and which are outside interfaces.

    You were right.

    Although I did set up a gateway in System -> Routing -> Gateways,

    I did not select the 'IPv4 Upstream gateway' in Interfaces -> WAN.

    After I changed that to my gateway connection, the automatic Outbound NAT rules appeared :)

    I managed to proceed as written in the pfsense docs and selected "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)".
    I changed the translation address on the "Auto created rule - LAN to WAN" to the Virtual CARP IP address.

    One final question. Do I have to change the "Auto created rule for ISAKMP - LAN to WAN" as well?

    Thanks for your help! I really appreciate it!


  • LAYER 8 Netgate

    All of those should be changed to the CARP VIP.
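As an added example (not from the thread, the pfsense docs or pfSense's own code), here is a small Python model tying together Derelict's explanation of how the automatic helper tells inside from outside interfaces, the docs steps quoted in the first post, and the answer above that every seeded rule, the ISAKMP one included, must translate to the CARP VIP. Interface names, networks and the VIP are constructed sample values, and the helper behaviour follows the thread's description rather than pfSense's source.

```python
from dataclasses import dataclass, field

@dataclass
class Iface:
    name: str                  # pfSense interface name, e.g. "WAN", "LAN"
    network: str               # interface subnet in CIDR notation
    has_gateway: bool = False  # "IPv4 Upstream gateway" set under Interfaces -> <name>
    carp_vips: list = field(default_factory=list)  # shared CARP VIPs on this interface

def classify(ifaces):
    """Inside/outside split as the helper was described in the thread: an
    interface with an upstream gateway is outside (WAN), one without is inside."""
    outside = [i for i in ifaces if i.has_gateway]
    inside = [i for i in ifaces if not i.has_gateway]
    return outside, inside

def auto_rules(ifaces):
    """Rules manual mode is seeded with, as (description, wan, source_net,
    static_port, translation). Like automatic mode, they translate to the WAN
    interface address, which is what breaks under CARP failover."""
    outside, inside = classify(ifaces)
    rules = []
    for wan in outside:
        for lan in inside:
            # pfSense also seeds a static-port rule for ISAKMP (UDP 500)
            rules.append((f"Auto created rule for ISAKMP - {lan.name} to {wan.name}",
                          wan.name, lan.network, True, f"{wan.name} address"))
            rules.append((f"Auto created rule - {lan.name} to {wan.name}",
                          wan.name, lan.network, False, f"{wan.name} address"))
    return rules

def retarget_to_vip(rules, ifaces):
    """The docs step: set every rule's Translation address to the CARP VIP on its WAN."""
    vip_of = {i.name: i.carp_vips[0] for i in ifaces if i.carp_vips}
    return [(d, w, s, sp, vip_of[w]) for d, w, s, sp, _ in rules]

def not_on_vip(rules, ifaces):
    """Descriptions of rules that still translate to something other than a CARP VIP."""
    vips = {v for i in ifaces for v in i.carp_vips}
    return [d for d, _, _, _, t in rules if t not in vips]

# Constructed sample: the poster's WAN before and after selecting the upstream gateway
WAN_NO_GW = Iface("WAN", "203.0.113.0/24", False, ["203.0.113.10"])
WAN = Iface("WAN", "203.0.113.0/24", True, ["203.0.113.10"])
LAN = Iface("LAN", "192.168.1.0/24")
```

With no gateway on WAN (or a gateway on every interface) the model seeds no rules at all, which is the empty Outbound tab the first post describes; once the rules exist, `not_on_vip` lists the ones still pointing at the interface address.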



  • @Derelict:

    All of those should be changed to the CARP VIP.

    Thank you! It is working now.

    Latest upgrade to 2.3.4-RELEASE-p1 worked fine as well.

    Again, thanks for your help!  :D

