Outbound NAT Simplification

  • Hi All,

    Our environment…
    Functioning HA setup in our office and datacenter.
    Several OpenVPN server instances on each HA pair in both locations.
    OpenVPN tunnel between the locations, Office is set as client.

    We're adding some VLANs and associated subnets to the Office firewalls, and it's really tedious to manually add the Outbound NAT rules for each subnet. To simplify the setup, I disabled all the auto-added rules and created two (one regular, one ISAKMP) that have the source address set to "Any." Unfortunately, this caused the Backup firewall to not have access to the internet to do things like check for OS updates, presumably because the outbound packets from that machine were being sent as the CARP VIP, and so the Master was the one processing the return packets.

    So my next idea was to create additional rules above my enabled rules, and set their source to "This firewall (self)" and set the NAT Address to the Interface address. However, in the case of the OpenVPN client (that creates the tunnel to the datacenter), packets were then being sent as the firewall itself, and not the CARP VIP.

    So now I'm wondering what rules should be in place in order to prevent the source IP from changing on things such as OpenVPN, but allow the firewalls to individually connect to the internet, too?

  • LAYER 8 Netgate

    You probably don't want to outbound NAT for this firewall because you generally do not want to outbound NAT for the WAN interface addresses themselves. For the same reason, setting a source address for outbound NAT of any is generally bad news.

    You might be able to get away with creating outbound NAT rules with the source address set to an RFC1918 alias (…). That will catch everything on the inside with private addresses while leaving the public interface addresses alone.

  • The default rules include a pair with the source network being Should those be enabled, ignored, etc.?

  • LAYER 8 Netgate

    They need to be enabled and set to use the CARP VIP.
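
    Added illustration of the advice in this thread, not configuration from the poster or from Netgate: a pf-style outbound NAT fragment contrasting a source-any rule with one limited to an RFC1918 table that translates to the CARP VIP. The interface name and the VIP address are assumed placeholders.

```pf
# Constructed pf.conf-style fragment; interface name and VIP address are assumed.
wan_if   = "em0"
carp_vip = "203.0.113.10"

# Private address space as defined in RFC 1918
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Too broad: this also translates traffic the firewall sends from its own WAN
# address, so the backup node's update checks leave as the VIP and the replies
# are handled by the master.
# nat on $wan_if from any to any -> $carp_vip

# Narrower: only inside hosts with private addresses are translated to the
# CARP VIP. Traffic sourced from the WAN interface address never matches, so
# each node reaches the internet as itself. The ISAKMP (UDP 500) rule comes
# first and keeps the source port; the general rule follows.
nat on $wan_if proto udp from <rfc1918> port 500 to any port 500 -> $carp_vip static-port
nat on $wan_if from <rfc1918> to any -> $carp_vip
```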
