Disable Auto-added VPN rules???

  • Hello,

    I have checked "Disable Auto-added VPN rules" on System / Advanced / Firewall & NAT. I create rules manually on WAN.
    I want to know disabling this option also prevents adding rules to NAT / Outbound rules or it just disables adding rules to Rules / WAN?
    Outbound rules in NAT is automatic.

    Firewall / Rules / WAN


    Firewall / Rules / IPSec


    Firewall / NAT / Outbound

    0_1530886260868_nat_outbound.jpg%(#000000)[colored text]

  • Netgate Administrator

    You can see the outbound NAT rules that have been added when the mode is set to Automatic there.
    I would only expect to see rules added for mobile client subnets.

    The automatic firewall rules option you disabled is only to allow IPSec traffic into the firewall. Not traffic within the tunnel.


  • In this situation, do I need add rules for ipsec to outbound nat (outbound nat is automatic now)?

  • Netgate Administrator

    You would do if traffic sourced from the other side of the VPN needs to access something via the WAN interface locally.

    However your IPSec firewall rules show only traffic for one single local host so that should never happen. Unless you add new tunnels or rules.


  • Here, xx.xx.129.13 is remote office wan address and,, are remote office internal ip address, and is our internal server's ip address. These hosts must see each other via ipsec. Actually I didn't understand clearly if need to add rules to outbound nat or not, however outbound nat is automatic.

  • LAYER 8 Netgate

    No. If you needed to NAT on IPsec you would use the NAT in IPsec Phase 2 not Outbound NAT.

    Once the Phase 1 (IKE) tunnel is up you can forget all about the WAN interface.

    In your case, if you wanted to only pass traffic between those hosts you would probably want to make these Phase 2 Networks:

    Local Network Remote network
    Host Host
    Host Host
    Host Host

    You can further enforce inbound connections with proper rules on the IPsec tab.

Log in to reply