Disable Auto-added VPN rules???



  • Hello,

    I have checked "Disable Auto-added VPN rules" on System / Advanced / Firewall & NAT. I create rules manually on WAN.
    I want to know disabling this option also prevents adding rules to NAT / Outbound rules or it just disables adding rules to Rules / WAN?
    Outbound rules in NAT is automatic.

    Firewall / Rules / WAN

    0_1530886214232_wan_rules.jpg

    Firewall / Rules / IPSec

    0_1530886241752_ipsec_rules.jpg

    Firewall / NAT / Outbound

    0_1530886260868_nat_outbound.jpg%(#000000)[colored text]


  • Netgate Administrator

    You can see the outbound NAT rules that have been added when the mode is set to Automatic there.
    I would only expect to see rules added for mobile client subnets.

    The automatic firewall rules option you disabled is only to allow IPSec traffic into the firewall. Not traffic within the tunnel.

    Steve



  • In this situation, do I need add rules for ipsec to outbound nat (outbound nat is automatic now)?


  • Netgate Administrator

    You would do if traffic sourced from the other side of the VPN needs to access something via the WAN interface locally.

    However your IPSec firewall rules show only traffic for one single local host so that should never happen. Unless you add new tunnels or rules.

    Steve



  • Here, xx.xx.129.13 is remote office wan address and 192.168.81.3, 192.168.81.4, 192.168.81.5 are remote office internal ip address, and 192.168.2.61 is our internal server's ip address. These hosts must see each other via ipsec. Actually I didn't understand clearly if need to add rules to outbound nat or not, however outbound nat is automatic.


  • Netgate

    No. If you needed to NAT on IPsec you would use the NAT in IPsec Phase 2 not Outbound NAT.

    Once the Phase 1 (IKE) tunnel is up you can forget all about the WAN interface.

    In your case, if you wanted to only pass traffic between those hosts you would probably want to make these Phase 2 Networks:

    Local Network Remote network
    Host 192.168.2.61 Host 192.168.81.3
    Host 192.168.2.61 Host 192.168.81.4
    Host 192.168.2.61 Host 192.168.81.5

    You can further enforce inbound connections with proper rules on the IPsec tab.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy