NAT Configuration doubt!



  • Hi all,
    I am new to pfSense and I am in doubt about how pfSense works with NAT.
    This is my scenario, 2 nodes with HA configured and working.
    But when I try to access the internet over the pfsense it does not work.
    I am following this tutorial https://www.netgate.com/docs/pfsense/highavailability/configuring-high-availability.html on how to configure HA, and the part that explains how to set a manual Outbound on NAT is really hard to understand.

    I've edited the rule for LAN and on the translation option I have selected my CARP IP and nothing works. Do I have to do anything special to get the NAT working? Am I missing something?

    When I am editing the WAN rule there is no CARP there to select as the translation address. I've added another CARP to match the WAN Gateway but it did not work either.

    How do you guys set the NAT on your environment?


  • Netgate

    Get CARP/HA configured
    Change to Manual Outbound NAT
    Change the NAT address on all the rules except the localhost rules to the CARP VIP
    You're done.

    Sounds like you've clicked a lot of things you shouldn't have.

    No, you don't make a VIP for the gateway address.

    Not sure what edited the rule for LAN means.

    You might want to post some screen shots. Probably best to start with outbound NAT.



  • What do you mean by "change the NAT address on all the rules except the localhost rules to the CARP VIP"? I got the part to not change the localhost rule.
    Please see the print below. I have selected the LAN rule and on the Address option under translation I have selected the CARP IP. Should I do this for all the rules?

    That is the part that confuses me: if I select a WAN rule, on the Address option under translation I should have to select the Gateway to the WAN interface? Shouldn't I? I am very confused!

    Looking at the next print, the only option that I have under Address is 192.168.0.3. Do I have to select this CARP IP even for the WAN rule?



  • Netgate

    Do not use source any outbound NAT rules. That will NAT things that should not have NAT performed on them, such as connections from the firewall itself.

    Automatic NAT will create all the rules you need. Then switch to manual and you can edit them (except the localhost source rules) and set the NAT address to the CARP VIP.

    Like I said:

    Get CARP/HA configured
    Change to Manual Outbound NAT
    Change the NAT address on all the rules except the localhost rules to the CARP VIP
    You're done.

    https://www.youtube.com/watch?v=VnBnnh81G7w

    Is there a specific reason you are setting outbound NAT on LAN?
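
The two checks from the reply above (no source-any rules; every rule except the localhost ones translates to the CARP VIP), written as a small rule audit. This is an added example, not part of the thread and not pfSense's own code or configuration format: the rule dictionaries, field names, descriptions and addresses are all constructed for illustration.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def audit_outbound_nat(rules, carp_vip):
    """Return (description, problem) pairs for manual outbound NAT rules.

    Each rule is a dict with hypothetical keys: descr, source, nat_address.
    """
    findings = []
    for rule in rules:
        descr, source = rule["descr"], rule["source"]
        if source == "any":
            # A source-any rule also matches connections from the firewall itself.
            findings.append((descr, "source is any"))
            continue
        net = ipaddress.ip_network(source)
        if net.version == 4 and net.subnet_of(LOOPBACK):
            # Localhost rules are the ones left unchanged.
            continue
        if rule["nat_address"] != carp_vip:
            findings.append((descr, "NAT address is not the CARP VIP"))
    return findings

# Constructed sample rule set; 198.51.100.10 stands in for the WAN CARP VIP.
SAMPLE_VIP = "198.51.100.10"
SAMPLE_RULES = [
    {"descr": "LAN to WAN", "source": "192.168.1.0/24",
     "nat_address": "198.51.100.10"},
    {"descr": "localhost to WAN", "source": "127.0.0.0/8",
     "nat_address": "interface address"},
    {"descr": "catch-all", "source": "any",
     "nat_address": "198.51.100.10"},
    {"descr": "DMZ to WAN", "source": "10.0.50.0/24",
     "nat_address": "interface address"},
]

if __name__ == "__main__":
    for descr, problem in audit_outbound_nat(SAMPLE_RULES, SAMPLE_VIP):
        print(f"{descr}: {problem}")
```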


  • Netgate

    Don't take this the wrong way, but maybe you should get a better grasp on the basic functionality of pfSense before tackling something like an HA pair.




  • Hey @Derelict, thanks for the video explaining how to configure the HA. The manual that I was looking at is a bit outdated; that is why I was having so many doubts.
    Now things are way more clear.