Rules need to be reloaded on every boot for Hybrid Outbound NAT to work
-
Hi
I have a setup with a couple of (aliased) hosts transparently being routed to a VPN provider. This is done by enforcing the hosts to use the VPN gateway and NAT'ing all their connections.
This works nicely, even balancing over three different VPN connections (gateways) - however, on each reboot of pfSense, nothing is being redirected before going to Firewall -> NAT -> Outbound and just clicking "Save" (with no changes). I'm using the Hybrid Outbound NAT option and I'm guessing it's a bug in the pfSense boot filter load sequence. This is what happens:
root@plex:~ # traceroute google.com
traceroute to google.com (172.217.21.142), 64 hops max, 40 byte packets
1 pfsense.lan (192.168.1.1) 0.382 ms 0.268 ms 0.286 ms
2 XX.XX.XX.XX (XX.XX.XX.XX) 0.536 ms 0.553 ms 0.556 ms
[...]
(Filter Reload in pfSense...)
root@plex:~ # traceroute google.com
traceroute to google.com (172.217.21.142), 64 hops max, 40 byte packets
1 10.8.8.1 (10.8.8.1) 2.046 ms 25.756 ms 1.897 ms
2 vlan109.as02.cph1.dk.m247.com (82.102.20.33) 13.614 ms
[...]
The reload log (though maybe not relevant since it always works after RE-loading the filter, just not on boot):
Initializing
Creating aliases
Creating gateway group item...
Generating Limiter rules
Generating NAT rules
Creating 1:1 rules...
Creating advanced outbound rule
Creating advanced outbound rule
Creating advanced outbound rule
Creating outbound NAT rules
Creating automatic outbound rules
Setting up TFTP helper
Generating filter rules
Creating default rules
Pre-caching ...
Creating filter rule ...
Creating filter rules ...
Setting up pass/block rules
Setting up pass/block rules
Creating rule
Pre-caching ...
Creating filter rule ...
Creating filter rules ...
Setting up pass/block rules
Setting up pass/block rules
Creating rule
Pre-caching Default allow LAN to any rule...
Creating filter rule Default allow LAN to any rule ...
Creating filter rules Default allow LAN to any rule ...
Setting up pass/block rules
Setting up pass/block rules Default allow LAN to any rule
Creating rule Default allow LAN to any rule
Pre-caching Default allow LAN IPv6 to any rule...
Creating filter rule Default allow LAN IPv6 to any rule ...
Creating filter rules Default allow LAN IPv6 to any rule ...
Setting up pass/block rules
Setting up pass/block rules Default allow LAN IPv6 to any rule
Creating rule Default allow LAN IPv6 to any rule
Pre-caching Simple Service Discovery Protocol...
Creating filter rule Simple Service Discovery Protocol ...
Creating filter rules Simple Service Discovery Protocol ...
Setting up pass/block rules
Setting up pass/block rules Simple Service Discovery Protocol
Creating rule Simple Service Discovery Protocol
Pre-caching Multicast DNS...
Creating filter rule Multicast DNS ...
Creating filter rules Multicast DNS ...
Setting up pass/block rules
Setting up pass/block rules Multicast DNS
Creating rule Multicast DNS
Creating IPsec rules...
Creating uPNP rules...
Generating ALTQ queues
Loading filter rules
Setting up logging information
Setting up SCRUB information
Processing down interface states
Running plugins
Done
Any suggestions on how to fix this?
-
Screenshot of the NAT page. The "NordVPN" source is an alias for the hosts. -
Screenshot of the firewall rules to enforce gateway. The second rule was a try to block any non-VPN'ed traffic from the hosts, but it seems to go through anyway... -
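The two traceroutes above show the symptom clearly: before the reload the alias hosts leave via pfsense.lan and the ISP hop, i.e. they are not NAT'ed into the tunnel, and after the reload the first hop is the VPN's 10.8.8.1. The following script is an added example, not code from the original post or from pfSense itself, that checks the running pf ruleset (the output of "pfctl -sn") for the expected "nat on <vpn interface> ... from <alias>" entries and, when any are missing, triggers the same filter reload that clicking "Save" performs. The alias name "NordVPN", the OpenVPN client interface names ovpnc1..ovpnc3, the sample pfctl output and the reload hook /etc/rc.filter_configure are assumptions for illustration; adjust them to your own interface names.

```shell
#!/bin/sh
# Added example (not from the original post or pfSense): after boot, verify that
# the hybrid outbound NAT rules for the VPN-bound alias are actually present in
# the running pf ruleset, and reload the filter if they are not.
# Assumptions (hypothetical): alias "NordVPN", OpenVPN client interfaces
# ovpnc1..ovpnc3, and /etc/rc.filter_configure as the pfSense reload hook.

ALIAS="NordVPN"
VPN_IFACES="ovpnc1 ovpnc2 ovpnc3"

# vpn_nat_missing RULESET
#   RULESET is the text of "pfctl -sn". Returns 0 when every VPN interface has a
#   "nat on <if> ... from <ALIAS ..." rule; otherwise prints the interfaces that
#   lack one and returns 1. Matching "from <NordVPN" (without the closing ">")
#   also covers the "<NordVPN:2>" form that verbose pfctl output uses.
vpn_nat_missing() {
    ruleset="$1"
    missing=""
    for ifc in $VPN_IFACES; do
        printf '%s\n' "$ruleset" | grep -q "^nat on $ifc .*from <$ALIAS" \
            || missing="$missing $ifc"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample of "pfctl -sn" output with all three VPN NAT rules loaded.
SAMPLE_OK='nat on ovpnc1 inet from <NordVPN> to any -> (ovpnc1) port 1024:65535
nat on ovpnc2 inet from <NordVPN> to any -> (ovpnc2) port 1024:65535
nat on ovpnc3 inet from <NordVPN> to any -> (ovpnc3) port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535'

# Constructed sample of a post-boot state where only one VPN rule made it in,
# so traffic from the alias hosts would fall through to the WAN rule.
SAMPLE_BROKEN='nat on ovpnc1 inet from <NordVPN> to any -> (ovpnc1) port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535'

# Only touch the live system when explicitly asked and pfctl is available.
if [ "${1:-}" = "--live" ] && command -v pfctl >/dev/null 2>&1; then
    if ! vpn_nat_missing "$(pfctl -sn)"; then
        echo "VPN outbound NAT rules missing; reloading filter" >&2
        /etc/rc.filter_configure
    fi
fi
```

Run it as "sh check_vpn_nat.sh --live" from a boot-time hook (for instance the Shellcmd package, if you use it) a little after the OpenVPN clients come up; without "--live" it only defines the check and the constructed samples. This is a safety net rather than a fix for the boot-order problem itself, and it is also a useful way to confirm, independently of traceroute, whether the rules were really loaded before the alias hosts start sending traffic through the WAN.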
Hi,
I also have the same issue. And I have almost the same setup as you.
-
@rosenstand
Hi, have you got this sorted out? Or does anyone else have a fix for this :)