Rules need to be reloaded on every boot for Hybrid Outbound NAT to work



  • Hi

    I have a setup with a couple of (aliased) hosts transparently being routed to a VPN provider. This is done by forcing the hosts to use the VPN gateway and NAT'ing all their connections.
    This works nicely, even balancing over three different VPN connections (gateways) - however, on each reboot of pfSense, nothing is being redirected until I go to Firewall -> NAT -> Outbound and just click "Save" (with no changes).

    I'm using the Hybrid Outbound NAT option and I'm guessing it's a bug in the pfSense boot filter load sequence. This is what happens:

    root@plex:~ # traceroute google.com
    traceroute to google.com (172.217.21.142), 64 hops max, 40 byte packets
    1 pfsense.lan (192.168.1.1) 0.382 ms 0.268 ms 0.286 ms
    2 XX.XX.XX.XX (XX.XX.XX.XX) 0.536 ms 0.553 ms 0.556 ms
    [...]

    (Filter Reload in pfSense...)

    root@plex:~ # traceroute to google.com (172.217.21.142), 64 hops max, 40 byte packets
    1 10.8.8.1 (10.8.8.1) 2.046 ms 25.756 ms 1.897 ms
    2 vlan109.as02.cph1.dk.m247.com (82.102.20.33) 13.614 ms
    [...]

    The reload log (though maybe not relevant since it always works after RE-loading the filter, just not on boot):

    Initializing
    Creating aliases
    Creating gateway group item...
    Generating Limiter rules
    Generating NAT rules
    Creating 1:1 rules...
    Creating advanced outbound rule
    Creating advanced outbound rule
    Creating advanced outbound rule
    Creating outbound NAT rules
    Creating automatic outbound rules
    Setting up TFTP helper
    Generating filter rules
    Creating default rules
    Pre-caching ...
    Creating filter rule ...
    Creating filter rules ...
    Setting up pass/block rules
    Setting up pass/block rules
    Creating rule
    Pre-caching ...
    Creating filter rule ...
    Creating filter rules ...
    Setting up pass/block rules
    Setting up pass/block rules
    Creating rule
    Pre-caching Default allow LAN to any rule...
    Creating filter rule Default allow LAN to any rule ...
    Creating filter rules Default allow LAN to any rule ...
    Setting up pass/block rules
    Setting up pass/block rules Default allow LAN to any rule
    Creating rule Default allow LAN to any rule
    Pre-caching Default allow LAN IPv6 to any rule...
    Creating filter rule Default allow LAN IPv6 to any rule ...
    Creating filter rules Default allow LAN IPv6 to any rule ...
    Setting up pass/block rules
    Setting up pass/block rules Default allow LAN IPv6 to any rule
    Creating rule Default allow LAN IPv6 to any rule
    Pre-caching Simple Service Discovery Protocol...
    Creating filter rule Simple Service Discovery Protocol ...
    Creating filter rules Simple Service Discovery Protocol ...
    Setting up pass/block rules
    Setting up pass/block rules Simple Service Discovery Protocol
    Creating rule Simple Service Discovery Protocol
    Pre-caching Multicast DNS...
    Creating filter rule Multicast DNS ...
    Creating filter rules Multicast DNS ...
    Setting up pass/block rules
    Setting up pass/block rules Multicast DNS
    Creating rule Multicast DNS
    Creating IPsec rules...
    Creating uPNP rules...
    Generating ALTQ queues
    Loading filter rules
    Setting up logging information
    Setting up SCRUB information
    Processing down interface states
    Running plugins
    Done

    Any suggestions on how to fix this?



  • [Image: 0_1545659941723_Screenshot from 2018-12-24 14-48-14.png]
    Screenshot of the NAT page. The "NordVPN" source is an alias for the hosts.



  • [Image: 0_1545660240940_Screenshot from 2018-12-24 15-03-41.png]
    Screenshot of the firewall rules to enforce the gateway. The second rule was an attempt to block any non-VPN'ed traffic from the hosts, but it seems to go through anyway...
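    A boot-time sanity check for the symptom described above, added here as an example and not code from the original post or from pfSense itself. It assumes `pfctl -sn` lists the currently loaded NAT rules, that `/etc/rc.filter_configure` triggers the same filter reload as clicking "Save" on the Outbound NAT page, and that the VPN interfaces are named ovpnc1..ovpnc3 and the alias shows up as the table `<NordVPN>` in the loaded rules (all of these names are assumptions; adjust them to what your own `pfctl -sn` output shows).

```sh
#!/bin/sh
# Verify that the hybrid outbound NAT rules actually made it into pf after
# boot, and force a filter reload if any of them are missing.

# Return 0 if the loaded NAT rule text ($1) contains a "nat on <iface>" rule
# ($3) whose source matches $2 (e.g. the alias table "<NordVPN>").
nat_rule_present() {
    rules="$1"; src="$2"; iface="$3"
    printf '%s\n' "$rules" | grep -F "nat on ${iface} " | grep -F "from ${src} " >/dev/null 2>&1
}

# Count how many of the expected (source interface) pairs have no NAT rule.
count_missing() {
    rules="$1"; shift
    missing=0
    while [ $# -ge 2 ]; do
        if ! nat_rule_present "$rules" "$1" "$2"; then
            missing=$((missing + 1))
        fi
        shift 2
    done
    echo "$missing"
}

# Constructed sample of a loaded ruleset showing the boot-time symptom:
# only one of the three VPN gateways has its outbound NAT rule.
SAMPLE_RULES='no nat proto carp all
nat on ovpnc1 inet from <NordVPN> to any -> (ovpnc1) port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535'

# Read the live ruleset and reload the filter if anything is missing.
# Usage on the firewall (assumed names):
#   check_and_reload '<NordVPN>' ovpnc1 '<NordVPN>' ovpnc2 '<NordVPN>' ovpnc3
check_and_reload() {
    rules=$(pfctl -sn 2>/dev/null) || return 2
    n=$(count_missing "$rules" "$@")
    if [ "$n" -gt 0 ]; then
        echo "$n hybrid outbound NAT rule(s) missing after boot; reloading filter"
        /etc/rc.filter_configure
        return 1
    fi
    return 0
}
```

Run it from a boot-time hook (e.g. a shellcmd entry) a short while after the interfaces are up, so the check sees the final ruleset rather than an intermediate one.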



  • Hi,

    I also have the same issue. And I have almost the same setup as you.