NAT Outbound Separators (pls)

  • NAT Port Forward rule configurations allow users to specify separators to make it easy to sort the different rules you have, as well as to make readability easy. However, NAT Outbound rules do not have such functionality. At the moment I have around 90 outbound NAT rules, and management and readability are atrocious due to the lack of separators.

    Is it possible to include this within the webui? It doesn't seem like it should be too hard of a feature to add, but it would be extremely helpful.

  • Yes, I think it would be nice to have this feature both in Outbound NAT rules and DHCP Static mappings in the next update.

  • Rebel Alliance Developer Netgate

    Why so many outbound NAT rules? Sounds like something that could be cleaned up and made easier to read with aliases or better construction of the rules.

  • LAYER 8 Global Moderator

    Could you post up these 90 rules? That seems a bit over the top. Automatic rules group together all the subnets that are NATed to a specific interface, etc.

    Having a hard time coming up with a setup that would require so many, that couldn't be consolidated per jimp's comment, etc.

    While I would think separators should be possible, it's probably not going to get much attention, as normally outbound rules are very few in general, and more often than not can just be left on automatic vs. say a few hybrid rules for specifics like NATing to a VPN interface or something.

    Feature requests should really be done on redmine and you could then link to this thread for clarification and discussion, etc.

    If you don't mind could you post up these rules so we could discuss ways to make them easier to read, etc.

  • I'd prefer to avoid posting the NAT rules to prevent disclosing anything, but I can summarize a small example. I have disabled automatic outbound NAT rules, which I think is the main reason for needing so many. Additionally, each host needs to have each and every service white-listed. I suppose automatic outbound NAT could be used, but from a security standpoint I'm not too inclined to allow a free-for-all of any service simply being able to punch holes.

    For example, 3 of our IPFS nodes have three separate NICs on our local network with unique IP addresses. Each NIC is responsible for providing a few services:

    1. IPFS swarm ports
    2. IPFS gateway ports
    3. API ports

    That means each machine then needs a total of 3 NAT rules per port, for a total of 9 NAT rules per host. As there are three of these same hosts, that means 27 NAT rules need to be allocated.

    We have a few other services like:

    • STORJ nodes
    • I2P nodes
    • Ethereum nodes
    • Monero nodes
    • Bitcoin nodes

    I'll open up a feature request on redmine and investigate jimp's comment, but it seems strange that port forwarding has separators, while outbound has none. Let me know if I can provide any more information.

  • LAYER 8 Global Moderator

    Not sure why you think these all need different outbound NATs? Your machine could have 100 IPs; there only needs to be 1 outbound NAT for that.

    allow a free-for-all of any service simply being able to punch holes.

    Sounds like you're trying to use outbound NAT vs. a firewall rule. Yeah, that is NOT how you would do it!!

    If you don't want machine X to create outbound traffic, then 1 simple firewall rule would stop that. That has nothing to do with your outbound NAT settings.

  • Rebel Alliance Developer Netgate

    As @johnpoz said, NAT rules are not firewall rules. You do not control what a client can or cannot do with NAT rules, only how NAT is applied.

    If traffic gets far enough through your firewall that a NAT rule controls whether or not it exits successfully, your rules are not strict enough.

    And it's not a good practice even as a "belt and suspenders" redundant approach.

  • @johnpoz I have both outbound firewall rules and NAT rules in place. What I don't want is all traffic to be eligible for NAT, and this is the only way I can think of doing it.

    @jimp as per the comment above I have both firewall and NAT rules. I don't think a fair solution is to simply blanket all traffic coming from a host as being eligible for NAT. Without NAT rules like I have, I can't see any way to avoid setting up blanket catch all rules for NAT.

  • LAYER 8 Global Moderator

    @postables said in NAT Outbound Separators (pls):

    I have both outbound firewall rules

    And again, that is not how you should be doing it... You would create the rules at the interface where the traffic enters pfSense, not after it's already gone all the way through.

    Rules are evaluated as traffic enters the interface from the network it's connected to. First rule to trigger wins; no other rules are evaluated.

    Seems to me you haven't even breezed over any of the documentation..

    Outbound rules would only be needed in more oddball setups. If your servers are connected to LAN, then on the LAN interface allow or block what you want or don't want these machines to be able to do outbound.

  • @johnpoz I misspoke, I have rules on all my interfaces (WAN, LAN, OPT1+OPT2, IPsec, and OpenVPN).

    I find it awkward that the only solution for manageable NAT rules is to blanket all traffic from hosts as being NAT'able.

  • Banned

    You need to understand that NAT is not a firewall function, it's a crutch to work around the limited IPv4 space.

    If you block traffic at the interface it enters it will never reach the NAT state, as it is stopped at the earliest moment.

    You should really learn how networking works, it will make your work much easier.

  • Rebel Alliance Developer Netgate

    You can manage NAT rules just fine when you have them setup in a logical and useful way. Your usage of outbound NAT is not.

    If you want to take a two-fold approach, then block the traffic inbound on the local interfaces and then block it outbound using floating rules.

    If a packet passes but does not have NAT applied, the packet still leaves! It may even make it all the way to the destination, but not receive a reply. Can you not see how that is a potentially dangerous problem?

    NAT is not a firewall or access control.
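    The following is an added illustration of the ordering the replies above describe, not code from pfSense or from anyone in this thread: interface firewall rules are evaluated where the packet enters (first match wins), and outbound NAT is applied only to traffic that was already passed; a passed packet with no matching NAT rule still leaves, just untranslated. Subnets, ports and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str   # interface the packet arrives on
    out_if: str  # interface routing will send it out of


# Firewall rules per interface, evaluated in order; first match wins.
# Entries are (action, source network, destination port or None for any).
FIREWALL = {
    "lan": [
        ("pass", "10.0.0.0/24", 4001),   # only this service port may leave
        ("block", "10.0.0.0/24", None),  # everything else from that subnet
        ("pass", "10.0.1.0/24", None),   # constructed: subnet with no NAT rule
    ],
}

# Outbound NAT: (exit interface, source network, translated address).
# One rule per subnet and exit interface is all that is needed.
OUTBOUND_NAT = [("wan", "10.0.0.0/24", "203.0.113.10")]


def firewall_decision(pkt):
    """Evaluate the rules of the interface the packet enters on."""
    src = ip_address(pkt.src)
    for action, net, port in FIREWALL.get(pkt.in_if, []):
        if src in ip_network(net) and port in (None, pkt.dport):
            return action
    return "block"  # default deny when no rule matches


def apply_outbound_nat(pkt):
    """Return the source address the packet leaves with."""
    src = ip_address(pkt.src)
    for out_if, net, nat_addr in OUTBOUND_NAT:
        if out_if == pkt.out_if and src in ip_network(net):
            return nat_addr
    return pkt.src  # no NAT rule: the packet still leaves, untranslated


def process(pkt):
    """Firewall first; NAT is only consulted for traffic already passed."""
    if firewall_decision(pkt) != "pass":
        return ("blocked", None)
    return ("passed", apply_outbound_nat(pkt))
```

    Running `process()` on a packet from 10.0.1.7 shows the case jimp warns about: it is passed but leaves with its private source address because no NAT rule covers it.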

  • @grimson @jimp True, it would appear then that I'm going about this the wrong way. I will re-evaluate my NAT rules and firewall configurations.
