Outbound NAT is not enforced for the FW



  • Hi,

    Outbound NAT is not being enforced for the FW: instead of having my public IP address, I have 0.0.0.0.

    My test is to do an nslookup from my pfSense 2.4.4-RELEASE-p2:

    [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: nslookup
    > server 8.8.8.8
    Default server: 8.8.8.8
    Address: 8.8.8.8#53
    > yahoo.fr
    ;; connection timed out; no servers could be reached
    > yahoo.fr
    ;; connection timed out; no servers could be reached
    
    

    The source address is 0.0.0.0 instead of 212.129.XX.XX:

    [2.4.4-RELEASE][root@pf-msclab1.msc.lab]/root: tcpdump -nni vmx0 host 8.8.8.8 and not icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vmx0, link-type EN10MB (Ethernet), capture size 262144 bytes
    13:49:04.349084 IP 0.0.0.0.64958 > 8.8.8.8.53: 3921+ A? yahoo.fr. (26)
    13:49:11.874178 IP 0.0.0.0.33334 > 8.8.8.8.53: 9973+ A? yahoo.fr. (26)
    13:49:16.962297 IP 0.0.0.0.33334 > 8.8.8.8.53: 9973+ A? yahoo.fr. (26)
    

    Here is my NAT table:

    [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root:  grep tonatsubnets /tmp/rules.debug
    table <tonatsubnets> { 127.0.0.0/8 ::1/128 172.31.10.0/24 10.89.255.13/32 10.90.254.100/32 10.60.10.0/24 10.60.3.0/24 10.60.1.0/24 10.60.2.0/24 10.60.5.0/24 10.60.4.0/24 10.60.6.0/24 10.88.114.32/28 10.200.140.0/24 10.8.222.2 }
    nat on $WAN inet from <tonatsubnets> to any port 500 -> 212.129.XX.XX/32  static-port
    nat on $WAN inet6 from <tonatsubnets> to any port 500 -> 2001:xxx:xxxx:100::1/128  static-port
    nat on $WAN inet from <tonatsubnets> to any -> 212.129.XX.XX/32 port 1024:65535
    nat on $WAN inet6 from <tonatsubnets> to any -> 2001:xxx:xxxx:100::1/128 port 1024:65535
    [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: pfctl -sa | grep ^nat
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on vmx9.2003 inet from any to 10.60.3.65 -> 10.60.3.254 port 1024:65535
    nat on vmx9.2004 inet from any to 10.60.1.96 -> 10.60.1.254 port 1024:65535
    nat on vmx9.2004 inet from any to 10.60.1.42 -> 10.60.1.254 port 1024:65535
    nat on vmx9.2004 inet from any to 10.60.1.107 -> 10.60.1.254 port 1024:65535
    nat on vmx9.2004 inet from any to 10.60.1.121 -> 10.60.1.254 port 1024:65535
    nat on vmx9.2003 inet from any to 10.60.3.96 -> 10.60.3.254 port 1024:65535
    nat on vmx9.2003 inet from any to 10.60.3.30 -> 10.60.3.254 port 1024:65535
    nat on vmx9.2002 inet from 10.60.1.0/24 to 10.90.254.100 -> 10.88.114.34 port 1024:65535
    nat on vmx9.2002 inet from 10.60.1.0/24 to 10.89.255.13 -> 10.88.114.34 port 1024:65535
    nat on vmx0 inet from <tonatsubnets> to any port = isakmp -> 212.129.XX.XX static-port
    nat on vmx0 inet6 from <tonatsubnets> to any port = isakmp -> 2001:xxx:xxxx:100::1 static-port
    nat on vmx0 inet from <tonatsubnets> to any -> 212.129.XX.XX port 1024:65535
    nat on vmx0 inet6 from <tonatsubnets> to any -> 2001:xxx:xxxx:100::1 port 1024:65535
    [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: pfctl -t tonatsubnets -T show
       10.8.222.2
       10.60.1.0/24
       10.60.2.0/24
       10.60.3.0/24
       10.60.4.0/24
       10.60.5.0/24
       10.60.6.0/24
       10.60.10.0/24
       10.88.114.32/28
       10.89.255.13
       10.90.254.100
       10.200.140.0/24
       127.0.0.0/8
       172.31.10.0/24
       ::1
       
    [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: ifconfig vmx0
    vmx0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    	ether 00:50:56:01:78:9a
    	hwaddr 00:50:56:01:78:9a
    	inet6 fe80::250:56ff:fe01:789a%vmx0 prefixlen 64 scopeid 0x1
    	inet6 2001:xxx:xxxx:100::1 prefixlen 128
    	inet 212.129.xx.xx netmask 0xffffffff broadcast 212.129.xx.xx
    	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    	media: Ethernet autoselect
    	status: active
       
    [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: netstat -nr4
    Routing tables
    
    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            62.210.0.1         UGS        vmx0
    9.9.9.9            62.210.0.1         UGHS       vmx0
    10.8.222.1         link#23            UHS         lo0
    10.8.222.2         link#23            UH     ipsec300
    10.60.1.0/24       link#20            U      vmx9.200
    10.60.1.254        link#20            UHS         lo0
    10.60.2.0/24       link#19            U      vmx9.200
    10.60.2.254        link#19            UHS         lo0
    10.60.3.0/24       link#21            U      vmx9.200
    10.60.3.254        link#21            UHS         lo0
    10.60.4.0/24       link#18            U      vmx9.200
    10.60.4.254        link#18            UHS         lo0
    10.60.5.0/24       link#16            U      vmx9.200
    10.60.5.254        link#16            UHS         lo0
    10.60.6.0/24       link#17            U      vmx9.200
    10.60.6.254        link#17            UHS         lo0
    10.60.10.0/24      link#22            U      vmx9.201
    10.60.10.254       link#22            UHS         lo0
    10.88.114.32/28    link#15            U      vmx9.200
    10.88.114.34       link#15            UHS         lo0
    10.89.255.13/32    10.88.114.33       UGS    vmx9.200
    10.90.254.100/32   10.88.114.33       UGS    vmx9.200
    10.200.140.0/24    link#2             U          vmx1
    10.200.140.1       link#2             UHS         lo0
    37.71.xx.xx        62.210.0.1         UGHS       vmx0
    37.71.xx.xx        62.210.0.1         UGHS       vmx0
    62.210.xx.xx       00:50:56:01:78:9a  UHS        vmx0
    62.210.xx.xx       62.210.0.1         UGHS       vmx0
    86.194.xx.xx       62.210.0.1         UGHS       vmx0
    91.243.xx.xx       62.210.0.1         UGHS       vmx0
    91.243.xx.xx       62.210.0.1         UGHS       vmx0
    127.0.0.1          link#12            UH          lo0
    149.112.xx.xx      62.210.0.1         UGHS       vmx0
    172.31.10.0/24     10.8.222.2         UGS    ipsec300
    212.129.xx.xx      62.210.0.1         UGHS       vmx0
    212.129.xx.xx      link#1             UHS         lo0
    212.129.xx.xx/32   link#1             U          vmx0
    

    Thanks for the help

    fred
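One thing the output above makes checkable without guessing at the root cause: pf's `nat` rules only rewrite packets whose source matches the rule's source list, and the rules here all use `from <tonatsubnets>`. An address of 0.0.0.0 is not covered by any entry in that table, so the rules as written cannot translate it, whatever is causing the firewall to pick that source in the first place. The script below is an added example (not code from the post or from the pfSense project) that parses the `table` and `nat` lines in the `/tmp/rules.debug` format shown, parses tcpdump lines in the format shown, and reports which rule, if any, would translate each observed source. The input is constructed: the table is copied from the post, `203.0.113.1` stands in for the masked `212.129.XX.XX`, and the packet lines are modelled on the tcpdump output (the third one, an IKE packet from a LAN host, is added to exercise the `port 500` rule).

```python
"""For each source address seen in a tcpdump capture, report which outbound
NAT rule from pfSense's /tmp/rules.debug would translate it, if any.

Added example for the thread above, not pfSense project code. All input is
constructed: the table is copied from the post, 203.0.113.1 replaces the
masked 212.129.XX.XX, and the packets are modelled on the post's capture."""
import ipaddress
import re

RULES_DEBUG = """\
table <tonatsubnets> { 127.0.0.0/8 ::1/128 172.31.10.0/24 10.89.255.13/32 10.90.254.100/32 10.60.10.0/24 10.60.3.0/24 10.60.1.0/24 10.60.2.0/24 10.60.5.0/24 10.60.4.0/24 10.60.6.0/24 10.88.114.32/28 10.200.140.0/24 10.8.222.2 }
nat on $WAN inet from <tonatsubnets> to any port 500 -> 203.0.113.1/32  static-port
nat on $WAN inet from <tonatsubnets> to any -> 203.0.113.1/32 port 1024:65535
"""

# Constructed packets: the firewall's own DNS query with source 0.0.0.0 (as in
# the post), a DNS query from a LAN host, and an IKE packet from a LAN host.
TCPDUMP = """\
13:49:04.349084 IP 0.0.0.0.64958 > 8.8.8.8.53: 3921+ A? yahoo.fr. (26)
13:49:11.874178 IP 10.60.1.42.33334 > 8.8.8.8.53: 9973+ A? yahoo.fr. (26)
13:49:20.000000 IP 10.60.3.30.500 > 198.51.100.7.500: isakmp: phase 1 I ident
"""

TABLE_RE = re.compile(r"table <(?P<name>\w+)> \{(?P<body>[^}]*)\}")
NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+) (?P<af>inet6?) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?P<sport>\S+))? -> (?P<target>\S+)"
)
PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_tables(text):
    """Map table name -> list of networks; a bare address such as 10.8.222.2 becomes a /32."""
    tables = {}
    for m in TABLE_RE.finditer(text):
        tables[m.group("name")] = [
            ipaddress.ip_network(entry, strict=False) for entry in m.group("body").split()
        ]
    return tables


def parse_nat_rules(text):
    """Return nat rules in file order; pf applies the first one that matches."""
    return [m.groupdict() for m in (NAT_RE.match(line) for line in text.splitlines()) if m]


def parse_packets(text):
    """Extract IPv4 source/destination and ports from tcpdump -nn lines."""
    return [m.groupdict() for m in (PKT_RE.search(line) for line in text.splitlines()) if m]


def source_matches(rule, ip, tables):
    """True if the rule's 'from' clause (any, <table> or a prefix) covers ip."""
    src = rule["src"]
    if src == "any":
        return True
    if src.startswith("<"):
        # An IPv4 address is never 'in' an IPv6 network, so mixed tables are safe.
        return any(ip in net for net in tables.get(src.strip("<>"), []))
    return ip in ipaddress.ip_network(src, strict=False)


def translation_for(src, sport, rules, tables, iface="$WAN"):
    """Translation address pf would apply on iface, or None if no nat rule matches."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule["iface"] != iface:
            continue
        if (rule["af"] == "inet") != (ip.version == 4):
            continue
        if rule["sport"] and rule["sport"] != sport:  # e.g. the 'port 500' IKE rule
            continue
        if source_matches(rule, ip, tables):
            return rule["target"].split("/")[0]
    return None


def audit(rules_debug, tcpdump):
    """Pair every captured source with the NAT address it would get (None = untranslated)."""
    tables = parse_tables(rules_debug)
    rules = parse_nat_rules(rules_debug)
    return [
        (p["src"], translation_for(p["src"], p["sport"], rules, tables))
        for p in parse_packets(tcpdump)
    ]


if __name__ == "__main__":
    for src, target in audit(RULES_DEBUG, TCPDUMP):
        print(f"{src:16} -> {target or 'NO NAT RULE MATCHES'}")
```

Run against the constructed input, the LAN sources get `203.0.113.1` (the IKE packet via the `port 500` static-port rule, the DNS query via the general rule), while `0.0.0.0` matches nothing and would leave the WAN untranslated, which is exactly what the capture in the post shows. The same parser works on a real `/tmp/rules.debug` and `tcpdump -nn` output; anything reported as untranslated on the WAN side is worth looking at, since such packets leak an internal or invalid source onto the upstream.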

