Netgate Discussion Forum

    Outbound NAT is not enforced for the FW

    fredlubrano

      Hi,

      Outbound NAT is not being enforced for the FW: instead of having my public IP address, I have 0.0.0.0.

      My test is to do an nslookup from my pfSense 2.4.4-RELEASE-p2:

      [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: nslookup
      > server 8.8.8.8
      Default server: 8.8.8.8
      Address: 8.8.8.8#53
      > yahoo.fr
      ;; connection timed out; no servers could be reached
      > yahoo.fr
      ;; connection timed out; no servers could be reached
      
      

      The source address is 0.0.0.0 instead of 212.129.XX.XX:

      [2.4.4-RELEASE][root@pf-msclab1.msc.lab]/root: tcpdump -nni vmx0 host 8.8.8.8 and not icmp
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on vmx0, link-type EN10MB (Ethernet), capture size 262144 bytes
      13:49:04.349084 IP 0.0.0.0.64958 > 8.8.8.8.53: 3921+ A? yahoo.fr. (26)
      13:49:11.874178 IP 0.0.0.0.33334 > 8.8.8.8.53: 9973+ A? yahoo.fr. (26)
      13:49:16.962297 IP 0.0.0.0.33334 > 8.8.8.8.53: 9973+ A? yahoo.fr. (26)
      

      Here is my NAT table:

      [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root:  grep tonatsubnets /tmp/rules.debug
      table <tonatsubnets> { 127.0.0.0/8 ::1/128 172.31.10.0/24 10.89.255.13/32 10.90.254.100/32 10.60.10.0/24 10.60.3.0/24 10.60.1.0/24 10.60.2.0/24 10.60.5.0/24 10.60.4.0/24 10.60.6.0/24 10.88.114.32/28 10.200.140.0/24 10.8.222.2 }
      nat on $WAN inet from <tonatsubnets> to any port 500 -> 212.129.XX.XX/32  static-port
      nat on $WAN inet6 from <tonatsubnets> to any port 500 -> 2001:xxx:xxxx:100::1/128  static-port
      nat on $WAN inet from <tonatsubnets> to any -> 212.129.XX.XX/32 port 1024:65535
      nat on $WAN inet6 from <tonatsubnets> to any -> 2001:xxx:xxxx:100::1/128 port 1024:65535
      [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: pfctl -sa | grep ^nat
      nat-anchor "natearly/*" all
      nat-anchor "natrules/*" all
      nat on vmx9.2003 inet from any to 10.60.3.65 -> 10.60.3.254 port 1024:65535
      nat on vmx9.2004 inet from any to 10.60.1.96 -> 10.60.1.254 port 1024:65535
      nat on vmx9.2004 inet from any to 10.60.1.42 -> 10.60.1.254 port 1024:65535
      nat on vmx9.2004 inet from any to 10.60.1.107 -> 10.60.1.254 port 1024:65535
      nat on vmx9.2004 inet from any to 10.60.1.121 -> 10.60.1.254 port 1024:65535
      nat on vmx9.2003 inet from any to 10.60.3.96 -> 10.60.3.254 port 1024:65535
      nat on vmx9.2003 inet from any to 10.60.3.30 -> 10.60.3.254 port 1024:65535
      nat on vmx9.2002 inet from 10.60.1.0/24 to 10.90.254.100 -> 10.88.114.34 port 1024:65535
      nat on vmx9.2002 inet from 10.60.1.0/24 to 10.89.255.13 -> 10.88.114.34 port 1024:65535
      nat on vmx0 inet from <tonatsubnets> to any port = isakmp -> 212.129.XX.XX static-port
      nat on vmx0 inet6 from <tonatsubnets> to any port = isakmp -> 2001:xxx:xxxx:100::1 static-port
      nat on vmx0 inet from <tonatsubnets> to any -> 212.129.XX.XX port 1024:65535
      nat on vmx0 inet6 from <tonatsubnets> to any -> 2001:xxx:xxxx:100::1 port 1024:65535
      [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: pfctl -t tonatsubnets -T show
         10.8.222.2
         10.60.1.0/24
         10.60.2.0/24
         10.60.3.0/24
         10.60.4.0/24
         10.60.5.0/24
         10.60.6.0/24
         10.60.10.0/24
         10.88.114.32/28
         10.89.255.13
         10.90.254.100
         10.200.140.0/24
         127.0.0.0/8
         172.31.10.0/24
         ::1
         
      [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: ifconfig vmx0
      vmx0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
      	ether 00:50:56:01:78:9a
      	hwaddr 00:50:56:01:78:9a
      	inet6 fe80::250:56ff:fe01:789a%vmx0 prefixlen 64 scopeid 0x1
      	inet6 2001:xxx:xxxx:100::1 prefixlen 128
      	inet 212.129.xx.xx netmask 0xffffffff broadcast 212.129.xx.xx
      	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
      	media: Ethernet autoselect
      	status: active
         
      [2.4.4-RELEASE][admin@pf-msclab1.msc.lab]/root: netstat -nr4
      Routing tables
      
      Internet:
      Destination        Gateway            Flags     Netif Expire
      default            62.210.0.1         UGS        vmx0
      9.9.9.9            62.210.0.1         UGHS       vmx0
      10.8.222.1         link#23            UHS         lo0
      10.8.222.2         link#23            UH     ipsec300
      10.60.1.0/24       link#20            U      vmx9.200
      10.60.1.254        link#20            UHS         lo0
      10.60.2.0/24       link#19            U      vmx9.200
      10.60.2.254        link#19            UHS         lo0
      10.60.3.0/24       link#21            U      vmx9.200
      10.60.3.254        link#21            UHS         lo0
      10.60.4.0/24       link#18            U      vmx9.200
      10.60.4.254        link#18            UHS         lo0
      10.60.5.0/24       link#16            U      vmx9.200
      10.60.5.254        link#16            UHS         lo0
      10.60.6.0/24       link#17            U      vmx9.200
      10.60.6.254        link#17            UHS         lo0
      10.60.10.0/24      link#22            U      vmx9.201
      10.60.10.254       link#22            UHS         lo0
      10.88.114.32/28    link#15            U      vmx9.200
      10.88.114.34       link#15            UHS         lo0
      10.89.255.13/32    10.88.114.33       UGS    vmx9.200
      10.90.254.100/32   10.88.114.33       UGS    vmx9.200
      10.200.140.0/24    link#2             U          vmx1
      10.200.140.1       link#2             UHS         lo0
      37.71.xx.xx        62.210.0.1         UGHS       vmx0
      37.71.xx.xx        62.210.0.1         UGHS       vmx0
      62.210.xx.xx       00:50:56:01:78:9a  UHS        vmx0
      62.210.xx.xx       62.210.0.1         UGHS       vmx0
      86.194.xx.xx       62.210.0.1         UGHS       vmx0
      91.243.xx.xx       62.210.0.1         UGHS       vmx0
      91.243.xx.xx       62.210.0.1         UGHS       vmx0
      127.0.0.1          link#12            UH          lo0
      149.112.xx.xx      62.210.0.1         UGHS       vmx0
      172.31.10.0/24     10.8.222.2         UGS    ipsec300
      212.129.xx.xx      62.210.0.1         UGHS       vmx0
      212.129.xx.xx      link#1             UHS         lo0
      212.129.xx.xx/32   link#1             U          vmx0
      

      Thanks for the help

      fred
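A quick way to check what the rules shown in the post would do with a given packet, added here as an example (it is not pfSense code and not the poster's own): it parses the `pfctl -t tonatsubnets -T show` listing and the two IPv4 `nat on vmx0` rules copied from the post into a minimal model of pf's first-match NAT evaluation, and reports which rule (if any) would translate a packet with a given source, destination and port. Run against the captured source 0.0.0.0 it confirms that that address is not covered by `<tonatsubnets>` at all, so neither WAN rule matches, which is consistent with the untranslated packets in the tcpdump output. The masked translation address is kept exactly as printed on the page; the service-name map is an assumption covering only the names that appear in the rules.

```python
"""Model pf's first-match outbound NAT evaluation against the post's table and rules.

Added example for the post above; it is not pfSense code.
"""
import ipaddress
import re

# Constructed from the post's `pfctl -t tonatsubnets -T show` output.
TABLE_OUTPUT = """
   10.8.222.2
   10.60.1.0/24
   10.60.2.0/24
   10.60.3.0/24
   10.60.4.0/24
   10.60.5.0/24
   10.60.6.0/24
   10.60.10.0/24
   10.88.114.32/28
   10.89.255.13
   10.90.254.100
   10.200.140.0/24
   127.0.0.0/8
   172.31.10.0/24
   ::1
"""

# The IPv4 WAN (vmx0) rules from the post's `pfctl -sa | grep ^nat` output;
# the translation address is left masked as it appears on the page.
NAT_RULES = """
nat on vmx0 inet from <tonatsubnets> to any port = isakmp -> 212.129.XX.XX static-port
nat on vmx0 inet from <tonatsubnets> to any -> 212.129.XX.XX port 1024:65535
"""

RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) (?P<af>inet6?) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\S+))? -> (?P<target>\S+)"
)
# Assumed mapping for the service names pfctl prints in place of port numbers.
SERVICE_PORTS = {"isakmp": 500, "domain": 53}


def load_table(text):
    """Parse `pfctl -T show` output into ip_network objects (hosts become /32 or /128)."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def address_matches(spec, ip, tables):
    """Evaluate a pf address spec: `any`, a `<table>` reference, or a literal network."""
    if spec == "any":
        return True
    if spec.startswith("<") and spec.endswith(">"):
        # Membership test; address-family mismatches simply fail to match.
        return any(ip in net for net in tables[spec[1:-1]])
    return ip in ipaddress.ip_network(spec, strict=False)


def parse_rules(text):
    """Extract iface, address family, src/dst specs, optional port and target."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def matching_rule(src, dst, dst_port, rules, tables):
    """Return the first nat rule that matches the packet (pf nat is first-match), else None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (src_ip.version == 6) != (rule["af"] == "inet6"):
            continue
        if not address_matches(rule["src"], src_ip, tables):
            continue
        if not address_matches(rule["dst"], dst_ip, tables):
            continue
        if rule["port"] is not None:
            port = SERVICE_PORTS.get(rule["port"], rule["port"])
            if int(port) != dst_port:
                continue
        return rule
    return None


TABLES = {"tonatsubnets": load_table(TABLE_OUTPUT)}
RULES = parse_rules(NAT_RULES)


def translated_source(src, dst, dst_port):
    """Translation address the WAN NAT would apply, or None when no rule matches."""
    rule = matching_rule(src, dst, dst_port, RULES, TABLES)
    return rule["target"] if rule else None


if __name__ == "__main__":
    # 0.0.0.0 (the source seen in the capture) is in none of the table's networks.
    for src in ("0.0.0.0", "10.60.1.10", "127.0.0.1"):
        print(src, "->", translated_source(src, "8.8.8.8", 53))
```

The same check can be pointed at any other `pfctl -T show` listing and rule set; the useful output is the negative case, where the first thing to establish is whether the source address on the wire is one the outbound NAT rules were ever written to cover.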

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.