Netgate Discussion Forum

    NAT Inbound Does Not Create Outbound Rule

    11 Posts 3 Posters 979 Views
    • pitchfork (last edited by pitchfork)

      I created a NAT rule for a single port:

      (screenshot of the NAT rule)

      So that inbound requests on the .203 public IP on this specific port get sent to the 10.10.10.103 LAN address.

      But the outbound rule did not get created, and if I use a service to get my public IP inside the .103 container I do not get the .203 public IP.

      Do I need to use NAT reflection or ... ?

      • Derelict, LAYER 8, Netgate (last edited by Derelict)

        Port forwards are for connections coming inbound

        Outbound NAT rules are for connections going outbound.

        Set hybrid mode in Firewall > NAT, Outbound and make a rule matching the traffic based on whatever criteria works for you (source address, dest address/port, etc) and set the desired WAN address as the NAT address there.

        1:1 NAT would automatically do both but it's a bigger hammer and affects all ports unless excluded by specific port forwards, etc.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • pitchfork @Derelict

          Thanks, @Derelict.

          I could set it to hybrid and create a manual outbound rule, but shouldn't it work (create a rule) when in the default mode?

          • Derelict, LAYER 8, Netgate (last edited by Derelict)

            Shouldn't what work if you create a rule where in what default mode?


            • pitchfork @Derelict

              @Derelict If I create an inbound NAT rule, and Outbound NAT is set to Auto/Default mode, shouldn't a matching Outbound rule be created for the Inbound rule?

              • johnpoz, LAYER 8, Global Moderator (last edited by johnpoz)

                If you create a port forward using a vip as the destination, the return traffic would be returned using that IP.. But unsolicited traffic going out from your lan would use the ip based upon the outbound rules.. No your outbound automatic rules are not going to be adjusted based upon a single port forward.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • pitchfork

                  @johnpoz thanks. I switched to hybrid mode and I created a manual rule.

                  Let me explain in more detail what I am trying to accomplish.

                  I have a /29 from the host. pfsense (a proxmox guest) is on the .202.
                  I want to use .203 thru .206 for containers.

                  The container on 10.10.10.103 should accept incoming requests from the internet on port 9000.
                  This container also makes requests to other hosts on the internet on destination port 9000.
                  I need this container's outbound requests to go out via public IP .203. This public IP will be shared with other containers, but none will use port 9000.

                  I would also like to have this container make requests on 80 and 443 using .203. Any other requests can go via the default IP (.202).

                  The port alias is set to 80,443,9000.
                  For .203, I created a VIP https://i.imgur.com/DCQbiXx.png
                  Then a port forward rule https://i.imgur.com/JHwPM1o.png (with an auto created WAN FW rule)
                  with an outbound NAT (set to hybrid mode): https://i.imgur.com/vw5IzA1.png

                  I've tried different configs (incl 'other' and 'ip alias' for the vip) but I either get out via .202 (curl ifconfig.co) or I can't get out at all.
                  What am I missing here?!

                  • Derelict, LAYER 8, Netgate (last edited by Derelict)

                    Are the containers on a bridge that sits behind pfsense? Is the pfSense inside interface the default gateway for these containers?

                    If so, you have two choices:

                    1:1 NAT:

                    Make an IP Alias VIP on the pfSense WAN for .203/32
                    Make a 1:1 NAT entry for .203 on the outside and 10.10.10.103 on the inside.
                    Make firewall rules that pass the desired traffic on the desired ports to 10.10.10.103
                    With 1:1 NAT, outbound NAT will be automatic and, by default, all connections made to the outside will be sourced from .203

                    Port forwarding:

                    Make an IP Alias VIP on the pfSense WAN for .203/32
                    Make port forward rules for the desired ports
                    Be sure you have firewall rules on WAN passing the desired ports to 10.10.10.103. The port forward entry can automatically make these rules (recommended).
                    With port forwards, outbound NAT is not automatic (because it deals only with inbound connections) so you also have to make an outbound NAT rule telling pfSense to NAT all connections coming from source 10.10.10.103 to .206.

                    That's all there is to it. Not sure what the stumbling block is.


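The behaviour johnpoz and Derelict describe above, as an added illustration that is not part of the thread or of pfSense itself: a simplified Python model of how pf picks the source address of a connection leaving WAN. Reply packets of a port forward reuse the VIP recorded in the inbound state; new outbound connections are matched first-match against the outbound NAT rules, where automatic mode only produces "LAN net to WAN address" and hybrid mode puts the manual rules first. The 203.0.113.x addresses are constructed stand-ins for the thread's .202 and .203.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed stand-ins (RFC 5737) for the thread's .202 WAN address and .203 VIP.
WAN_ADDR = "203.0.113.202"
VIP_203 = "203.0.113.203"
LAN_NET = "10.10.10.0/24"
CONTAINER = "10.10.10.103"


@dataclass
class OutboundRule:
    source: str                            # host or CIDR the rule matches
    nat_address: str                       # address the traffic is translated to
    dst_ports: Optional[FrozenSet[int]] = None  # None = any destination port (models a port alias)


def matches(rule: OutboundRule, src_ip: str, dst_port: int) -> bool:
    net = ipaddress.ip_network(rule.source, strict=False)
    if ipaddress.ip_address(src_ip) not in net:
        return False
    return rule.dst_ports is None or dst_port in rule.dst_ports


def automatic_rules() -> List[OutboundRule]:
    # Automatic outbound NAT: each internal network is translated to the WAN address.
    # A port forward adds nothing here, which is the point of the thread.
    return [OutboundRule(LAN_NET, WAN_ADDR)]


def hybrid_rules(manual: List[OutboundRule]) -> List[OutboundRule]:
    # Hybrid mode: manual rules are evaluated before the automatic ones.
    return manual + automatic_rules()


def outbound_source(rules: List[OutboundRule], src_ip: str, dst_port: int) -> str:
    # First matching outbound NAT rule wins; no match means no translation.
    for rule in rules:
        if matches(rule, src_ip, dst_port):
            return rule.nat_address
    return src_ip


def port_forward_reply_source(forward_dst_vip: str) -> str:
    # Replies to an inbound port forward are un-translated by the state created
    # on the way in, so they leave with the VIP the connection arrived on.
    return forward_dst_vip


def demo() -> dict:
    manual = [OutboundRule(CONTAINER, VIP_203, frozenset({80, 443, 9000}))]
    return {
        "auto_9000": outbound_source(automatic_rules(), CONTAINER, 9000),
        "hybrid_9000": outbound_source(hybrid_rules(manual), CONTAINER, 9000),
        "hybrid_22": outbound_source(hybrid_rules(manual), CONTAINER, 22),
        "reply": port_forward_reply_source(VIP_203),
    }
```

Running `demo()` shows the container leaving as .202 under automatic rules even though the port forward exists, as .203 for the aliased ports once the hybrid rule is in place, and back to .202 for any other port.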
                    • Derelict, LAYER 8, Netgate @pitchfork

                      @pitchfork said in NAT Inbound Does Not Create Outbound Rule:

                      @Derelict If I create an inbound NAT rule, and Outbound NAT is set to Auto/Default mode, shouldn't a matching Outbound rule be created for the Inbound rule?

                      No.


                      • pitchfork @Derelict

                        Thanks @Derelict! pfSense is the default gateway and the containers are on a bridge to vmbr1 (Proxmox LAN) / vtnet1 (pfSense LAN).

                        I got it to work now. Nothing changed except that I restarted the entire machine. Does adding virtual IPs require a pfSense or Proxmox restart?

                        • Derelict, LAYER 8, Netgate

                          @pitchfork said in NAT Inbound Does Not Create Outbound Rule:

                          does adding virtual IPs require a pfsense or proxmox restart?

                          No.


                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.