NAT Inbound Does Not Create Outbound Rule

pitchfork

I created a NAT rule for a single port:

So that inbound requests on the .203 public IP on this specific port get sent to the 10.10.10.103 LAN address.

But the outbound rule did not get created, and if I use a service to get my public IP inside the .103 container I do not get the .203 public IP

Do I need to use NAT reflection or ... ?

Derelict

Port forwards are for connections coming inbound

Outbound NAT rules are for connections going outbound.

Set hybrid mode in Firewall > NAT, Outbound and make a rule matching the traffic based on whatever criteria works for you (source address, dest address/port, etc) and set the desired WAN address as the NAT address there.

1:1 NAT would automatically do both but it's a bigger hammer and affects all ports unless excluded by specific port forwards, etc.

pitchfork

Thanks, @Derelict.

I could set it to hybrid and create a manual outbound rule, but shouldn't it work (create a rule) when in the default mode?

Derelict

Shouldn't what work if you create a rule where in what default mode?

pitchfork

@Derelict If I create an inbound NAT rule, and Outbound NAT is set to Auto/Default mode, shouldn't a matching Outbound rule be created for the Inbound rule?

johnpoz

If you create a port forward using a vip as the destination, the return traffic would be returned using that IP.. But unsolicited traffic going out from your lan would use the ip based upon the outbound rules.. No your outbound automatic rules are not going to be adjusted based upon a single port forward.

pitchfork

@johnpoz thanks. I switched to hybrid mode and I created a manual rule.

let me explain in more detail what I am trying to accomplish

I have a /29 from the host. pfsense (a proxmox guest) is on the .202.
I want to use .203 thru .206 for containers.

The container on 10.10.10.103 should accept incoming requests from the internet on port 9000.
This container also makes requests to other hosts on the internet on destination port 9000.
I need this container's outbound requests to go out via public IP .203. This public IP will be shared with other containers, but none will use port 9000.

I would also like to have this container request from 80 and 443 using .203. any other requests can be via the default IP (.202)

The port alias is set to 80,443,9000.
For .203, i created a VIP https://i.imgur.com/DCQbiXx.png
Then a port forward rule https://i.imgur.com/JHwPM1o.png (with an auto created WAN FW rule)
with an outbound NAT (set to hybrid mode): https://i.imgur.com/vw5IzA1.png

I've tried different configs (incl 'other' and 'ip alias' for the vip) but I either get out via .202 (curl ifconfig.co) or I can't get out at all.
What I am missing here?!

Derelict

Are the containers on a bridge that sits behind pfsense? Is the pfSense inside interface the default gateway for these containers?

If so, you have two choices:

1:1 NAT

Make an IP Alias VIP on the pfSense WAN for .203/32
Make a 1:1 NAT entry for .203 on the outside and 10.10.10.103 on the inside.
Make firewall rules that pass the desired traffic on the desired ports to 10.10.10.103
With 1:1 NAT, outbound NAT will be automatic and, by default, all connections made to the outside will be sourced from .203

Port forwarding:

Make an IP Alias VIP on the pfSense WAN for .203/32
Make port forward rules for the desired ports
Be sure you have firewall rules on WAN passing the desired ports to 10.10.10.103. The port forward entry can automatically make these rules (recommended).
With port forwards, outbound NAT is not automatic (because it deals only with inbound connections) so you also have to make an outbound NAT rule telling pfSense to NAT all connections coming from source 10.10.10.103 to .206.

That's all there is to it. Not sure what the stumbling block is.

Derelict

@pitchfork said in NAT Inbound Does Not Create Outbound Rule:

@Derelict If I create an inbound NAT rule, and Outbound NAT is set to Auto/Default mode, shouldn't a matching Outbound rule be created for the Inbound rule?

No.

pitchfork

Thanks @Derelict! pfsense is the default gateway and the containers are on a bridge to vmbr1 (proxmox LAN )/vtnet1 (pfsense LAN)

i got it to work now. nothing changed except that I restarted the entire machine. does adding virtual IPs require a pfsense or proxmox restart?

Derelict

@pitchfork said in NAT Inbound Does Not Create Outbound Rule:

does adding virtual IPs require a pfsense or proxmox restart?

No.