Help Cleaning Up an Outbound NAT Rule Mess



  • Hey all,

    I recently configured a few new VLANs, all of which need to access the WAN. Even though I have "Manual Outbound NAT rule generation" checked, it seems like something went haywire and created a ton of outbound rules, most of which I am convinced I don't need.

    There are a ton of ISAKMP rules, and rules originating from localhost IP which I am not quite sure what they do.

    Between this and my rule for OpenVPN this has gotten a bit confusing.

    Could anyone please do me a favor and give me a list of what all default vanilla outbound rules look like on a fresh pfSense install using IPv4 and no VLANs?

    I feel like if I have a thorough understanding of what that looks like, I can much more easily clean up this mess.

    Also, does anyone know why rules are being generated while in manual mode? It seems a bit counter-intuitive, but I have probably misunderstood something.

    Thanks,
    Matt


  • LAYER 8 Global Moderator

    @mattlach said in Help Cleaning Up an Outbound NAT Rule Mess:

    Also, does anyone know why rules are being generated while in manual mode?

    They wouldn't be - but what would happen is, if you switch from auto to manual, all the rules would be converted from the auto rules to manual rules.

    Why are you using manual? There is almost zero reason to use manual, especially if you are not up to speed on what rules you would actually need.

    I would suggest you delete all the rules and switch back to auto. If you need to make adjustments, switch to hybrid mode.



    @johnpoz said in Help Cleaning Up an Outbound NAT Rule Mess:

    Why are you using manual? There is almost zero reason to use manual, especially if you are not up to speed on what rules you would actually need.

    I'm a bit of a layman, not an expert, but enough of a power user that I figure I can learn what I need to know with a little help from the community forums.

    I have my pfSense router route most of my traffic through a remote VPN, so I needed to create an outbound rule for the OpenVPN connection, and it has been in manual mode ever since.

    I feel fairly certain that if I deleted the rules and went automatic, I'd break my OpenVPN configuration, and I'd prefer not to do that. (I could back up the config and try it, and see what happens, but I am reluctant to go offline right now)

    @johnpoz said in Help Cleaning Up an Outbound NAT Rule Mess:

    They wouldn't be - but what would happen is, if you switch from auto to manual, all the rules would be converted from the auto rules to manual rules.

    There are definitely a bunch of Outbound NAT rules here related to the VLANs and associated networks I just created a couple of hours ago, and it's been in manual mode for years.

    I feel like if I had a view of what the vanilla rules looked like on a fresh install, I could easily figure out which belong and which don't and clean it up.


  • LAYER 8 Global Moderator

    @mattlach said in Help Cleaning Up an Outbound NAT Rule Mess:

    needed to create an outbound rule for the OpenVPN connection

    All you need for that is a hybrid rule.

    Well, post them up and I can take a look... But again, you sure do not need manual to do outbound NATting for a VPN.

    outbound.jpg

    Example there is mine - see the one outbound for ns1vpn - that NATs traffic out a VPN when the policy route is set up.



    @johnpoz said in Help Cleaning Up an Outbound NAT Rule Mess:

    @mattlach said in Help Cleaning Up an Outbound NAT Rule Mess:

    needed to create an outbound rule for the OpenVPN connection

    All you need for that is a hybrid rule.

    Well, post them up and I can take a look... But again, you sure do not need manual to do outbound NATting for a VPN.

    outbound.jpg

    Example there is mine - see the one outbound for ns1vpn - that NATs traffic out a VPN when the policy route is set up.

    Thank you.

    Hmm.

    If I just switch back to hybrid, will it sort out all of the auto rules, or do I need to delete everything first?

    I'm guessing I could delete all rules except the one I created for OpenVPN, and then switch it to hybrid and hit apply?

    Is that the approach you would take?

    I'm not in a production system, but between all of us working from home and the kids being home, it sometimes feels like it. I can save my current config (which works, but is ugly) later tonight and try going to hybrid mode...

    I can always restore if it doesn't work.


  • LAYER 8 Global Moderator

    Yeah, that should work - worst case, just take a screenshot ;) Then you can always look to see how your outbound NAT for the VPN is set up.. But they are pretty easy to just create on the fly if it goes away.

    Hybrid is just cleaner to look at for starters ;) vs all those individual manual ones ;)



    @johnpoz said in Help Cleaning Up an Outbound NAT Rule Mess:

    Yeah, that should work - worst case, just take a screenshot ;) Then you can always look to see how your outbound NAT for the VPN is set up.. But they are pretty easy to just create on the fly if it goes away.

    Hybrid is just cleaner to look at for starters ;) vs all those individual manual ones ;)

    OK. Just to be clear, do you suggest I delete the manual rules first, then switch to Hybrid, or just switch to hybrid and see what happens?

    Again, appreciate all the help.


  • LAYER 8 Global Moderator

    When you switch to auto or hybrid your manual rules will be left there, I believe... I would take a screenshot of, say, your VPN one.. And then just delete them all and set to auto.. Let it create all the auto rules, then switch it to hybrid and create your outbound NAT for your VPN.



    @johnpoz said in Help Cleaning Up an Outbound NAT Rule Mess:

    When you switch to auto or hybrid your manual rules will be left there, I believe... I would take a screenshot of, say, your VPN one.. And then just delete them all and set to auto.. Let it create all the auto rules, then switch it to hybrid and create your outbound NAT for your VPN.

    Thanks so much for all your help.

    I did as suggested.

    1.) Save config backup just in case.

    2.) Screenshot Outgoing NAT VPN Rule

    3.) Delete all Outgoing NAT rules

    4.) Switch to Automatic, and hit save.

    5.) Switch to hybrid, and hit save.

    6.) Recreate Outgoing NAT rule for VPN from screenshot.

    Everything appears to be working perfectly, and is much cleaner now.

    Thank you!
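Step 1 of that procedure (a config backup) gives you something you can inspect before deleting anything. The script below is an added example, not part of this thread or of pfSense itself: it reads the `<nat><outbound>` section of a config.xml backup, reports the NAT mode, and sorts the rules into the auto-generated ISAKMP rules, the localhost rules, the other auto-created rules, and the hand-made ones you would want to screenshot and recreate in hybrid mode. The embedded XML fragment is constructed for illustration; the element names (`mode`, `rule`, `source/network`, `sourceport`, `staticnatport`, `descr`) reflect my understanding of the config.xml layout and the `ovpnc1` interface name is made up, so compare against your own backup before relying on the classification.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of the <nat><outbound> section of a pfSense config.xml
# backup, as it might look after automatic rules were converted to manual
# ("advanced") mode and one hand-made rule was added for a VPN client
# interface. Element names are an assumption about the config layout.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule>
        <source><network>127.0.0.0/8</network></source>
        <sourceport>500</sourceport>
        <descr><![CDATA[Auto created rule for ISAKMP - localhost to WAN]]></descr>
        <interface>wan</interface>
        <staticnatport></staticnatport>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>127.0.0.0/8</network></source>
        <descr><![CDATA[Auto created rule - localhost to WAN]]></descr>
        <interface>wan</interface>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>192.168.1.0/24</network></source>
        <sourceport>500</sourceport>
        <descr><![CDATA[Auto created rule for ISAKMP - LAN to WAN]]></descr>
        <interface>wan</interface>
        <staticnatport></staticnatport>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>192.168.1.0/24</network></source>
        <descr><![CDATA[Auto created rule - LAN to WAN]]></descr>
        <interface>wan</interface>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>192.168.10.0/24</network></source>
        <sourceport>500</sourceport>
        <descr><![CDATA[Auto created rule for ISAKMP - VLAN10 to WAN]]></descr>
        <interface>wan</interface>
        <staticnatport></staticnatport>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>192.168.10.0/24</network></source>
        <descr><![CDATA[Auto created rule - VLAN10 to WAN]]></descr>
        <interface>wan</interface>
        <destination><any></any></destination>
      </rule>
      <rule>
        <source><network>192.168.1.0/24</network></source>
        <descr><![CDATA[LAN out via OpenVPN client]]></descr>
        <interface>ovpnc1</interface>
        <destination><any></any></destination>
      </rule>
    </outbound>
  </nat>
</pfsense>
"""


def _text(elem, path, default=""):
    """Text of a child element located by path, or default if absent."""
    child = elem.find(path)
    return (child.text or "").strip() if child is not None else default


def parse_outbound(xml_text):
    """Return (mode, rules) from the <nat><outbound> section of a config backup."""
    root = ET.fromstring(xml_text)
    outbound = root.find("./nat/outbound")
    if outbound is None:
        return "automatic", []
    mode = _text(outbound, "mode", "automatic")
    rules = []
    for r in outbound.findall("rule"):
        source = _text(r, "source/network")
        if not source and r.find("source/any") is not None:
            source = "any"
        rules.append({
            "interface": _text(r, "interface"),
            "source": source,
            "sourceport": _text(r, "sourceport"),
            "descr": _text(r, "descr"),
            # pfSense marks "static port" by the presence of an empty element
            "static_port": r.find("staticnatport") is not None,
        })
    return mode, rules


def classify(rule):
    """Bucket a rule: hand-made ones first, then the auto-generated families."""
    if not rule["descr"].startswith("Auto created rule"):
        return "custom"
    if rule["sourceport"] == "500" and rule["static_port"]:
        return "isakmp"       # static-port rules for IKE from each network
    if rule["source"].startswith("127."):
        return "localhost"    # traffic originating on the firewall itself
    return "auto"             # generic network-to-WAN rule


def summarize(xml_text):
    """Mode, per-bucket counts, and the custom rules worth recreating in hybrid mode."""
    mode, rules = parse_outbound(xml_text)
    counts = Counter(classify(r) for r in rules)
    keep = [r for r in rules if classify(r) == "custom"]
    return {"mode": mode, "total": len(rules), "counts": dict(counts), "keep": keep}


if __name__ == "__main__":
    summary = summarize(SAMPLE_CONFIG)
    print(f"mode={summary['mode']} rules={summary['total']} {summary['counts']}")
    for r in summary["keep"]:
        print(f"keep: {r['interface']:8} {r['source']:18} {r['descr']}")
```

Run it against a real backup with `summarize(open("config.xml").read())`. Everything that lands in the `isakmp`, `localhost` and `auto` buckets is what automatic or hybrid mode regenerates on its own; the `keep` list is the short set of rules to record before step 3 and recreate in step 6.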


  • LAYER 8 Global Moderator

    You're more than welcome - glad you got it sorted how you wanted.

