understanding the importance of NAT ordering
-
Under what circumstances, if any, could traffic go out via another interface if the firewall rule sends it out via a specific gw or gw group?

TL;DR: Where I have a rule on a VLAN to only send traffic via a single gateway... can it still, in fact, go out via another interface because of the final "any source" NAT mapping that I have?

Longer version: Hi all, I've read the manual and the order of priority - I just wanted to confirm my understanding of the importance of NAT ordering.
I have firewall rules on most VLANs to send traffic via different gateway groups (mostly OpenVPN connections)... e.g.
vlan10 -> gg1
vlan20 -> gg2
vlan30 -> gg3
But some VLANs only direct traffic across a specific gateway.

My NAT mappings are very liberal... e.g. I have a mapping from network -> interface, but then I have some "source any" mappings for the VPN interfaces, and the final mapping is WAN from anywhere:
WAN any * * * WAN address * wan any any
Thanks!
-
Here, this should help:
https://docs.netgate.com/pfsense/en/latest/nat/process-order.html
Outbound NATs are evaluated after the firewall rule... I think the confusion comes up when users think NAT is evaluated first, before firewall rules -- which is true in the case of port forwards or 1:1 NATs, etc.
If you have a firewall rule that forces traffic out a gateway, the NAT will be evaluated after that - top down, looking for the NAT to apply to that traffic. But the decision for what interface to send it out of has already been made. So no, outbound NAT could not change what gateway that traffic would use.
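To make the ordering in the answer concrete, here is an added model (not pfSense or pf code, and not from either poster) of what happens to an outbound packet: the first matching firewall rule fixes the egress interface via its gateway, and only then is the outbound NAT list walked top down, restricted to that egress interface. The interface names, networks and mappings are constructed to mirror the setup in the question, with an "ovpnc1"/"ovpnc2" naming assumption for the VPN interfaces.

```python
# Model of pfSense's order: policy routing (firewall rule) first,
# outbound NAT second. Illustration only, not pfSense/pf code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class FwRule:          # pass rule on an interface with an optional gateway
    iface: str         # interface the rule is attached to (e.g. "vlan10")
    gateway: str       # egress interface behind the gateway / gateway group
    src: str = "any"   # source network or "any"

@dataclass
class NatRule:         # outbound NAT mapping, evaluated after the fw rule
    iface: str         # egress interface the mapping applies to
    src: str           # source network or "any"
    translate: str     # translation address label

DEFAULT_ROUTE = "wan"  # used when the rule sets no gateway

def _match_src(rule_src, src_ip):
    return rule_src == "any" or ip_address(src_ip) in ip_network(rule_src)

def route_and_nat(in_iface, src_ip, fw_rules, nat_rules):
    """Return (egress_iface, nat_translation) for one outbound packet."""
    # Step 1: the first matching firewall rule decides the egress interface.
    egress = DEFAULT_ROUTE
    for r in fw_rules:
        if r.iface == in_iface and _match_src(r.src, src_ip):
            egress = r.gateway or DEFAULT_ROUTE
            break
    # Step 2: outbound NAT, top down, but only rules on the chosen egress.
    # The catch-all WAN mapping can never pull traffic off a VPN interface.
    for n in nat_rules:
        if n.iface == egress and _match_src(n.src, src_ip):
            return egress, n.translate
    return egress, None

# Constructed sample config: vlan10 -> gg1 (ovpnc1), vlan20 -> gg2 (ovpnc2),
# vlan99 with no gateway; liberal NAT with a per-network mapping, "source
# any" mappings on the VPN interfaces and a final WAN-from-anywhere mapping.
FW = [FwRule("vlan10", "ovpnc1"), FwRule("vlan20", "ovpnc2"), FwRule("vlan99", "")]
NAT = [
    NatRule("ovpnc1", "10.10.0.0/24", "ovpnc1 address"),
    NatRule("ovpnc1", "any", "ovpnc1 address"),
    NatRule("ovpnc2", "any", "ovpnc2 address"),
    NatRule("wan", "any", "WAN address"),   # the catch-all from the post
]
```

Running `route_and_nat("vlan10", "10.10.0.5", FW, NAT)` yields the ovpnc1 mapping, while a VLAN whose rule has no gateway falls through to the default route and is the only case the WAN catch-all ever applies to.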