Netgate Discussion Forum
    Manual outbound NAT: Different behaviour between 1.2-RELEASE and 1.2.3-RC1

      grzema

      Hello All,

      I have noticed a difference in behaviour when defining manual NAT rules, between 1.2-RELEASE (which we were using until recently) and 1.2.3-RC1:

      When defining a manual rule in version 1.2-RELEASE, and when leaving the port fields blank, the resulting nat rule performed NAT also for the low ports (below 1024).
      In version 1.2.3-RC1 (and probably in 1.2.2) the corresponding generated rules have a port range 1024-65535, which does not appear anywhere in the definition of the rule in the GUI. You can only see it from the command line:

      pfctl -s nat
      no nat on fxp0 inet from XXX.XXX.XXX.0/24 to YYY.YYY.YYY.0/24 port 1024:65535

      This can cause big headaches if you want to use services in the low port range. You can change this behaviour by editing the file
      /etc/inc/filter.inc. Search for "1024:65535" and change it to what suits you:

              /* outgoing static-port option, hamachi, Grandstream, VOIP, etc */
              if($staticnatport)
                      $staticnatport_txt = " static-port";
              else
                      if(!$natport)
                              $staticnatport_txt = " port 1:65535"; // set source port range (shipped as " port 1024:65535"; edited here to include the low ports)
                      else
                              $staticnatport_txt = "";

              $if_friendly = convert_real_interface_to_friendly_descr($if);

              /* Put all the pieces together */
              if($if_friendly)
                      $natrule = "{$nat} on \${$if_friendly} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";

              return $natrule;
      }

      Hope that helps

        ISCGDave

        I have also upgraded from 1.2 to 1.2.3-RC1 and have encountered the same problem with outbound NAT. I have an Exchange server that was working just fine with outbound SMTP traffic mapped to a virtual IP (on the WAN interface) and after the upgrade to 1.2.3-RC1 all outbound NAT seems to use the WAN IP address no matter the setting. I did attempt to modify the file and change the port range as suggested but no joy. My Exchange server is on the OPT1 interface if it makes a difference.

        Any help would be greatly appreciated as I am now experiencing bounce backs because the IP address no longer matches the DNS records.

        Thanks,
        Dave

          ISCGDave

          I was able to get this working again by changing from Automatic Outbound NAT to Manual Outbound NAT; however, something still seems to have changed between versions.

          Thanks,
          Dave
