NAT mapping: too much, causing a leak?
-
Hi, I did check several VPN client setups and there is not one same way for the NAT mapping. While it does work in hybrid and manual, I would like to know what is best for the manual rule.
Currently I hit the copy button on the 6 rules and set my interface. Now having 12 rules, the order is not changed and all work. My VPN interface with the source of the pfSense (192.168.70.1) is at the bottom. But while I read that the rule for the 'static port 500' and the '1/128' can be removed... I am not sure what is better, or: can my current setup cause a leak or so?
Or put only:
intf: wan / src 127.0.0.0/8 * * wan
intf: vpninterface / src 127.0.0.0/8 * * vpnintf
intf: vpninterface / src 192.168.70.0/24 * * vpnintf
Thanks
-
@docop2
You should learn what the outbound NAT does. Then you can decide yourself which rules you need.
The outbound NAT, also known as masquerading, is needed for traffic which is going out of your local network area.
IP packets contain a source and a destination address in their header to let the routers know how to forward the packets, and the destination device how to respond back.
So when a PC in your LAN (e.g. 192.168.70.10) accesses an internet resource (e.g. 1.1.1.1), 192.168.70.10 is the source address in the packet's header and 1.1.1.1 the destination address. But 192.168.70.10 is not routed on the internet, like all other RFC 1918 networks. Now when this packet is sent out to the internet, the outbound NAT comes into play. It translates the original source address into your WAN address. So 1.1.1.1 would see your WAN IP as source and send its responses back to it, with your WAN IP as destination in the header. pfSense receives it, determines on the basis of its state table where the packet belongs to, translates the destination IP into 192.168.70.10 and forwards the packet to your PC.
If you send out traffic over a VPN service it is also needed to translate source IPs, but into the VPN interface IP, so that the VPN server can send responses back to you.
pfSense generates outbound NAT rules automatically for all your internal subnets (sources) defined on your interfaces and for outgoing interfaces which have a gateway defined. Additionally it generates rules for 127.0.0.0/8, which is used by itself.
The port 500 for ISAKMP has to be static (no port change) for correct function, therefore pfSense generates a separate rule for it. But I assume you won't need to send this protocol over your VPN, so no rule will be needed for that.
In the outbound NAT rule the major options are:
Interface - the outgoing interface
Source - the source of the traffic (e.g. LAN net)
Destination - of the packet (can mostly be any, but you may specify)
Translation address - mostly the interface address is desired, others may be needed when having VIPs on the outgoing interface
-
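To make the mechanics above concrete, here is a small Python model of outbound NAT with first-match rule evaluation, a static-port option and a state table for reverse translation. This is an added example written for this thread, not pfSense or pf code. The interface names (wan, vpn), the WAN address 203.0.113.5, the tunnel address 10.8.0.2 and the rule set are assumptions chosen to mirror the setup discussed; only the LAN 192.168.70.0/24 comes from the thread. The last part of demo() shows what happens when the LAN rule on the VPN interface is missing: the packet leaves with its private source address, which the VPN server cannot route a reply to.

```python
"""Toy model of pfSense-style outbound NAT (masquerading) with a state table.

Simplified simulation written for this thread, not pfSense or pf code.
Interface names, WAN/VPN addresses and the rule set are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    interface: str                    # outgoing interface the rule applies to
    source: str                       # source network (CIDR)
    translate_to: str                 # address the source is rewritten to
    proto: str = "any"                # "any", "tcp" or "udp"
    dest_port: Optional[int] = None   # None = any destination port
    static_port: bool = False         # keep the original source port (ISAKMP/500 needs this)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class OutboundNAT:
    rules: list
    next_port: int = 1024             # next ephemeral source port to hand out
    # state key: (iface, proto, translated src, translated sport, dst, dport)
    # state value: (original src, original sport)
    states: dict = field(default_factory=dict)

    def _match(self, iface: str, pkt: Packet) -> Optional[Rule]:
        # pf semantics: rules are evaluated top to bottom, first match wins
        for r in self.rules:
            if r.interface != iface:
                continue
            if ip_address(pkt.src) not in ip_network(r.source):
                continue
            if r.proto != "any" and r.proto != pkt.proto:
                continue
            if r.dest_port is not None and r.dest_port != pkt.dport:
                continue
            return r
        return None

    def outbound(self, iface: str, pkt: Packet) -> Packet:
        """Translate a packet leaving `iface`; unmatched packets go out unchanged."""
        rule = self._match(iface, pkt)
        if rule is None:
            return pkt
        if rule.static_port:
            sport = pkt.sport
        else:
            sport = self.next_port
            self.next_port += 1
        out = Packet(rule.translate_to, sport, pkt.dst, pkt.dport, pkt.proto)
        self.states[(iface, pkt.proto, out.src, out.sport, out.dst, out.dport)] = (pkt.src, pkt.sport)
        return out

    def inbound(self, iface: str, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply arriving on `iface`; None if no state matches."""
        key = (iface, pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        orig = self.states.get(key)
        if orig is None:
            return None
        return Packet(pkt.src, pkt.sport, orig[0], orig[1], pkt.proto)


# Assumed addresses; only the LAN network comes from the thread.
WAN_IP = "203.0.113.5"
VPN_IP = "10.8.0.2"
LAN_NET = "192.168.70.0/24"

# Rule set modelled on the automatic rules described in the reply above.
RULES = [
    Rule("wan", "127.0.0.0/8", WAN_IP),
    Rule("wan", LAN_NET, WAN_IP, proto="udp", dest_port=500, static_port=True),
    Rule("wan", LAN_NET, WAN_IP),
    Rule("vpn", "127.0.0.0/8", VPN_IP),
    Rule("vpn", LAN_NET, VPN_IP),
]


def demo():
    nat = OutboundNAT(RULES)
    pc = Packet("192.168.70.10", 40000, "1.1.1.1", 53)        # constructed sample packet
    via_wan = nat.outbound("wan", pc)                          # source becomes WAN_IP
    via_vpn = nat.outbound("vpn", pc)                          # source becomes VPN_IP
    isakmp = nat.outbound("wan", Packet("192.168.70.10", 500, "198.51.100.7", 500))
    reply = nat.inbound("vpn", Packet("1.1.1.1", 53, via_vpn.src, via_vpn.sport))
    # Rule set without the LAN entry on the VPN interface: the private source leaks out.
    leaky = OutboundNAT([Rule("vpn", "127.0.0.0/8", VPN_IP)])
    untranslated = leaky.outbound("vpn", pc)
    return via_wan, via_vpn, isakmp, reply, untranslated


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Run it as a script to print the five packets. The ISAKMP packet keeps source port 500 because its rule is marked static_port and sits above the general LAN rule; swap those two rules and the static-port rule would never match, which is the ordering point behind the automatic rules.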
@viragomann Thanks for the explanation. Appreciated.