Netgate Discussion Forum

    Outbound NAT - Newbie Question

    • fraggle

      Version 2 question:

      I have multiple IPs from my ISP (leased line connection)

      I've given the WAN interface the first IP, xxx.xxx.xxx.182. All functions as I would expect.

      I've created an IP alias xxx.xxx.xxx.183 and I forward port 25 from the alias to the internal mail server (there is also a rule that prevents anything other than the internal mail server from sending out anything on port 25). All functions fine.

      I want to send outbound port 25 traffic (from the internal mail server) on the IP alias xxx.xxx.xxx.183. On the NAT tab I've done the outbound rule, but no matter what I do the traffic from the internal mail server always goes out on the WAN interface xxx.xxx.xxx.182

      What am I doing wrong?

      Apologies in advance if a) the question is stupid & b) there's not enough info.

      • Nachtfalke

        Could you post a screenshot of your firewall rules and your outbound NAT rules, please?

        • fraggle

          thanks for the reply…

          Firewall-LAN.jpg
          Firewall-WAN.jpg
          NAT-In.jpg
          Nat-out.jpg

          • jimp Rebel Alliance Developer Netgate

            You have to be on manual outbound NAT, if you aren't already. Can't tell from the screenshots.

            Also, the source port shouldn't be 25, it should be 'any'.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!
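The source-port point in the reply above, as an added example that is not part of the thread and is not pfSense code: a small Python model of top-down, first-match outbound NAT evaluation, run against one outbound SMTP connection. The 203.0.113.x and 192.168.1.x addresses, the source port 49152, the "any" destination port in the as-posted rule, and all names are constructed assumptions standing in for the masked values in the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN_IP = "203.0.113.182"      # constructed stand-in for xxx.xxx.xxx.182
ALIAS_IP = "203.0.113.183"    # constructed stand-in for xxx.xxx.xxx.183
MAIL_SERVER = "192.168.1.10"  # assumed internal mail server address


@dataclass
class NatRule:
    source: str               # source network in CIDR form
    src_port: Optional[int]   # None means "any"
    dst_port: Optional[int]   # None means "any"
    translate_to: str         # address the connection leaves on

    def matches(self, src_ip, sport, dport):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        return (in_net
                and self.src_port in (None, sport)
                and self.dst_port in (None, dport))


def translated_source(rules, src_ip, sport, dport):
    """Return the translation address of the first matching rule, top-down."""
    for rule in rules:
        if rule.matches(src_ip, sport, dport):
            return rule.translate_to
    return None  # no outbound NAT rule matched


LAN_DEFAULT = NatRule("192.168.1.0/24", None, None, WAN_IP)

# Rule keyed on source port 25: an outbound client connection never uses it.
as_posted = [NatRule(MAIL_SERVER + "/32", 25, None, ALIAS_IP), LAN_DEFAULT]
# Source port "any", destination port 25.
corrected = [NatRule(MAIL_SERVER + "/32", None, 25, ALIAS_IP), LAN_DEFAULT]

# Constructed outbound SMTP connection: ephemeral source port, destination 25.
SMTP_OUT = (MAIL_SERVER, 49152, 25)

if __name__ == "__main__":
    print("as posted:", translated_source(as_posted, *SMTP_OUT))
    print("corrected:", translated_source(corrected, *SMTP_OUT))
```

With the source-port-25 rule the connection falls through to the general LAN rule and leaves on the WAN address; with source port "any" and destination port 25 it leaves on the alias.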

            • jmcvay

              Fraggle,

              Did you resolve your issue? I have an interface dedicated for Wireless Traffic, and would like to route that traffic out of a different WAN IP than our LAN uses and have been looking for solutions. Single WAN, multiple addresses though.

              Using pfSense 2.0-RC1 with AON

              • stony999

                I have the same problem.

                I have IPs from my ISP starting from xxx.xxx.xxx.186 to xxx.xxx.xxx.190. The IP addresses xxx.xxx.xxx.187 - xxx.xxx.xxx.190 are defined as virtual IPs.
                I have created 2 outbound NAT rules in order to have all SIP traffic from 2 IPs in the LAN routed via the external IP xxx.xxx.xxx.189. However this traffic is still going via xxx.xxx.xxx.186.
                I also created another rule which generally sets the outgoing IP for all traffic from the LAN (192.168.178.0/24) via xxx.xxx.xxx.187. However even this traffic is still going via xxx.xxx.xxx.186.
                I cross-checked the traffic on another external server. The sending IP is in fact xxx.xxx.xxx.186.

                So outgoing IP mapping does not seem to work on my machine on virtual WAN IPs. (incoming NAT is no problem by the way)

                Does anybody have a hint on how to solve this?

                pfsense_outg-nat.png

                • jimp Rebel Alliance Developer Netgate

                  If outbound NAT isn't working like you expect, odds are that the rules are not matching like you expect them to. Try changing the last rule to a VIP and see if it catches it.

                  • stony999

                    The IP (xxx.xxx.xxx.187) in the last rule in fact is a VIP. I did this for testing, to see if it generally works.
                    But the outgoing IP is always xxx.xxx.xxx.186.

                    • jimp Rebel Alliance Developer Netgate

                      Switch back to automatic outbound NAT, and then back to Manual, and clean up the extra rules that come back, and try it again.

                      Also, make sure you are on a current snapshot (from July 11 or newer).

                      • stony999

                        The system is on pfSense 1.2.3.

                        • jimp Rebel Alliance Developer Netgate

                          Sorry, got you confused with the previous poster in the thread that said they were on 2.0, and you didn't specify. Same advice still applies.

                          • stony999

                            I did as you proposed:

                            • Automatic outbound NAT rule generation (IPsec passthrough)
                            • Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
                            • then I deleted the additional rule which was added
                            • so I am at the state again as in the screenshot above

                            But outgoing traffic is still on xxx.xxx.xxx.186 and not on the virtual IP.

                            For 1.2.3 there isn't a snapshot available, right?

                            Maybe I should mention that pfSense is running inside a KVM container with Proxmox VE.
                            Therefore I did an ngrep on the traffic on all interfaces of the physical hosts (physical IF and bridged IF). But outgoing traffic is always on xxx.xxx.xxx.186 on all interfaces. So pfSense seems not to try to assign the VIP.
                            Incoming traffic on VIPs xxx.xxx.xxx.187-190 works nicely.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.