Outbound NAT - Newbie Question

  • .version 2 question:

    I have multiple IPs from my ISP (leased line connection)

    I've give the wan interface the first IP xxx.xxx.xxx.182 All functions as I would expect

    I've created an IP alias xxx.xxx.xxx.183 and I forward port 25 from the alias to the internal mail server (there is also a rule that prevents anything other than the internal mail server from sending out anything on port 25) All functions fine.

    I want to send outbound port 25 traffic (from the internal mail server) on the IP alias xxx.xxx.xxx.183. On the NAT tab I've done the outbound rule, but no matter what I do the traffic from the internal mail server always goes out on the WAN interface xxx.xxx.xxx.182

    What am I doing wrong?

    Apologies in advance  if a) the question is stupid & b) theres not enough info.

  • Could you post a screenshot of your firewall rules and your outbound NAT rules, please ?

  • thanks for the reply…

  • Rebel Alliance Developer Netgate

    You have to be on manual outbound NAT, if you aren't already. Can't tell from the screenshots.

    Also, the source port shouldn't be 25, it should be 'any'.

  • Fraggle,

    Did you resolve your issue? I have an interface dedicated for Wireless Traffic, and would like to route that traffic out of a different WAN IP than our LAN uses and have been looking for solutions. Single WAN, multiple addresses though.

    Using pfSense 2.0-RC1 with AON

  • I have the same problem.

    I have IPs from my ISP starting from xxx.xxx.xxx.186 to xxx.xxx.xxx.190. The IP adresses xxx.xxx.xxx.187 - xxx.xxx.xxx.190 are defined as virtual IPs.
    I have created 2 outbound NAT rules in order to have all SIP traffic from 2 IPs in the LAN routed via the external IP xxx.xxx.xxx.189. However this traffic is still going via xxx.xxx.xxx.186.
    I also created another rule which generally sets the outgoing IP for all traffic from the LAN ( via xxx.xxx.xxx.187. However even this traffic is still going via xxx.xxx.xxx.186.
    I cross-checked the traffic on another external server. The sending IP is in fact xxx.xxx.xxx.186.

    So outgoing IP mapping does not seem to work on my machine on virtual WAN IPs. (incoming NAT is no problem by the way)

    Anybody has a hint how to solve this?

  • Rebel Alliance Developer Netgate

    If outbound NAT isn't working like you expect, odds are that the rules are not matching like you expect them to. Try changing the last rule to a VIP and see if it catches it.

  • The IP (xxx.xxx.xxx.187) in the last rule in fact is a VIP. I did this for testing, to see if it generally works.
    But the outgoing IP is always xxx.xxx.xxx.186.

  • Rebel Alliance Developer Netgate

    Switch back to automatic outbound NAT, and then back to Manual, and clean up the extra rules that come back, and try it again.

    Also, make sure you are on a current snapshot (From July 11 or newer)

  • The system is on Pfsense 1.2.3

  • Rebel Alliance Developer Netgate

    Sorry, got you confused with the previous poster in the thread that said they were on 2.0, and you didn't specify. Same advice still applies.

  • I did as you proposed:

    • Automatic outbound NAT rule generation (IPsec passthrough)
    • Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
    • then I deleted the additional rule which was added
    • so I am at the state again as in the screenshot above

    But outgoing traffic is still on xxx.xxx.xxx.186 and not on the virtual IP.

    For 1.2.3 there isn't a snapshot available, right?

    Maybe I should mention that pfsense is running inside a KVM container with PromoxVE.
    Therefore I did a ngrep on the traffic on all interfaces of the physical hosts (physical IF and bridged IF). But outgoing traffic is always on xxx.xxx.xxx.186 on all interfaces. So pfsense seems not to try to assign the VIP.
    Incoming traffic on VIPs xxx.xxx.xxx.187-190 works nicely.

Log in to reply