Auto Outbound Nat with VIP?



  • Hello,

    I have set up a CARP Virtual IP on the public (WAN) side of my pfSense cluster, and now I'm trying to set up all outbound traffic to NAT out on the VIP. I currently have 4 internal network interfaces (VLANs for separate private networks, with routing between them set up as required). I notice that when I go to set advanced outbound NAT rules, I can only select one internal interface and not all interfaces. I am currently running the i386 arch. of pfSense 2.0-RC3.

    My current situation is this:

    I have my domain registrar DNS information for my domains pointing to the WAN VIP (xxx.xxx.xxx.060) of the router cluster, and web and mail traffic is forwarded to an internal Postfix/Apache box set up to route the mail to their respective mail servers and web to their respective web servers on the private networks (some on MS Exchange, some running Postfix, one Postfix/ISPConfig, mixed IIS and Apache for web). The inbound is routing as desired. When I send mail out from one of the web servers, it routes through the mail gateway and out through pfSense, only this time when it gets to an outside mail server and I check it with the mail client, the message has exited the pfSense box on the IP assigned to the physical interface of the primary router (xxx.xxx.xxx.058). I can see that this is going to cause rDNS issues and gateway mismatch for other services such as RDP if the outbound traffic is not sent from the same IP that it was received on. This may also end up with my addresses added to reverse DNS blacklists for mail, which will not be good.

    My Question is this:

    Is there a way to set the default address used for outbound NAT and still use automatic rule generation? Or perhaps, is there a way to set an all-encompassing rule for all internal networks to use the same external address for outbound NAT? I don't want to have to add rules for every network individually if there is a variable or setting I can change that will set the auto-generated outbound rules to use the VIP and not the interface IP. I am hoping that I do not have to add a new NAT rule every time that I provision a new network.

    Any help is greatly appreciated.

    - OddBallRacing



  • The amount of time and work needed to use manual outbound NAT is almost surely less than writing long questions ;)

    But to the question: I don't know how the automatic outbound NAT likes it if someone tries to change the IP of that NATting. With manual you can do so much more also.


  • Rebel Alliance Developer Netgate

    If you want to change anything at all with outbound NAT, you must use Manual Outbound NAT. There is no way to change any settings like that otherwise.
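As an added example (not part of this thread, not pfSense's own code), here is a shell check for the symptom the original poster describes: it reads the loaded pf translation rules (as `pfctl -sn` prints them on the firewall) and lists every `nat` rule whose translation address is not the CARP VIP. The sample rule text below is constructed, with 203.0.113.58 and 203.0.113.60 standing in for the `.058` interface address and `.060` VIP from the post, and the table name `<InternalNets>` is an assumed alias name: with Manual Outbound NAT, one rule whose source is a network alias covering all internal subnets translates everything to the VIP, which is the single all-encompassing rule the question asks about.

```shell
#!/bin/sh
# Added example: find outbound NAT rules that translate to the wrong address.
# Input is the text `pfctl -sn` prints; on a live box you would run
#   nat_rules_not_using_vip "$(pfctl -sn)" 203.0.113.60

# Constructed sample of automatic outbound NAT on a pfSense 2.0 box: one pair
# of rules per internal VLAN, all translating to the WAN interface address
# (.58) instead of the CARP VIP (.60). Addresses are documentation-range
# stand-ins for the ones in the post.
SAMPLE_RULES='nat on em0 inet from 10.10.1.0/24 port = isakmp to any -> 203.0.113.58 static-port
nat on em0 inet from 10.10.1.0/24 to any -> 203.0.113.58 port 1024:65535
nat on em0 inet from 10.10.2.0/24 port = isakmp to any -> 203.0.113.58 static-port
nat on em0 inet from 10.10.2.0/24 to any -> 203.0.113.58 port 1024:65535
nat on em0 inet from 10.10.3.0/24 to any -> 203.0.113.60 port 1024:65535'

# Constructed sample of what one Manual Outbound NAT rule looks like once an
# alias (here assumed to be named InternalNets) holding every internal subnet
# is used as the source and the CARP VIP as the translation address. New
# VLANs only need adding to the alias, not a new rule.
MANUAL_RULE='nat on em0 inet from <InternalNets> to any -> 203.0.113.60 port 1024:65535'

# Print every "nat" rule whose address after "->" differs from the VIP.
# $1 = rule text, $2 = expected translation address (the CARP VIP)
nat_rules_not_using_vip() {
    printf '%s\n' "$1" | awk -v vip="$2" '
        $1 == "nat" {
            for (i = 1; i <= NF; i++) {
                if ($i == "->" && $(i + 1) != vip) { print; break }
            }
        }'
}

# Number of offending rules, for a quick pass (0) / fail (non-zero) check.
count_nat_rules_not_using_vip() {
    nat_rules_not_using_vip "$1" "$2" | awk 'END { print NR }'
}

echo "Automatic outbound NAT rules not using the VIP:"
nat_rules_not_using_vip "$SAMPLE_RULES" 203.0.113.60
echo "Manual rule count not using the VIP: $(count_nat_rules_not_using_vip "$MANUAL_RULE" 203.0.113.60)"
```

The check only looks at the translation address, so it will also flag the `static-port` ISAKMP rules that automatic mode generates; in a manual rule set you would recreate those with the VIP as the target as well, otherwise IPsec peers see the interface address rather than the VIP.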

