Netgate Discussion Forum

    Auto Outbound Nat with VIP?

    Category: NAT
    3 Posts 3 Posters 2.5k Views

    oddballracing:

      Hello,

      I have set up a CARP Virtual IP on the public (WAN) side of my pfSense cluster, and now I'm trying to set up all outbound traffic to NAT out on the VIP. I currently have 4 internal network interfaces (VLANs for separate private networks, with routing between them set up as required). I notice that when I go to set advanced outbound NAT rules, I can only select one internal interface and not all interfaces. I am currently running the i386 arch. of pfSense 2.0-RC3.

      My current situation is this:

      I have my domain registrar DNS information for my domains pointing to the WAN VIP (xxx.xxx.xxx.060) of the router cluster, and web and mail traffic is forwarded to an internal Postfix/Apache box set up to route the mail to their respective mail servers and web to their respective web servers on the private networks (some on MS Exchange, some running Postfix, one Postfix/ISPConfig, mixed IIS and Apache for web). The inbound is routing as desired. When I send mail out from one of the web servers, it routes through the mail gateway and out through pfSense, only this time when it gets to an outside mail server and I check it with the mail client, the message has exited the pfSense box on the IP assigned to the physical interface of the primary router (xxx.xxx.xxx.058). I can see that this is going to cause rDNS issues and gateway mismatch for other services such as RDP if the outbound traffic is not sent from the same IP that it was received on. This may also end up with my addresses added to reverse DNS blacklists for mail, which will not be good.

      My Question is this:

      Is there a way to set the default address used for outbound NAT and still use automatic rule generation? Or perhaps, is there a way to set an all-encompassing rule for all internal networks to use the same external address for outbound NAT? I don't want to have to add rules for every network individually if there is a variable or setting I can change that will set the auto-generated outbound rules to use the VIP and not the interface IP. I am hoping that I do not have to add a new NAT rule every time that I provision a new network.

      Any help is greatly appreciated.

      - OddBallRacing

      Metu69salemi:

        The amount of time and work needed to use manual outbound NAT is almost surely less than writing long questions ;)

        But to the question: I don't know how automatic outbound NAT likes it if someone tries to change the IP of that NATting. With manual you can do so much more as well.

        jimp (Rebel Alliance Developer, Netgate):

          If you want to change anything at all with outbound NAT, you must use Manual Outbound NAT. There is no way to change any settings like that otherwise.


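          What jimp's answer comes down to at the pf level, as an added illustration that is not from this thread and not pfSense's own generated ruleset: an automatic outbound NAT rule translates to the WAN interface address, while the Manual Outbound NAT rule this setup needs translates to the CARP VIP. The interface name `em0`, the addresses 203.0.113.58/.60 (standing in for the .058 interface IP and .060 VIP above) and the RFC 1918 source ranges are placeholders.

```pf
# Constructed example: the effect of automatic outbound NAT. The
# translation target is the WAN interface itself, "(em0)", so packets
# leave from the primary node's physical address (.58), which is why
# outbound mail does not come from the VIP the inbound forwards use.
nat on em0 from 10.0.0.0/8      to any -> (em0)
nat on em0 from 172.16.0.0/12   to any -> (em0)
nat on em0 from 192.168.0.0/16  to any -> (em0)

# Manual Outbound NAT equivalent: translate to the CARP VIP (.60), so
# the reply address matches the one the forwards are published on and
# rDNS / gateway checks at remote mail servers line up. Broad source
# ranges mean a newly provisioned VLAN inside them needs no new rule.
nat on em0 from 10.0.0.0/8      to any port 500 -> 203.0.113.60 static-port
nat on em0 from 10.0.0.0/8      to any -> 203.0.113.60 port 1024:65535
nat on em0 from 172.16.0.0/12   to any -> 203.0.113.60 port 1024:65535
nat on em0 from 192.168.0.0/16  to any -> 203.0.113.60 port 1024:65535
```

          In the GUI (Firewall > NAT > Outbound, manual mode) the source of such a rule can be a network alias holding all the VLAN subnets and the translation address the CARP VIP; provisioning a new network then means adding it to the alias rather than writing another rule. Confirm the change by sending a test message and checking that the Received header at the outside mail server shows the VIP, not the interface IP.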
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.