"Manual outbout NAT rule generation" rule question

ace

We have 4 interfaces on the pfsense boxes:

1. WAN
2. LAN
3. STAGE LAN
4. XOVER (pfsync).

When we select the radio buttong for "Manual outbout NAT rule generation" it only generates a rule for the WAN with the source being the LAN network.

Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port
WAN  10.9.32.0/24     *         *         *                 *                 *              NO

Sureley the source should be "*", or at least both the the LAN network and the STAGE LAN network (and all network underneath these two - in a muti tier network architecture, the top LAN tier being the DMZ, and APP/DB teirs firewalled underneath it).

Also, surely the default rule should have had the NAT address set to the WAN IP?  Obviosly, it needs to be changed to the CARPed WAN ip.

SeventhSon

The standard wouldn't have the NAT set because of PRB/LB I would say. And you wouldn't want it to generate a NAT rule for a LAN interface, that would be weird…

I think once you start with multiple LAN/WAN you would have to go the manual way and put the subnets in yourself. Otherwise, we need an option on each interface to tell us if it's WAN or LAN.

podilarius

In 2.0.1 and 2.1, if you have interfaces setup with a manual address, then pfsense will create a manual rule for them when switching from auto, the first time you do it. From then on you have to create your own rules.

If you are running clustered firewalls, then you most definitely want it using the CARP addresses. Nothing should be using the physical address except for the localhost (127.0.0.1).