Netgate Discussion Forum
"Manual outbound NAT rule generation" rule question

    Category: HA/CARP/VIPs
    3 Posts 3 Posters 1.7k Views
    ace:

      We have 4 interfaces on the pfSense boxes:

      1. WAN
      2. LAN
      3. STAGE LAN
      4. XOVER (pfsync).

      When we select the radio button for "Manual outbound NAT rule generation" it only generates a rule for the WAN with the source being the LAN network.

      Interface  Source         Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
      WAN        10.9.32.0/24   *            *            *                 *            *         NO

      Surely the source should be "*", or at least both the LAN network and the STAGE LAN network (and all networks underneath these two; in a multi-tier network architecture, the top LAN tier being the DMZ, and APP/DB tiers firewalled underneath it).

      Also, surely the default rule should have had the NAT address set to the WAN IP? Obviously, it needs to be changed to the CARPed WAN IP.

      SeventhSon:

        The standard wouldn't have the NAT set because of PRB/LB I would say. And you wouldn't want it to generate a NAT rule for a LAN interface, that would be weird…

        I think once you start with multiple LAN/WAN you would have to go the manual way and put the subnets in yourself. Otherwise, we need an option on each interface to tell us if it's WAN or LAN.

        podilarius:

          In 2.0.1 and 2.1, if you have interfaces set up with a manual address, then pfSense will create a manual rule for them when switching from auto, the first time you do it. From then on you have to create your own rules.

          If you are running clustered firewalls, then you most definitely want it using the CARP addresses. Nothing should be using the physical address except for the localhost (127.0.0.1).

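          To make the advice in the first post and in podilarius's reply concrete (every internal tier as a NAT source, translation to the shared CARP VIP rather than the node's physical address), here is an added example of hand-written outbound NAT rules in pf.conf syntax. It is not from the thread and not what pfSense's auto-generator emits. Interface names, the STAGE/APP/DB subnets and both WAN addresses are constructed placeholders; only 10.9.32.0/24 comes from the post.

```pf
# Added example, not from the forum thread or from pfSense's rule generator.
# Interface names, the STAGE/APP/DB subnets and the WAN addresses are constructed.
wan   = "em0"
lan   = "em1"
stage = "em2"
xover = "em3"                 # pfsync crossover link: never carries NAT

lan_net   = "10.9.32.0/24"    # LAN subnet from the post
stage_net = "10.9.33.0/24"    # constructed: STAGE LAN
app_net   = "10.9.40.0/24"    # constructed: APP tier behind STAGE LAN
db_net    = "10.9.41.0/24"    # constructed: DB tier behind APP

wan_vip  = "203.0.113.10"     # constructed: CARP VIP shared by both nodes
wan_phys = "203.0.113.11"     # constructed: this node's own WAN address (unused below)

# pf evaluates translation rules first-match, so exceptions and narrow rules
# come before the catch-all.
internal_nets = "{" $lan_net $stage_net $app_net $db_net "}"

# Weak form, equivalent to the single auto-converted rule in the GUI table:
# only the LAN subnet, translated to whatever address the interface currently
# holds. On a CARP pair the secondary has a different physical address, so
# sessions synced over pfsync do not survive a failover.
# nat on $wan from $lan_net to any -> ($wan)

# Never translate traffic between the internal tiers, even if a stray route
# would push it out the WAN.
no nat on $wan from $internal_nets to $internal_nets

# "Static Port" = YES for a protocol that breaks when the source port is
# rewritten (IKE on UDP/500 is the usual case). Placed before the general rule.
nat on $wan inet proto udp from $internal_nets to any port 500 -> $wan_vip static-port

# Corrected catch-all: every internal tier leaves through the shared CARP VIP,
# so the address stays valid on whichever node is master.
nat on $wan inet from $internal_nets to any -> $wan_vip

# No nat rules on $lan, $stage or $xover: outbound NAT belongs on the
# upstream interface only, and the pfsync link must stay untranslated.
```

          On a plain pf host you can syntax-check the file with `pfctl -nf /path/to/pf.conf` and inspect what is loaded with `pfctl -s nat`. On pfSense the same rules are entered through Firewall > NAT > Outbound in manual mode; the file form above is only to show the intended rule set and its ordering, since pfSense regenerates its own rules file from the GUI configuration.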
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.