1. Home
  2. pfSense® Software
  3. NAT
  4. [BUG] Disabled Outbound NAT entry does not appear grayed out

[BUG] Disabled Outbound NAT entry does not appear grayed out

  • L

    For normal NAT rules and FW rules, if you disable the rule, the entry in the list appears as grayed out by changing the text to gray. This is not the case with Outbound NAT rules. In order to see if the rule is disabled, you must click to edit and look at the check box at the top. Please fix this issue to be consistent with other "disabled" behaviors.

    0
  • C

    It's not possible to disable outbound NAT entries at this time. Guessing you're referring to "do not NAT", that doesn't disable the rule, it doesn't NAT on that rule. It's correct as is.

    0
  • L

    I guess I don't understand the difference between "Do not NAT" and "Disable NAT rule". Either terminology still sounds like the rule will not be implemented.

    0
  • jimp
    Rebel Alliance Developer Netgate

    "Do not NAT" is an exception to the other rules.
    "Disable" would make the rule inactive.

    Do not NAT on WAN from x.x.x.Z/32 to any
    NAT on WAN from x.x.x.0/24 to any

    That would do NAT for all items in x.x.x.0/24 except for x.x.x.Z which would not get NAT applied.

    If the rule were disabled, it would fall through to the second rule and still get NAT, which is not what was desired there.

    Eventually there should be a "disable" checkbox on that screen too but it doesn't exist yet (I thought there was a feature request ticket open for that already).

    0
  • L

    @jimp:

    "Do not NAT" is an exception to the other rules.
    "Disable" would make the rule inactive.

    Do not NAT on WAN from x.x.x.Z/32 to any
    NAT on WAN from x.x.x.0/24 to any

    That would do NAT for all items in x.x.x.0/24 except for x.x.x.Z which would not get NAT applied.

    If the rule were disabled, it would fall through to the second rule and still get NAT, which is not what was desired there.

    Eventually there should be a "disable" checkbox on that screen too but it doesn't exist yet (I thought there was a feature request ticket open for that already).

    Ahhhh. Now I understand (lightbulb!). So if my default Outbound NAT is x.x.x.0/24 with the "Do not NAT" on x.x.x.25/32, then I wonder what x.x.x.25 will get NAT-ed to and if outbound traffic will work properly (I'm not wanting to test on a live server). Will the outbound IP be x.x.x.25?

    0
  • jimp
    Rebel Alliance Developer Netgate

    If no NAT is applied, the source address is left alone.

    Most people would never need such a rule, but there are some out there that do. It's sometimes more useful to "do not nat" based on the destination rather than the source.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy