BUG: Cannot turn off NAT on WAN port

  • Hello everybody.

    I have trouble turning off the NAT engine.


    • Automatic outbound NAT rule generation (IPsec passthrough included) deselected
    • Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) SELECTED
    • all mapping rules deleted
    • changes saved and applied accordingly

    According to this:

    With automatic outbound NAT enabled, a mapping is automatically created for each interface's subnet (except WAN-type connections) and the rules on this page are ignored.
    If manual outbound NAT is enabled, outbound NAT rules will not be automatically generated and only the mappings you specify on this page will be used.
    If a target address other than a WAN-type interface's IP address is used, then depending on the way the WAN connection is set up, a Virtual IP may also be required.
    To completely disable outbound NAT, switch to Manual Outbound NAT then delete any NAT rules that appear in the list.

    However, I am always exposed with the WAN Interface address to the outside (still got NAT-ed).

    When I disable the firewall in the advanced settings, I am routed properly to the target with my IP address.

    As soon as I re-enable the Firewall, I get NAT-ed again.

    Seems to be a BUG in the UI (not all rules are shown) or in the description of how to turn off NAT.

    Any help appreciated.


  • It works fine as described. If you have Squid enabled with transparent proxying, that will by its nature change the source IP on any proxied traffic. Otherwise you just have to do as described:

  • Thank you.

    I have not installed Squid, but the HAVP service. The proxy is set to transparent - however it seems not to be transparent, but NAT-ing.
    If I disable transparent AV scanning, the firewall routed me accordingly.

    Maybe this needs to be mentioned somewhere in the documentation.

  • Rebel Alliance Developer Netgate

    "Transparent" proxying means transparent to the client - meaning, they don't need to change their settings.

    It does not mean it is transparent to the network.

    Anything that proxies is going to change the source address to that of the proxy (without some hacked-up Linux-proprietary tproxy mojo going on).

    That's just how proxies work by their nature. The proxy is the one requesting the pages from the servers, not the client.
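
    A check that fits both the first post's suspicion of hidden rules and the explanation above of how a transparent proxy hooks in: read the NAT ruleset pf actually loaded (`pfctl -sn`) instead of trusting the web UI, and look separately at `nat` rules (outbound translation) and `rdr` rules (the redirect that feeds a transparent proxy). This is an added example, not code from the thread or from pfSense; the interface names, addresses, the port-3128 redirect and the exact layout of the sample `pfctl -sn` output are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sn` output (the NAT/rdr ruleset pf has loaded,
# independent of what the web UI lists). Interfaces, addresses and the proxy
# port are made up; the rdr line models a transparent-proxy redirect to localhost.
SAMPLE_PFCTL_SN='no nat proto carp all
nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.5 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
no rdr proto carp all
rdr pass on em1 inet proto tcp from 192.168.1.0/24 to any port = http -> 127.0.0.1 port 3128'

# Count `nat on <iface>` rules still loaded for one interface.
# $1 = pfctl -sn output, $2 = interface name
count_nat_rules() {
    printf '%s\n' "$1" | awk -v ifc="$2" \
        '$1 == "nat" && $2 == "on" && $3 == ifc { n++ } END { print n+0 }'
}

# Count rdr (redirect) rules; this is where transparent proxies intercept
# client traffic, so a non-zero count explains proxied source addresses.
# $1 = pfctl -sn output
count_rdr_rules() {
    printf '%s\n' "$1" | awk '$1 == "rdr" { n++ } END { print n+0 }'
}

# Console report: nat rules per interface, then the redirect count.
# $1 = pfctl -sn output, $2 = space-separated interface names
report() {
    for ifc in $2; do
        printf 'nat rules on %s: %s\n' "$ifc" "$(count_nat_rules "$1" "$ifc")"
    done
    printf 'rdr (redirect) rules: %s\n' "$(count_rdr_rules "$1")"
}

report "$SAMPLE_PFCTL_SN" "em0 em1"
```

    On a live firewall, replace the sample with the real output, e.g. `report "$(pfctl -sn)" "em0 em1"`; any remaining `nat on` line for the WAN interface, or an `rdr` line pointing at the proxy, accounts for the translated source address.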
