Enabled Manual Outbound NAT rule generation, sites not working?

  • Hello gurus

    I seem to have an issue and I believe it is related to me enabling Manual Outbound NAT rule generation, but I could be wrong.

    I had to use this to get my PBX working so it went out on the same Virtual IP it came in on.

    Now I have noticed several hosted sites I have stopped working, pages don't load and I get 504 gateway timeouts. These sites were working fine prior to me switching to Manual Outbound NAT.

    In some cases I created outbound NAT rules to have data go out over the same Virtual IP it came in on, but in 1 case this doesn't seem to be working so far.

    Are there any "default" outbound NAT rules I should have in my list? It was empty when I enabled Manual mode.

  • Do rules in Manual Outbound NAT go in order like most other rule areas in pfSense?

  • Rebel Alliance Developer Netgate

    Yes, they are processed from the top-down, first match wins.

    If you want to go back to the "default" rules, switch to automatic outbound NAT, save, then delete all of the rules, then switch back to manual and save.

    If you made your own outbound NAT rule for the PBX to do "static port", make sure that rule is restricted to only a source of your PBX and only for UDP traffic.

  • Thanks Jimp,

    Looks like some of the issues yesterday could have been ISP related, as I had disabled Manual yesterday, then re-enabled it mid day and so far all sites have been working fine. But the ISP has an older Cisco in our office as trunk since we have multiple ranges; they had said resource usage was high yesterday, maybe dropping packets.

    When I do the rules for manual NAT I am doing the source as ex. , making sure to lock it down to that IP.

    Now I have noticed, for servers, 2 specifically, that don't have a manual outbound NAT rule, they are not getting DNS resolution it seems, as if there is no outbound rule for it to just go out over the default gateway / firewall IP…

  • Just had another system,

    I hadn't made an outbound NAT rule for it, and it would not connect to anything outside. I then did a manual outbound NAT rule and it works.

    My concern now is what about systems that are behind the default firewall IP… they do not seem to be able to hit anything outside... as if they are looking for an outbound route but don't have one..

  • Rebel Alliance Developer Netgate

    The kind of behavior you describe sounds like what happens when someone mistakenly adds or selects a gateway on a local interface.

    First, make sure that under Interfaces > WAN and Interfaces > LAN, etc., you only have a gateway chosen on the WAN type interface(s).

    You can define LAN-side gateways for other routers, but you do not need nor want a gateway defined on the LAN interface or for any IP address actually on the firewall.

  • Here is my LAN config:

    Here is my WAN config:

    So, something else I could have set incorrectly?

    I do have

    Block private networks

    Block bogon networks

    enabled on the LAN..

  • Still stuck on this, I have to add some new servers but I can't even run yum update because it can't get a connection out…. I have no outbound firewall rules to block anything either.

  • Rebel Alliance Developer Netgate

    Not enough detail there to speculate, but it would appear as though it should work so long as you are on Automatic Outbound NAT. If you're on manual you'll need to add rules to cover the new subnet(s).

    You can look at the generated list of NAT networks in Automatic Outbound NAT by going to Diag > Tables and looking at "tonatsubnets"; if it doesn't show there, look in /tmp/rules.debug.
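    To make the two points above concrete (rules are processed top-down with first match winning, and a host whose subnet no rule covers leaves untranslated, which is why a new subnet needs its own rule in manual mode), here is an added model of a manual outbound NAT rule list. It is example code written for this thread, not pfSense's own code; the rule fields, the 192.168.1.x / 10.10.0.x subnets and the 198.51.100.x addresses are constructed documentation values, not the poster's real configuration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class OutboundNatRule:
    """One manual outbound NAT rule, modelled on the fields in the pfSense form."""
    interface: str              # interface the traffic leaves on, e.g. "WAN"
    source: str                 # source network the rule matches
    protocol: str               # "any", "udp" or "tcp"
    translation: str            # address the source is rewritten to (WAN IP or Virtual IP)
    static_port: bool = False   # keep the original source port (what the PBX rule needs)


def evaluate_outbound_nat(rules, out_iface, src_ip, protocol):
    """Walk the list top-down; the first matching rule wins.

    Returns (translation address, static_port), or None when no rule matches.
    None is the case the thread describes: the packet leaves with its private
    source address untranslated, so replies never come back."""
    for r in rules:
        if r.interface != out_iface:
            continue
        if r.protocol != "any" and r.protocol != protocol:
            continue
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.source):
            continue
        return (r.translation, r.static_port)
    return None


def uncovered_subnets(rules, local_subnets, out_iface="WAN"):
    """Report local subnets with no catch-all (protocol "any") rule on out_iface.

    This is the check a manual-mode admin would otherwise do by eye against the
    automatic mode's "tonatsubnets" list: any subnet reported here is one whose
    hosts cannot reach the outside until a rule is added for it."""
    uncovered = []
    for subnet in local_subnets:
        net = ipaddress.ip_network(subnet)
        covered = any(r.interface == out_iface and r.protocol == "any"
                      and net.subnet_of(ipaddress.ip_network(r.source))
                      for r in rules)
        if not covered:
            uncovered.append(subnet)
    return uncovered


# Constructed sample rule set (documentation addresses, not the thread's real ones).
RULES = [
    # PBX first: only the PBX host, only UDP, static port, out via its own Virtual IP
    OutboundNatRule("WAN", "192.168.1.10/32", "udp", "198.51.100.20", static_port=True),
    # General LAN rule: everything else on the LAN leaves via the WAN address
    OutboundNatRule("WAN", "192.168.1.0/24", "any", "198.51.100.2"),
]
```

Swapping the two rules in RULES makes the PBX's UDP traffic hit the general rule first and lose static port, which is the ordering mistake the first-match behaviour makes possible.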

  • Will take a look at that area, thanks

    I guess it seems the main LAN subnet, it does not let me choose the interface for the main WAN IP I have assigned in my pfSense box, I can only choose Virtual IPs added into the system

  • Nothing under Diag > Tables tonat….

    So going to check the other file.

  • @SysIT:

    I do have

    Block private networks

    Block bogon networks

    enabled on the LAN..

    Enabled on the LAN, you say? Not WAN?
