Outbound NAT - am I missing something here?



  • So I'm not sure I'm understanding how manual outbound NAT actually works. I've gotten it to work for a few hosts (after much trial and error, and only after using the opposite WAN connection that I would expect it to need. Then later, switching it to the correct one still worked).

    My configuration is attached. Apparently I'm completely lost in how this is supposed to work.

    So let's say I want to have the 192.168.122.0/23 network go out through the WAN_GUEST interface, and everything else out of WAN. How would I configure outbound NAT? Keep in mind I've tried it with and without the WAN rule for 192.168.122.0/23, with the same result (which would be it going out of the WAN interface until I switch my default gateway to WAN_GUEST).



  • The outbound NAT only tells the system under what conditions to do NAT on packets/flows. It does not actually change the routing of packets. As well as having NAT rules to apply NAT on the way out to the public internet for packets with private IPs, you need firewall rules with the gateway specified to direct particular stuff to particular WANs.

    Also, if all your internal private subnets are LANs direct-connected to pfSense, and all your public WANs are also direct-connected, then Automatic Outbound NAT should be fine - pfSense knows all about the traffic that could need NAT and can sort it out.
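
A simplified model of the two decisions described in the reply above, added here as an illustration (it is not from the thread and is not pfSense code): the egress interface is chosen first, by a firewall rule with a gateway or else the default route, and only outbound NAT rules bound to that interface are then considered. Interface names follow the thread; all addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample values: interface names follow the thread, addresses are
# documentation ranges, not the poster's real configuration.
DEFAULT_EGRESS = "WAN"  # interface of the system default gateway

def egress_interface(src, policy_rules):
    """Routing step: first firewall rule with a gateway wins, else default route."""
    ip = ipaddress.ip_address(src)
    for net, gateway_if in policy_rules:
        if ip in ipaddress.ip_network(net):
            return gateway_if
    return DEFAULT_EGRESS

def outbound_nat(src, out_if, nat_rules):
    """NAT step: only rules bound to the interface the packet leaves on apply."""
    ip = ipaddress.ip_address(src)
    for rule_if, net, translate_to in nat_rules:
        if rule_if == out_if and ip in ipaddress.ip_network(net):
            return translate_to
    return src  # no match: the source address is left untranslated

def send(src, policy_rules, nat_rules):
    """Return (egress interface, source address seen on the wire)."""
    out_if = egress_interface(src, policy_rules)
    return out_if, outbound_nat(src, out_if, nat_rules)

NAT_RULES = [
    ("WAN_GUEST", "192.168.122.0/23", "198.51.100.10"),  # guest VIP (constructed)
    ("WAN", "192.168.0.0/16", "203.0.113.10"),           # WAN address (constructed)
]
# Firewall rule on the LAN side with the gateway set to WAN_GUEST
POLICY_RULES = [("192.168.122.0/23", "WAN_GUEST")]

if __name__ == "__main__":
    # NAT rules only: traffic still follows the default gateway out of WAN
    print(send("192.168.122.50", [], NAT_RULES))
    # NAT rules plus policy rule: traffic leaves WAN_GUEST with the guest VIP
    print(send("192.168.122.50", POLICY_RULES, NAT_RULES))
    # Everything else keeps using WAN
    print(send("192.168.10.7", POLICY_RULES, NAT_RULES))
```

With only the WAN_GUEST NAT rule and no policy rule, the model shows the symptom from the first post: the packet leaves WAN and the WAN_GUEST rule is never evaluated.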



  • Unfortunately due to some poor design decisions made before I arrived, certain servers need to go out via certain virtual IPs, so manual outbound NAT is a requirement in my case.

    @phil.davis:

    As well as having NAT rules to apply NAT on the way out to the public internet for packets with private IPs, you need firewall rules with the gateway specified to direct particular stuff to particular WANs.

    That completely answered my question, thank you very much for the help!

