Outbound NAT not working for OPT interfaces



  • Hello,

    It has taken about three years for me to manage to get pfsense installed, but I have finally managed it. Unfortunately, I cannot get it setup now.

    I have 4 NICs on a mini-itx server and the LAN to WAN interface connection is working fine. However, the optional two interfaces just do not let anything through.

    Outbound NAT has been set as follows:

    Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
    WAN  192.168.32.0/24 * * * WAN address * NO Auto created rule for LAN to WAN
    WAN  192.168.38.0/24 * * * WAN address * NO Auto created rule for WIFI to WAN
    WAN  192.168.40.0/24 * * * WAN address * NO Auto created rule for OPT2 to WAN
    WAN  127.0.0.0/8 * * * WAN address 1024:65535 NO

    and the firewall rules are as follows for each of these subnets:

    Proto Source Port Destination Port Gateway Queue Schedule Description
    IPv4 * LAN net * * * * none
    IPv4 * WIFI net * * * * none
    IPv4 * OPT2 net * * * * none

    The interfaces are all up and I can ping then from the pfsense ssh connection

    Could someone pleaase tell me what I have missed?



  • Just to make sure, which tab did you pull those firewall rules from?



  • The rules are applied to the correct interface

    I have even added individual rules from the system firewall logs and played with the ordering of the rules on each interface, but traffic is still blocked. I just cannot make sense of this.

    All the interfaces are setup the same with private network addresses allowed.



  • Ok, so then just so we're clear, you added the following lines manually to your post and they are not all on the LAN interface correct?:

    Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4 *    LAN net    *    *    *    *    none
    IPv4 *    WIFI net    *    *    *    *    none
    IPv4 *    OPT2 net    *    *    *    *    none

    Let's get traffic flowing first, then worry about restricting access later.  Set your LAN, WIFI and OPT2 to any/any.  i.e. your LAN should have an anti-lockout rule plus an any/any, the other two should have just any/any.  Then reset your states and report back.

    If you can, post a screen shot of your blocks and your routing table.



  • All the firewall rules have been applied to the correct interfaces. I have used Monowall for years so I us understand the basics of this.

    Traffic follows from the LAN (192.168.32.1) to the WAN (192.168.24.254) without issue, but the WIFI or OPT to WAN is a no go.

    I have the basic allow everything to everything on the LAN, WIFI and OPT iterfaces. I am not trying to restrict anything at this stage I am just trying so see if i can get some traffic move thhrough each interface (as you are suggesting). I only added the auto add rules as I am at a loss the know why this does not work.

    All the interfaces are up and shown the correct ip and they must be working because the logs show my ping, dns, ssh, http etc connections are being blocked. I just cannot work out why they are being blocks as everything is allowed!!!



  • Post a pic of the blocks.



  • Not everything shows as being blocked. I can see in /var/log/filter.log a dig google.com is getting blocked:

    Oct 20 16:29:41 gateway pf: 00:00:03.003187 rule 3/0(match): block in on em0: (tos 0x0, ttl 64, id 63826, offset 0, flags [DF], proto UDP (17), length 96)
    Oct 20 16:29:41 gateway pf:    192.168.40.2.33249 > 192.168.40.1.53: 33813+ A? safebrowsing.clients.google.com.googlespy.co.uk. (68)






  • I have discovered option 10 on the ssh login menu and everything does seem to be getting blocked regardless of the allow anything rule that has been set.

    The block private networks setting on the OPT interface in question has been tried checked as well as uncheck and it did not make any difference (it has been left unchecked again now). Resetting the states also did resolve anything.

    I am running out of ideas now!


  • Banned

    I think he meant the networks blocks and not the firewall blocks….. ;)



  • :o

    WAN 192.168.24.254 (192.168.24.0/24) gw address 192.168.24.1
    LAN 192.168.32.1  (192.168.32.0/24)
    WIFI 192.168.38.1  (192.168.38.0/24)
    OPT 192.168.40.1  (192.168.40.0/24)


  • Banned

    And then you post the pictures of all outbound NAT rules ;)



  • The outbound nat rules are as listed in one of my earlier posts. I am not at work anymore so I will post a screen shot in the morning showing that this is the case. I deleted the outbound nat rules before i reset the states. So after switching to auto and then back to manual outbound rules there were a couple of additional rules added that do not randomise ports during NAT. The auto generated rules were also /32 for the opt interfaces so I changed these to a /24 for the opt interface subnets.

    Essentially outbound  NAT is still as my earlier post.  :-\



  • Also the blocks from your screenshot are coming from the "PCI" interface, which you say is OPT2.  Post the firewall rules from all your interfaces.



  • I have referred to one of the interfaces as OPT to make the post easier to understand. The two optional interfaces are actually named WIFI and PCI.

    The interfaces have been set with these names from the begining. I renamed them as soon as I logged in to the wui.

    The rules for each interface are set exactly as I have mentioned above. The only difference between the rules on the LAN interface and the OPT1/OPT2 or PCI/WIFI interfaces is that the LAN has the anti lock out rule and an ipv6      allow everything everywhere outbound rule. On the OPT1/OPT2 or the PCI/WIFI interfaces I have only added ipv4 rules the that should be allowing everything everywhere outbound. I will post images in the morning.

    I have also been wondering if the IP address settings on each interface might be incorrect. I think I may have given the OPT1/OPT2 or PCI/WIFI interfaces a 192.168.38.1/32  and a 192.168.40.1/32 IP address/addresses. I might try a /24 on these interfaces in the morning as well!



  • Ahhh… yes.... if you gave them a /32 that may be your issue, but we'll see when you check tomorrow.



  • pfSense is up and running fine now. The /32 setting on the OPT interfaces was the issue!!! A simple balls up that had me completely lost until I had a brain wave last night.

    I should have guessed this earlier really. When the outbound NAT rules were autogenerated I kept changing them to NAT the whole subnet rather than just the interface address!!!

    This is the issue when you use a forum to ask for help you know you will ultimately look like a numpty when your error is found! Thanks for your assistance anyway it helped me think things through until I realised what the problem was.


Log in to reply