Concerns about automatic outbound NAT rule generation



  • Hello pfSense forum,
    I am worried about the automatically generated rules for outbound NAT regarding IPSec passthrough and the other two.
    As I don't need any VPN service on the pfSense box, I want to disable the IPsec passthrough.

    So, do I just switch to Manual Outbound NAT rule generation and delete the first rule and there isn't a passthrough anymore?
    The reason for my concern is, that a passthrough bypasses NAT. Is this is correct?
    Isn't this the same as forwarding a port and thus a threat, when running a pfSense device with the default "Automatic outbound NAT rule generation"?

    Also, what do the other two rules do, as they look dangerous and intimidating to my beginner eyes.

    | Interface | Source | Source port | Destination | Destination port | NAT address | NAT port | Static port | Description |
    | WAN | 192.168.56.0/24 | * | * | 500 | WAN address | * | YES | Auto created rule for ISAKMP - LAN to WAN |
    | WAN | 192.168.56.0/24 | * | * | * | WAN address | * | NO | Auto created rule for LAN to WAN |
    | WAN | 127.0.0.0/8 | * | * | * | WAN address | 1024:65535 | NO | Auto created rule for localhost to WAN |

    Or from the /tmp/rules.debug file:

    
    # Outbound NAT rules
    nat on $WAN  from 192.168.56.0/24 to any port 500 -> 192.168.1.194/32  static-port
    nat on $WAN  from 192.168.56.0/24 to any -> 192.168.1.194/32 port 1024:65535  
    nat on $WAN  from 127.0.0.0/8 to any -> 192.168.1.194/32 port 1024:65535
    
    

  • LAYER 8 Global Moderator

    "The reason for my concern is, that a passthrough bypasses NAT. Is this is correct?"

    Uhh - NO.. That rule just says do not change the source port if dest port is 500.

    Here
    https://doc.pfsense.org/index.php/Static_Port

    As to the other rules.. They are what do the nat.. 2nd line says hey if your coming from the 192.168.56.0/24 network going out the WAN port, NAT the IP to the Wan address.

    3rd line is the loopback, ie processes on pfsense that might go to the internet out the wan, again change its IP to the wan address.  Kind of clearly says that right ther in the description.

    To be honest, beginner eyes should just leave it on AUTO ;)  You put it to manual your going to break something most likely and then blame it on pfsense ;)

    Common issue people change it to manual, then add another interface/network and can not figure out why they can't get to the internet.. Well you told pfsense you were smart enough to handle creation of nat rules is why ;)



  • @johnpoz:

    "The reason for my concern is, that a passthrough bypasses NAT. Is this is correct?"

    Uhh - NO.. That rule just says do not change the source port if dest port is 500.

    From the following wikipedia entry I can gather that IKE must be enabled in order to traverse NAT, thus bypassing it: IPsec traversal accross NAT
    On this documentation page, it says that port 500 has to be forwarded, if applied to a double NAT situation.

    Also, the automatic outbound NAT rule generation only says, that the IPsec passthrough rule is included, not enabled.

    My point here is, that I want to know if pfSense is doing NAT traversal on port 500 with the default configuration and I would be glad if you could explain this specific rule in detail.


  • LAYER 8 Global Moderator

    Dude are you creating ipsec tunnels from a box inside your network to a ipsec server outside your network?  If so all that rule does is tell pfsense NOT to randomly pick some source port but to keep it at 500..  That is ALL it does.

    If you do not use ipsec from behind pfsense you have no use for that rule - delete it if you want.. is an OUTBOUND rule has nothing to do with inbound anything..  Only thing it says if connection outbound from something from behind pfsense on that network uses a source port of 500, don't change it.. There is NO security issues with it.



  • As for using IPsec tunnels, no I don't use any.

    So, now to absolutely clarify this:
    As you mentioned, there is no security issue with it. The port 500 rule is nothing like a port forward or NAT-traversal rule, right?
    It basically just checks not to change the port from 500 to anything else, when something uses this port?


  • LAYER 8 Global Moderator

    If anything uses a source port of 500??  Why would anything else use it?  But no it would not be changed..  Pfsense has no clue to what would be using the port - the rule only says hey if source is 500, use 500 not some random port - ie static!

    But what would use it other than an ipsec tunnel?  Its a privileged port, ie below 1024.. Its not a ephemeral port



  • First of all, thanks yet again!

    Now, one last question.
    If I were to switch from the automatic outbound rule generation to manual and therefore exposing the three mentioned rules, deleting the port 500 rule and then changing the setting back to AON.

    Does the AON then properly include new rules or will there be any conflicts with the 2 shown rules and new rules not shown in the webGUI?


  • LAYER 8 Global Moderator

    If you switch back to automatic, then the rules are automatic and those rules don't mean anything that are listed from my understanding.

    If you don't want the ipsec rule in there which I can not fathom why anyone would care??  Then switch to manual and delete it and stay on manual.

    The only time outbound nat rules would be be automatically created is if you created new interfaces, say a openvpn server or added a vlan or another lan interface, etc..  Or if you changed the network that was on any of your lan interfaces.

    If all you have is your one lan interface/network and it does not change then it makes little difference if your on automatic or manual.  Just that if your manual and you change something any outbound rules that might be needed to allow that new network to work would not be auto created is all.

    You do understand you are making something of nothing - that outbound rule is not a security issue in any way shape or form..  Its not even used unless you create a oubound connection using a source port of 500.  And all that is says if you do - don't randomly changed it to say 1714 but leave it at 500..



  • That sums it all up.

    John, I want to thank you for all your help. You were very patient with any of my questions, no matter how basic they were.
    I hope you keep on doing this great community work and helping people, new or not new, with pfSense.

    Without your assistance I wouldn't be able to get all those questions answered.

    So, yes again. Thank you very much!


Log in to reply