How can I see the Outbound NAT rules that are automatically created?



  • I have set up an OpenVPN-Server on pfSense and almost everything works fine except for the fact that Roadwarriors do not have access to the internet via the VPN-Tunnel. They can use my LAN-Resources but they cannot connect to any internet site neither by names nor by IP-addresses (so it is no DNS problem).

    I have found out that this has to do with the Settings in Firewall > NAT > Outbound.

    When I choose "Automatic outbound NAT rule generation" it solves the issue and the connected OpenVPN-Clients can surf the Internet via the VPN-Tunnel.

    But for some reasons I have to use "Manual Outbound NAT rule generation". The problem is that I cannot figure out what rule I have to create that allows remotely connected OpenVPN-clients connected to my pfSense box to use my WAN connection in order to surf the internet.

    So my questions are:

    1. Is there a way I can see what rules are automatically created when "Automatic outbound NAT rule generation" is active?

    2. Or can you give me hints what rule(s) I have to create for outbound NAT to solve my problem?

    :) Seems that I just found it out myself: I added an outbound NAT-rule for the WAN interface with 10.8.0.0/24 (this is my tunnel network) as source with the WAN Address as NAT Address and now my roadwarriors can surf through the tunnel. I am quite sure that I tested this rule a hundred times before without any success. But now it works. Very strange…


  • Rebel Alliance Developer Netgate

    For others that are curious, while you're on Automatic Outbound NAT, you can see the automatic rules using Diagnostics > Command:

    grep tonatsubnets /tmp/rules.debug

    On pfSense 2.2 the automatic rules are listed even when you're in automatic mode so that won't be necessary.
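As an added example (not part of either forum post, and not pfSense's own tooling), the following shell script goes one step beyond the single grep above: it pulls every "nat on" line out of a rules.debug-style file, expands the tonatsubnets macro, and checks whether a given source network (here the 10.8.0.0/24 tunnel network from the question) is covered by an outbound NAT rule on a given interface. The sample rules file is constructed, and the exact line format pfSense writes (interface name em0, the "-> em0:0 port 1024:65535" target) is an assumption; the script only relies on the "nat on <if> ... from <src>" prefix, so it can be pointed at a real /tmp/rules.debug when comparing manual rules against what automatic mode produced.

```shell
# Added example: audit outbound NAT rules in a pf rules.debug-style file.
# SAMPLE_RULES is a CONSTRUCTED sample; the line format is an assumption.
SAMPLE_RULES='# Outbound NAT rules (constructed sample)
tonatsubnets = "{ 192.168.1.0/24 192.168.2.0/24 }"
nat on em0 inet from $tonatsubnets to any port 500 -> em0:0 static-port
nat on em0 inet from $tonatsubnets to any -> em0:0 port 1024:65535
nat on em0 inet from 10.8.0.0/24 to any -> em0:0 port 1024:65535'

# list_nat_sources FILE
# Prints "<interface> <source>" for every "nat on" rule, expanding the
# $tonatsubnets macro into one line per subnet.
list_nat_sources() {
    awk '
      /^tonatsubnets[ \t]*=/ {
          sub(/^[^"]*"[{] */, ""); sub(/ *[}]".*$/, ""); macro = $0; next
      }
      $1 == "nat" && $2 == "on" {
          src = ""
          for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
          if (src == "$tonatsubnets") {
              n = split(macro, a, " ")
              for (j = 1; j <= n; j++) print $3, a[j]
          } else if (src != "") {
              print $3, src
          }
      }' "$1"
}

# nat_covers FILE SUBNET IFACE
# Succeeds (exit 0) when some outbound NAT rule on IFACE has SUBNET as source.
nat_covers() {
    list_nat_sources "$1" | grep -qxF "$3 $2"
}

# Demo against the constructed sample; on a real box pass /tmp/rules.debug instead.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$f"
    list_nat_sources "$f"
    if nat_covers "$f" 10.8.0.0/24 em0; then
        echo "tunnel network 10.8.0.0/24 is NATed on em0"
    else
        echo "no outbound NAT rule for 10.8.0.0/24 on em0"
    fi
    rm -f "$f"
}
demo
```

Run it once in automatic mode and once after switching to manual mode; any "<interface> <source>" pair that appears in the first listing but not the second is a rule you still have to create by hand.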