Trying to understand NAT with VPN

  • I setup pfSense (2.1-RELEASE (amd64)) a couple weeks back and configured the firewall as a VPN client to Private Internet Access (PIA). I did this so that all clients on my LAN are routed through the VPN. I pretty much followed this tutorial and everything is working as expected:

    Now here's the thing…although it's working, I don't understand some of the settings. Specifically with the need to change "Automatic outbound NAT" to "Manual Outbound NAT" (AON). Let me explain...

    When I have "Automatic outbound NAT" selected, the LAN traffic is correctly routed to the VPN tunnel, but it's not NAT'd to my VPN IP address as it enters the VPN tunnel. Furthermore, the VPN server is apparently not configured to NAT my LAN subnet, because it's unaware of what subnet I'm using. This makes sense and is the reason why I don't have internet access through the VPN.

    To fix, I have to NAT on my end, and this is accomplished by changing "Automatic outbound NAT" to "Manual Outbound NAT" (AON). Once this is done, I have internet access through the VPN.

    But I still want to know why I have to make this change. Why isn't my LAN automatically NAT'd when set to automatic mode?

    With "Automatic outbound NAT" selected, these are the automatic mappings created as seen in /tmp/rules.debug:

    # Subnets to NAT 
    tonatsubnets	= "{  }"
    nat on $WAN  from $tonatsubnets port 500 to any port 500 -> port 500  
    nat on $WAN  from $tonatsubnets to any -> port 1024:65535 

    After changing "Automatic outbound NAT" to "Manual Outbound NAT" (AON), these are the automatic mappings created as seen in /tmp/rules.debug:

    # Outbound NAT rules
    nat on $WAN  from to any port 500 ->  static-port
    nat on $WAN  from to any -> port 1024:65535  
    nat on $WAN  from to any -> port 1024:65535  
    nat on $PIAVPN  from to any port 500 ->  static-port
    nat on $PIAVPN  from to any -> port 1024:65535  
    nat on $PIAVPN  from to any -> port 1024:65535  

    Can anyone explain this? Why is it that the necessary NAT mappings for my VPN interface are automatically created when I select "Manual Outbound NAT" (AON) but they're not automatically created when in "Automatic outbound NAT" mode? Doesn't that seem contradictive? I don't understand the logic. As soon as I switch to "Manual outbound NAT" the mappings are automatically created for my VPN interface. I'm not defining those manually myself. So shouldn't they be automatically created in automatic mode as well?

  • That sounds like a timing bug. I am guessing that when the system first boots, the OpenVPN is not yet established, so there is no WAN-like link yet for it, and so no NAT rules to build. Then when it comes up, it gets a gateway etc, but (for whatever reason) does not get the Automatic NAT ruleset rebuilt.
    It sounds reproducible by you. And sounds like a home system. So I would first try 2.1.1-prerelease from - there have been so many "little" things fixed up in that I would try it, and then report back if the problem is fixed or not. If it is not fixed, then I think it would be worth finding the point in the code where a NAT rule rebuild needs to be triggered.

  • Thanks, Phil. I'll try your suggestion and get back to you.


  • Hi Phil. I finally spent some time looking into this again, and I'm sorry to say that 2.1.1-prerelease reproduces the same symptoms.

    Additionally, I thought I'd add another observation that exists on both 2.1-release and 2.1.1-prerelease. You indicated that this might be a timing bug when the system first boots. If this is indeed a bug, then I think it may extend a bit further. Even after the system is booted, the NAT ruleset isn't rebuilt correctly for the VPN interface under either of the following conditions:

    • If the OpenVPN client is restarted while in "Automatic outbound NAT" mode

    • When outbound NAT is switched from "Manual Outbound NAT" to "Automatic outbound NAT"

    I might be wrong, but my logic dictates that the ruleset should be rebuilt (or at least evaluated) in both of these situations.

    So how do we move on from here?

    Thank you,


  • I had a look at the code, and it is internally inconsistent. Automatic NAT does not generate rules out OpenVPN interfaces with gateways. But when you press the "Manual" button and "Save", the code there does generate manual rules for you, as you have seen.
    In the code coming for 2.2 some of this stuff has been re-engineered and it looks consistent now - but it does not generate NAT rules out OpenVPN at all - which is not quite what you may be hoping for!
    I raised a bug in Redmine -
    We will see how the devs think it should be engineered.

  • Phil,

    In a way, I have to say that this is excellent news, at least from the standpoint that it explains the situation. And honestly, my intention wasn't for NAT rules to be automatically generated. I really just wanted to understand why it automatically made the rules in manual mode and not in automatic mode. In the end, if the rules have to manually entered, then so be it. At least it would be consistent.

    So thank you again for your time and for starting a bug report. I'll keep an eye on the progress.

    Best regards,


Log in to reply