Netgate Discussion Forum

    Automatic Outbound NAT Cleanup

    gmcclung

      Hello All,

      Did not see this posted anywhere under the NAT area of the forum, so if this was already answered then I apologize.

      I am running pfSense 2.2.2 and was just made aware that the automatic outbound NAT rule with the description "Auto created rule for ISAKMP" was applied during an IPsec VPN attempt. I have since moved away from IPsec VPNs and would like to clean up or remove this rule.

      I have disabled all the IPsec VPNs that had been turned on, rebooted, and cannot seem to find a way to clean this up.

      Any suggestions on how to fix this?

      mwhitcomb7

        Hi

        You could go to the Firewall > NAT > Outbound tab, change automatic NAT to Manual, then create the rules you want.

        Cheers

        doktornotor

          There is nothing to fix. If you don't want the automated VPN rules, then disable them in System -> Advanced -> Firewall and NAT -> Disable Auto-added VPN rules.

          cmb

            Those have nothing to do with your IPsec. Those are the defaults to avoid breaking non-NAT-T IPsec clients behind the firewall. Best to just ignore them, or switch to manual outbound NAT if you must.

            gmcclung

              Thanks for all the help and suggestions,

              doktornotor
              Did not know this was an option; "Disable Auto-added VPN rules" is good to know.

              cmb
              I do not have any IPsec clients behind the firewall.

              Even if I do go to manual outbound NAT, which really was not my intention, and go back to Automatic Outbound NAT, they are still listed.
              Just trying to keep things clean and tight; I do not want to give anyone an option to find a hole in a service I am no longer using.

              Was hoping there was some kind of clean-up command that I did not know about. Will just have to be more aware the next time I rebuild.

              Thanks

              phil.davis

                > Even if I do go to manual outbound NAT which really was not my intention and go back to Automatic Outbound NAT they are still listed.

                When you switch back to Automatic then automatic does what it is supposed to do - it automatically puts these NAT rules in place. That does not create any security hole - they're just helper rules for client apps. That is not where the pass/block decision is made.
                If, for example, you do not want to allow clients to do anything to port 500 then you can use a firewall rule to block that on LAN interfaces.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
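To illustrate the point made above about translation rules versus filter rules, here is an added pf.conf fragment written for this thread; it is not pfSense's generated rules.debug, and the interface names (em0/em1), the WAN address 203.0.113.10 and the LAN subnet 192.168.1.0/24 are assumptions.

```pf
# Added example (not pfSense-generated output). Assumed names and addresses:
wan_if  = "em0"
wan_ip  = "203.0.113.10"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# A helper NAT rule of the kind the automatic outbound NAT mode creates for ISAKMP.
# "static-port" keeps UDP source port 500 unchanged so an IPsec client behind the
# firewall still appears to its peer as coming from port 500. This line only says
# HOW to translate a packet that is already allowed; it does not allow anything.
nat on $wan_if proto udp from $lan_net port 500 to any port 500 -> $wan_ip port 500 static-port

# Ordinary outbound NAT for everything else leaving the LAN.
nat on $wan_if from $lan_net to any -> $wan_ip

# The pass/block decision lives in the filter rules. Blocking UDP 500 on the LAN
# interface drops ISAKMP on the way in, before routing and before the WAN NAT rule
# is ever consulted, so the helper rule above becomes inert without being removed.
block in quick log on $lan_if proto udp from $lan_net to any port 500
pass in on $lan_if from $lan_net to any keep state
```

On a live box, `pfctl -sn` lists the loaded translation rules and `pfctl -sr` the filter rules, which makes it easy to confirm the block is in place while the helper NAT rule is still listed.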

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.