Can someone please explain the default NAT Rules & VPN NATing questions



  • When I go from automatic NAT to manual, it makes the following rules by default

    Interface:  WAN
    Source: 127.0.0.0/8
    Port: 500
    NAT Addresses: WAN Address
    Static Port: Yes

    Interface:  WAN
    Source: 127.0.0.0/8
    Port: *
    NAT Addresses: WAN Address
    Static Port: No

    Interface:  WAN
    Source: xxx.xxx.xxx.xxx/24
    Port: 500
    NAT Addresses: WAN Address
    Static Port: Yes

    Interface:  WAN
    Source: xxx.xxx.xxx.xxx/24
    Port: *
    NAT Addresses: WAN Address
    Static Port: No

    a) Is there a reason for 2) and 4) to have static port set to No?

    b)  Is there a reason home is put above the LAN address?

    c)  VPNs require a rule like this:

    Interface: VPN
    Source: xxx.xxx.xxx.xxx/24
    Port: *
    NAT Addresses: VPN Address
    Static Port: No

    Do VPNs also need a rule like this as well?

    Interface: VPN
    Source: 127.0.0.0/8
    Port: *
    NAT Addresses: VPN Address
    Static Port: No

    d)  Do VPNs need that Port 500 static port rule duplicated as well for both 127.0.0.0/8 & xxx.xxx.xxx.xxx/24  ?


  • Netgate

    @Ryu945:

    When I go from automatic NAT to manual, it makes the following rules by default

    Interface:  WAN
    Source: 127.0.0.0/8
    Port: 500
    NAT Addresses: WAN Address
    Static Port: Yes

    Interface:  WAN
    Source: 127.0.0.0/8
    Port: *
    NAT Addresses: WAN Address
    Static Port: No

    Interface:  WAN
    Source: xxx.xxx.xxx.xxx/24
    Port: 500
    NAT Addresses: WAN Address
    Static Port: Yes

    Interface:  WAN
    Source: xxx.xxx.xxx.xxx/24
    Port: *
    NAT Addresses: WAN Address
    Static Port: No

    Why are you obfuscating your private IP addresses? All that does is hinder our ability to understand your network and help you.

    a) Is there a reason for 2) and 4) to have static port set to No?

    Because, in general, the source port doesn't have to be static.  It helps with outbound IPSec pass-through which is what the other rules (matching only source port 500) are for.

    b)  Is there a reason home is put above the LAN address?

    Huh?

    c)  VPNs require a rule like this:

    Interface: VPN
    Source: xxx.xxx.xxx.xxx/24
    Port: *
    NAT Addresses: VPN Address
    Static Port: No

    To accomplish what?

    Do VPNs also need a rule like this as well?

    Interface: VPN
    Source: 127.0.0.0/8
    Port: *
    NAT Addresses: VPN Address
    Static Port: No

    Again, what are you trying to accomplish?  What kind of VPN? What are you trying to do?

    d)  Do VPNs need that Port 500 static port rule duplicated as well for both 127.0.0.0/8 & xxx.xxx.xxx.xxx/24  ?

    If you are trying to translate outgoing IPSec sessions over the VPN, probably.

    You need to understand what the outbound rules are saying:

    Interface:  WAN

    When you (pfSense) have a packet going OUT the WAN interface (This is a packet that has already been passed by the firewall and is simply on its way out the specified interface.)

    Source: xxx.xxx.xxx.xxx/24

    And the source address matches this

    Port: *

    And the source port is any

    NAT Addresses: WAN Address

    Translate the source address (xxx.xxx.xxx.xxx/24) to the address of the WAN interface on its way out.

    Static Port: No

    And feel free to translate the source port to something you have available if you want.



  • To clear up the earlier question.

    b)  Is there a reason the WAN rule for 127.0.0.0/8 is above the rule for  xxx.xxx.xxx.xxx/24  in the NAT rule listing?

    c)  OpenVPNs require a rule like this:

    Interface: VPN
    Source: xxx.xxx.xxx.xxx/24
    Port: *
    NAT Addresses: VPN Address
    Static Port: No

    so that the OpenVPNs operate at all.  Without that rule, the OpenVPN will not function.  My question is:

    Do OpenVPNs also need a rule like this as well?

    Interface: VPN
    Source: 127.0.0.0/8
    Port: *
    NAT Addresses: VPN Address
    Static Port: No

    d)  Is there any downside to putting everything through static port?


  • Rebel Alliance Global Moderator

    "d)  Is there any downside to putting everything through static port?"

    Yeah.. You have multiple devices behind pfSense, do you not..  So client 1 goes to pfsense.org:80 from his random source port of say 42103… So say 192.168.1.100:42103

    pfSense, using NAPT, creates the connection from publicIP:port to pfsense.org:80

    So if it always used static and pfSense used the same source port as your client, so you had publicIP:42103, what if client 2 or 3 or 14 wants to talk to say facebook.com:80 and it just happens to use that same source port 42103 -- how does pfSense maintain both connections?  192.168.1.122:42103 It can't!!!

    Now if you had only 1 client behind your NAT it wouldn't be an issue because, well, clients are not going to use the same source port to connect to different places.  But the more clients you have behind pfSense the more likely it is that you would run into issues with clients using the same source port in a conversation to the public..  So you're going to break shit if you try and force all ports to static.

    And since machines, when started, start at the beginning of the range and not some random part of their ephemeral port range - while different versions of OS have altered what range they use, etc.. if you had a bunch of Windows 7 machines that all use the same range and you rebooted them, say in the morning when everyone turned on their machines - you would have a shit storm of why does the internet work and then not work and then work, why is it SLOW, etc. etc. etc.. And connections were attempted with the same ports and pfSense set to use static couldn't make those connections.
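As an added illustration (not from the thread and not pfSense code), here is a small Python model of the first-match outbound rule list quoted above together with a NAT state table; it shows the port-500 rules keeping the source port and failing when a second client reuses the same source port toward the same destination, while the non-static rules simply rewrite the port. The LAN network 192.168.1.0/24 and WAN address 203.0.113.10 are constructed stand-ins for the obfuscated values.

```python
"""Toy model of outbound NAT (NAPT) with a pf-style state table.
Added example, not pfSense code: 192.168.1.0/24 stands in for the
obfuscated LAN and 203.0.113.10 for the WAN address (both constructed)."""
import ipaddress

WAN_ADDR = "203.0.113.10"

# Mirrors the default list from the thread; first match wins, top to bottom.
RULES = [
    {"iface": "WAN", "src": "127.0.0.0/8",    "sport": 500,  "static": True},
    {"iface": "WAN", "src": "127.0.0.0/8",    "sport": None, "static": False},
    {"iface": "WAN", "src": "192.168.1.0/24", "sport": 500,  "static": True},
    {"iface": "WAN", "src": "192.168.1.0/24", "sport": None, "static": False},
]


def match_rule(iface, src_ip, sport):
    """Return the first rule whose interface, source network and source port match."""
    for rule in RULES:
        if rule["iface"] != iface:
            continue
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src"]):
            continue
        if rule["sport"] is not None and rule["sport"] != sport:
            continue
        return rule
    return None


class NatTable:
    """State table keyed on the public side: (pub_ip, pub_port, dst_ip, dport)."""
    def __init__(self):
        self.states = {}
        self.next_port = 49152  # constructed start of the translation port pool

    def translate(self, iface, src_ip, sport, dst_ip, dport):
        """Return (pub_ip, pub_port) for a new outbound flow, or None if it cannot be NATed."""
        rule = match_rule(iface, src_ip, sport)
        if rule is None:
            return None  # no matching outbound rule: packet is not translated
        if rule["static"]:
            key = (WAN_ADDR, sport, dst_ip, dport)
            if key in self.states and self.states[key] != (src_ip, sport):
                return None  # another client already owns this public 5-tuple
            pub_port = sport  # static port: keep the client's source port
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1  # rewrite freely
        self.states[(WAN_ADDR, pub_port, dst_ip, dport)] = (src_ip, sport)
        return (WAN_ADDR, pub_port)
```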