[pfSense] Outbound NAT

Ugo Bellavance ugob at lubik.ca
Fri May 4 13:41:39 EDT 2012


Hi,

I'm still planning the Checkpoint -> pfSense migration, and I'm now at 
the Outbound NAT part.  In our current Checkpoint, every single NAT is 
manually defined.  It is a bit cumbersome and I doubt this adds to 
security because we have default deny rules everywhere, ingress/egress.

What are the best practices for Outbound NAT? I have one WAN and 9 
networks on the LAN side.  Within most of my LAN networks, I don't NAT, 
but I do NAT with one of them.  I also need to NAT to go out on the 
internet, via WAN.  So, basically, I need Outbound NAT for WAN and for 
this one network that I need to NAT.

One of my questions is: should I leave Automatic outbound NAT rule 
generation or use Manual rules?  From what I can see, the automatic 
rules are only to access the internet, which is fine because I'll only 
allow what I want with firewall rules.  No matter if I go automatic or 
not, I'll need a few rules that I can create for my LAN network that 
needs NAT.

Just thinking aloud, but I'd be glad to know if my thinking sounds right.

Thanks,

Ugo


