[pfSense] Outbound NAT

Ugo Bellavance ugob at lubik.ca
Fri May 4 13:41:39 EDT 2012


I'm still planning the Checkpoint -> pfSense migration, and I'm now at 
the Outbound NAT part.  In our current Checkpoint, every single NAT is 
manually defined.  It is a bit cumbersome and I doubt this adds to 
security because we have default deny rules everywhere, ingress/egress.

What are the best practices for Outbound NAT? I have one WAN and 9 
networks on the LAN side.  Within most of my LAN networks, I don't NAT, 
but I do NAT with one of them.  I also need to NAT to go out on the 
internet, via WAN.  So, basically, I need Outbound NAT for WAN and for 
this one network that I need to NAT.

One of my questions is: should I leave Automatic outbound NAT rule 
generation on or use Manual rules?  From what I can see, the automatic 
rules are only for accessing the internet, which is fine because I'll only 
allow what I want with firewall rules.  Whether I go automatic or 
not, I'll need a few rules that I can create for my LAN network that 
needs NAT.

Just thinking aloud, but I'd be glad to know if my thinking sounds right.
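As an added illustration (not part of the original message, and not a ruleset pfSense itself generated), the two outbound NAT cases described above written in the pf syntax that pfSense produces on FreeBSD. Interface names and prefixes are assumptions for the example: em0 is WAN, em1 faces the one internal network that must be translated (192.168.50.0/24), and 10.0.0.0/8 stands in for the other eight internal networks, which are routed without translation.

```pf
# Added example, not from the original post. Interface names and
# address ranges are assumed for illustration only:
#   em0 = WAN
#   em1 = the one internal network that requires NAT (192.168.50.0/24)
#   10.0.0.0/8 summarizes the other eight internal networks, which
#   are routed between each other without translation.
wan_if    = "em0"
natnet_if = "em1"
natnet    = "192.168.50.0/24"
lan_nets  = "{ 10.0.0.0/8, 192.168.50.0/24 }"

# Case 1: the effect of pfSense's automatic outbound NAT. Every
# internal network is translated to the WAN interface address when it
# leaves via WAN. "($wan_if)" in parentheses tracks the interface
# address dynamically, so a DHCP-assigned WAN address still works.
nat on $wan_if from $lan_nets to any -> ($wan_if)

# Case 2: the one rule the automatic mode does not express. Traffic
# from the other internal networks into 192.168.50.0/24 is translated
# to the firewall's own address on that network (assumed direction).
nat on $natnet_if from 10.0.0.0/8 to $natnet -> ($natnet_if)

# No nat line on the remaining internal interfaces, so traffic between
# the other LAN networks keeps its real source address and is governed
# only by the default-deny filter rules, as the post intends.
```

In the pfSense GUI the same split is two Outbound NAT entries in Manual mode, one per `nat` line above; with automatic generation only the first is created, which matches the observation in the message that the automatic rules cover internet access alone. Translation does not restrict anything by itself: the filter rules still decide what is permitted in each direction.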
