[pfSense] Outbound NAT
moshe at ymkatz.net
Mon May 7 14:54:06 EDT 2012
On Mon, May 7, 2012 at 2:15 PM, Ugo Bellavance <ugob at lubik.ca> wrote:
> On 2012-05-04 13:41, Ugo Bellavance wrote:
>> I'm still planning the Checkpoint -> pfSense migration, and I'm now at
>> the Outbound NAT part. In our current Checkpoint, every single NAT is
>> manually defined. It is a bit cumbersome and I doubt this adds to
>> security because we have default deny rules everywhere, ingress/egress.
>> What are the best practices for Outbound NAT? I have one WAN and 9
>> networks on the LAN side. Within most of my LAN networks, I don't NAT,
>> but I do NAT with one of them. I also need to NAT to go out on the
>> internet, via WAN. So, basically, I need Outbound NAT for WAN and for
>> this one network that I need to NAT.
>> One of my questions is: should I leave Automatic outbound NAT rule
>> generation or use Manual rules. From what I can see, the automatic rules
>> are only to access the internet, which is fine because I'll only allow
>> what I want with firewall rules. No matter if I go automatic or not,
>> I'll need a few rules that I can create for my LAN network that needs NAT.
>> Just thinking aloud, but I'd be glad to know if my thinking sounds right.
> Is there something wrong with my question? Now I've enabled automatic
> outbound NAT rule generation and the rules that were added by setting it to
> manual are still there. Should I delete them?
To answer your original question, it is unlikely that you will need
anything other than the normal outbound NAT if you only have 1 WAN and you
aren't doing anything unusual as far as outgoing IP addresses.
There are two situations where we needed to use Manual Outbound NAT:
- One location where we have multiple WANs
- One location where all traffic to a particular destination (they have
an IP whitelist for incoming traffic) has to always come from a particular
IP address, no matter which computer sent the request. Without the
Outbound NAT rules, any computer that has 1-to-1 NAT set up for it will
send traffic to this destination on its regular address and be blocked by
To answer your new question, here is a quote from the Outbound NAT page:
"With automatic outbound NAT enabled, a mapping is automatically created
for each interface's subnet (except WAN-type connections) *and the rules on
this page are ignored*" (emphasis mine).
-- moshe at ymkatz.net
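As an added illustration that is not part of the original thread, here are the two manual outbound NAT rules Moshe describes, written in the raw pf.conf syntax that pfSense generates from its GUI; the interface name, addresses and networks are constructed placeholders. pf translation rules are first-match, so the destination-specific rule has to sit above the catch-all.

```pf
# Constructed example: interface, addresses and networks are placeholders.
ext_if   = "em0"                            # WAN interface
wan_ip   = "203.0.113.10"                   # WAN interface address
fixed_ip = "203.0.113.11"                   # the one address the partner whitelists
partner  = "198.51.100.20"                  # partner host that only accepts $fixed_ip
lan_nets = "{ 10.1.0.0/24, 10.2.0.0/24 }"   # LAN-side networks that must be NATed

# 1. Destination-specific rule first: any LAN host reaching the partner
#    leaves with $fixed_ip as its source, no matter which host sent it.
#    Per the reply above, without this rule a host with 1:1 NAT would
#    leave on its own mapped address and be rejected by the whitelist.
nat on $ext_if from $lan_nets to $partner -> $fixed_ip

# 2. Catch-all for everything else on the Internet. This is the mapping
#    Automatic outbound NAT would create per interface subnet; it is only
#    written out here because Manual mode ignores the automatic mappings.
nat on $ext_if from $lan_nets to any -> $wan_ip

# Traffic between internal networks never crosses $ext_if, so neither rule
# applies to it: no NAT between LAN segments, matching the original question.
```

On the pfSense Outbound NAT page this is two rules with rule generation set to Manual, the partner rule ordered above the WAN rule; in Automatic mode both would be ignored, as the quoted documentation states.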