[pfSense] Outbound NAT

Moshe Katz moshe at ymkatz.net
Mon May 7 14:54:06 EDT 2012


On Mon, May 7, 2012 at 2:15 PM, Ugo Bellavance <ugob at lubik.ca> wrote:

> On 2012-05-04 13:41, Ugo Bellavance wrote:
>
>> Hi,
>>
>> I'm still planning the Checkpoint -> pfSense migration, and I'm now at
>> the Outbound NAT part. In our current Checkpoint, every single NAT is
>> manually defined. It is a bit cumbersome and I doubt this adds to
>> security because we have default deny rules everywhere, ingress/egress.
>>
>> What are the best practices for Outbound NAT? I have one WAN and 9
>> networks on the LAN side. Within most of my LAN networks, I don't NAT,
>> but I do NAT with one of them. I also need to NAT to go out on the
>> internet, via WAN. So, basically, I need Outbound NAT for WAN and for
>> this one network that I need to NAT.
>>
>> One of my questions is: should I leave Automatic outbound NAT rule
>> generation or use Manual rules. From what I can see, the automatic rules
>> are only to access the internet, which is fine because I'll only allow
>> what I want with firewall rules. No matter if I go automatic or not,
>> I'll need a few rules that I can create for my LAN network that needs NAT.
>>
>> Just thinking aloud, but I'd be glad to know if my thinking sounds right.
>>
>> Thanks,
>>
>> Ugo
>>
>
> Is there something wrong with my question?  Now I've enabled automatic
> outbound NAT rule generation and the rules that were added by setting it to
> manual are still there.  Should I delete them?
>
>
> Thanks,
>
> Ugo
>

Hello,

To answer your original question, it is unlikely that you will need
anything other than the normal outbound NAT if you only have 1 WAN and you
aren't doing anything unusual as far as outgoing IP addresses.

There are two situations where we needed to use Manual Outbound NAT:

   - One location where we have multiple WANs
   - One location where all traffic to a particular destination (they have
   an IP whitelist for incoming traffic) has to always come from a particular
   IP address, no matter which computer sent the request.  Without the
   Outbound NAT rules, any computer that has 1-to-1 NAT set up for it will
   send traffic to this destination on its regular address and be blocked by
   their firewall.

To answer your new question, here is a quote from the Outbound NAT page:
"With automatic outbound NAT enabled, a mapping is automatically created
for each interface's subnet (except WAN-type connections) *and the rules on
this page are ignored*" (emphasis mine).

--
Moshe Katz
-- moshe at ymkatz.net
-- +1(301)867-3732
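The second manual-NAT situation in the reply (every internal host must reach a whitelisting partner from one fixed source address, even a host that normally leaves with its own dedicated public IP) comes down to rule ordering: pfSense evaluates outbound NAT rules top-down and the first match wins, and in automatic mode the manual list is ignored entirely. The following is an added toy model written for this thread, not pfSense code or anything from the original posts. It represents the dedicated per-host mapping as an ordinary outbound rule rather than as pfSense's separate 1:1 NAT (a simplification of this model), and all addresses are constructed from documentation ranges.

```python
"""Toy model of pfSense-style outbound NAT selection (added example, not
pfSense code).  Rules live in a list evaluated top-down, first match wins;
a dedicated per-host public address is modelled as an ordinary rule."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass
class OutboundNatRule:
    source: str          # internal host or subnet the rule matches (CIDR)
    destination: str     # destination the rule matches (CIDR); ANY for all
    translate_to: str    # public address the packet leaves WAN with
    comment: str = ""

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


@dataclass
class OutboundNat:
    wan_address: str
    lan_subnets: list               # interface subnets used by automatic mode
    automatic: bool = True          # "Automatic outbound NAT rule generation"
    manual_rules: list = field(default_factory=list)

    def active_rules(self):
        # Automatic mode: one catch-all mapping per LAN subnet to the WAN
        # address, and the manual rule list is ignored (the behaviour the
        # reply quotes from the Outbound NAT page).
        if self.automatic:
            return [OutboundNatRule(net, ANY, self.wan_address, f"automatic ({net})")
                    for net in self.lan_subnets]
        return list(self.manual_rules)

    def source_seen_by(self, src: str, dst: str):
        """(public source address, matched rule) the destination sees for src -> dst."""
        for rule in self.active_rules():
            if rule.matches(src, dst):
                return rule.translate_to, rule.comment
        # No rule matched: the packet leaves untranslated (a manual-mode pitfall).
        return src, "no translation"


# --- constructed sample addressing (documentation ranges, not real hosts) ---
WAN = "198.51.100.2"
LAN_NETS = ["10.0.1.0/24", "10.0.9.0/24"]
SERVER = "10.0.9.5"                # host with its own dedicated public address
WORKSTATION = "10.0.1.20"
PARTNER = "203.0.113.10"           # partner that whitelists one source IP
WHITELISTED_IP = "198.51.100.3"    # the one address the partner accepts
PUBLIC_SERVER_IP = "198.51.100.4"  # dedicated public address of SERVER
INTERNET_HOST = "192.0.2.80"

dedicated = OutboundNatRule(SERVER + "/32", ANY, PUBLIC_SERVER_IP, "server dedicated IP")
partner_rule = OutboundNatRule("10.0.0.0/8", PARTNER + "/32", WHITELISTED_IP, "partner whitelist")
catch_all = [OutboundNatRule(net, ANY, WAN, f"general ({net})") for net in LAN_NETS]


def wrong_order():
    # Dedicated-host rule listed above the partner rule: first match wins,
    # so SERVER reaches the partner from its dedicated IP and gets blocked.
    fw = OutboundNat(WAN, LAN_NETS, automatic=False,
                     manual_rules=[dedicated, partner_rule] + catch_all)
    return fw.source_seen_by(SERVER, PARTNER)[0]


def right_order():
    # Partner rule first: every internal host, SERVER included, reaches the
    # partner from the whitelisted address; everything else is unchanged.
    fw = OutboundNat(WAN, LAN_NETS, automatic=False,
                     manual_rules=[partner_rule, dedicated] + catch_all)
    return (fw.source_seen_by(SERVER, PARTNER)[0],
            fw.source_seen_by(WORKSTATION, PARTNER)[0],
            fw.source_seen_by(SERVER, INTERNET_HOST)[0],
            fw.source_seen_by(WORKSTATION, INTERNET_HOST)[0])


def missing_catch_all():
    # Manual mode without a general mapping: internet traffic leaves untranslated.
    fw = OutboundNat(WAN, LAN_NETS, automatic=False, manual_rules=[partner_rule])
    return fw.source_seen_by(WORKSTATION, INTERNET_HOST)


def automatic_ignores_manual():
    # The situation in the follow-up question: automatic mode re-enabled
    # while the manual rules are still listed; only the automatic mappings apply.
    fw = OutboundNat(WAN, LAN_NETS, automatic=True,
                     manual_rules=[partner_rule, dedicated] + catch_all)
    return fw.source_seen_by(SERVER, PARTNER)


if __name__ == "__main__":
    print("wrong order   :", wrong_order())
    print("right order   :", right_order())
    print("no catch-all  :", missing_catch_all())
    print("automatic mode:", automatic_ignores_manual())
```

The two things worth taking from the model: in manual mode the destination-specific rule has to sit above any broader rule that would also match the host, and you must still add the general per-subnet mappings yourself or ordinary internet traffic leaves the WAN untranslated; in automatic mode the leftover manual rules do nothing, which is why they can be deleted without changing behaviour.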