
calebh (Newbie)
Outbound NAT Simplification
« on: December 07, 2017, 07:50:21 pm »
Hi All,

Our environment...
Functioning HA setup in our office and datacenter.
Several OpenVPN server instances on each HA pair in both locations.
OpenVPN tunnel between the locations, Office is set as client.

Situation...
We're adding some VLANs and associated subnets to the Office firewalls, and it's really tedious to manually add the Outbound NAT rules for each subnet. To simplify the setup, I disabled all the auto-added rules and created two (one regular, one ISAKMP) that have the source address set to "Any." Unfortunately, this caused the Backup firewall to not have access to the internet to do things like check for OS updates, presumably because the outbound packets from that machine were being sent as the CARP VIP, and so the Master was the one processing the return packets.

So my next idea was to create additional rules above my enabled rules, and set their source to "This firewall (self)" and set the NAT Address to the Interface address. However, in the case of the OpenVPN client (that creates the tunnel to the datacenter), packets were then being sent as the firewall itself, and not the CARP VIP.

So now I'm wondering what rules should be in place in order to prevent the source IP from changing on things such as OpenVPN, but allow the firewalls to individually connect to the internet, too?

Derelict (Global Moderator)
Re: Outbound NAT Simplification
« Reply #1 on: December 07, 2017, 08:28:39 pm »
You probably don't want to outbound NAT for "This Firewall" because you generally do not want to outbound NAT for the WAN interface addresses themselves. For the same reason, setting a source address for outbound NAT of "any" is generally bad news.

You might be able to get away with creating outbound NAT rules with the source address set to an RFC1918 alias (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). That will catch everything on the inside with private addresses while leaving the public interface addresses alone.

Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

calebh (Newbie)
Re: Outbound NAT Simplification
« Reply #2 on: December 08, 2017, 10:50:52 am »
The default rules include a pair with the source network being 127.0.0.0/8. Should those be enabled, ignored, etc.?

Derelict (Global Moderator)
Re: Outbound NAT Simplification
« Reply #3 on: December 08, 2017, 11:31:35 am »
They need to be enabled and set to use the CARP VIP.
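The three rulesets discussed in this thread (source "any" to the VIP; a "This Firewall (self)" rule to the interface address placed above it; and Derelict's advice of an RFC1918 alias plus the 127.0.0.0/8 rules sent from the CARP VIP) differ only in which packet sources they catch, so their effect can be checked with a small first-match model. The code below is an added example, not pfSense code and not from any post in the thread. It assumes that outbound NAT is first-match on source address (destination, interface and protocol matching are left out), that "This Firewall (self)" covers every address on the box including the CARP VIP, and it uses constructed RFC 5737 addresses for the WAN side.

```python
# Added example: a first-match model of the outbound NAT rulesets discussed
# in this thread. Not pfSense code and not from any post; rule semantics are
# simplified and all addresses below are constructed (RFC 5737 ranges).
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed lab addresses (assumption, not from the thread).
WAN_VIP = "203.0.113.10"      # CARP VIP shared by the HA pair
WAN_MASTER = "203.0.113.11"   # master node's own WAN interface address
WAN_BACKUP = "203.0.113.12"   # backup node's own WAN interface address
LAN_HOST = "192.168.50.7"     # a host on one of the new VLAN subnets

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCALHOST = [ip_network("127.0.0.0/8")]
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class NatRule:
    name: str
    sources: List[IPv4Network]     # packet source must fall in one of these
    translate_to: Optional[str]    # None models a "no NAT" rule


def self_networks(node_addr: str) -> List[IPv4Network]:
    """Model of pfSense's 'This Firewall (self)' source on one node.

    Assumption: 'self' covers every address on the box, including the CARP
    VIP, so VIP-sourced traffic (e.g. an OpenVPN client bound to the VIP)
    matches it as well.
    """
    return [ip_network(node_addr + "/32"), ip_network(WAN_VIP + "/32")]


def egress_source(rules: List[NatRule], src: str) -> str:
    """First matching rule wins, as in pf; return the post-NAT source."""
    s = ip_address(src)
    for r in rules:
        if any(s in net for net in r.sources):
            return src if r.translate_to is None else r.translate_to
    return src  # no rule matched: the packet leaves untranslated


# Ruleset 1: the original simplification, source "any" -> CARP VIP.
ANY_TO_VIP = [NatRule("any -> VIP", ANY, WAN_VIP)]

# Ruleset 2: "This Firewall" -> interface address placed above ruleset 1,
# as evaluated on the master node.
SELF_ABOVE_ANY = [NatRule("self -> iface", self_networks(WAN_MASTER), WAN_MASTER)] + ANY_TO_VIP

# Ruleset 3: the advice in the thread: 127.0.0.0/8 rules enabled and sent
# from the VIP, an RFC1918 alias for everything inside, and no rule that
# touches the public interface addresses at all.
RFC1918_TO_VIP = [
    NatRule("localhost -> VIP", LOCALHOST, WAN_VIP),
    NatRule("rfc1918 -> VIP", RFC1918, WAN_VIP),
]


def compare() -> dict:
    """Post-NAT source for the kinds of traffic the thread cares about."""
    return {
        # backup node checking for updates from its own interface address
        "any: backup self-traffic": egress_source(ANY_TO_VIP, WAN_BACKUP),
        # OpenVPN client on the master bound to the VIP
        "self-above-any: vpn from VIP": egress_source(SELF_ABOVE_ANY, WAN_VIP),
        "rfc1918: backup self-traffic": egress_source(RFC1918_TO_VIP, WAN_BACKUP),
        "rfc1918: vpn from VIP": egress_source(RFC1918_TO_VIP, WAN_VIP),
        "rfc1918: LAN host": egress_source(RFC1918_TO_VIP, LAN_HOST),
        "rfc1918: localhost": egress_source(RFC1918_TO_VIP, "127.0.0.1"),
    }


if __name__ == "__main__":
    for name, post_nat in compare().items():
        print(f"{name:32s} -> {post_nat}")
```

Under the "any" ruleset the backup node's own update check leaves as the VIP, so the replies land on whichever node holds the VIP (the master), which is the symptom from the first post. With "This Firewall" above it, VIP-sourced traffic such as the OpenVPN client is rewritten to the interface address, the second symptom. With the RFC1918 alias the public interface addresses and the VIP never match a rule and leave untouched, while the new VLAN subnets and localhost-sourced traffic still leave as the VIP, and new subnets inside 10/8, 172.16/12 or 192.168/16 need no additional rule. The model ignores destination and interface matching, so a real ruleset still needs the per-interface rules pfSense expects.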