
Topic: "Manual outbound NAT rule generation" rule question (Read 909 times)


ace (Jr. Member, Posts: 28)
"Manual outbound NAT rule generation" rule question
« on: June 25, 2012, 03:29:06 am »
We have 4 interfaces on the pfSense boxes:
1) WAN
2) LAN
3) STAGE LAN
4) XOVER (pfsync).

When we select the radio button for "Manual outbound NAT rule generation" it only generates a rule for the WAN with the source being the LAN network.

Interface    Source    Source Port    Destination    Destination Port    NAT Address    NAT Port    Static Port
WAN      10.9.32.0/24         *            *            *                    *                    *               NO

Surely the source should be "*", or at least both the LAN network and the STAGE LAN network (and all networks underneath these two - in a multi-tier network architecture, the top LAN tier being the DMZ, and APP/DB tiers firewalled underneath it).

Also, surely the default rule should have had the NAT address set to the WAN IP?  Obviously, it needs to be changed to the CARPed WAN IP.

SeventhSon (Full Member, Posts: 287)
Re: "Manual outbound NAT rule generation" rule question
« Reply #1 on: August 17, 2012, 02:17:12 pm »
The standard wouldn't have the NAT set because of PRB/LB I would say. And you wouldn't want it to generate a NAT rule for a LAN interface, that would be weird...

I think once you start with multiple LAN/WAN you would have to go the manual way and put the subnets in yourself. Otherwise, we need an option on each interface to tell us if it's WAN or LAN.

podilarius (Hero Member, Posts: 1763)
Re: "Manual outbound NAT rule generation" rule question
« Reply #2 on: August 17, 2012, 04:52:21 pm »
In 2.0.1 and 2.1, if you have interfaces set up with a manual address, then pfSense will create a manual rule for them when switching from auto, the first time you do it. From then on you have to create your own rules.

If you are running clustered firewalls, then you most definitely want it using the CARP addresses. Nothing should be using the physical address except for the localhost (127.0.0.1).
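The two points raised in this thread (every internal subnet needs its own outbound rule once you go manual, and on a CARP cluster the translation address must be the CARP VIP rather than the physical WAN address) can be checked against the rules pf actually loaded, as shown by `pfctl -sn` on the firewall. The following is an added example and not code from the thread or from pfSense; the sample `pfctl -sn` output, the interface name `em0`, the subnets and the 203.0.113.x addresses are constructed assumptions. It parses the loaded `nat on` rules, flags any that translate to a physical (non-CARP) address, reports internal subnets with no rule on the WAN, and renders the rule lines a correct manual set would produce.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `pfctl -sn` output (assumption, not from the thread).
# Two rules for the LAN subnet (the isakmp static-port rule and the generic
# one) and one rule for the STAGE LAN subnet that still translates to a
# physical WAN address instead of the CARP VIP.
SAMPLE_PFCTL_SN = """\
nat on em0 inet from 10.9.32.0/24 to any port = isakmp -> 203.0.113.20 static-port
nat on em0 inet from 10.9.32.0/24 to any -> 203.0.113.20 port 1024:65535
nat on em0 inet from 10.9.33.0/24 to any -> 203.0.113.21 port 1024:65535
"""

# Matches the shape of a pf source-NAT rule: interface, source network, and
# the translation address after '->'.
RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to any.*-> (?P<nat>\S+)"
)


def parse_nat_rules(text):
    """Return (interface, source_network, nat_address) tuples from pfctl -sn text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m["iface"], str(ip_network(m["src"])), m["nat"]))
    return rules


def audit_outbound_nat(text, wan_iface, internal_subnets, carp_vips, physical_ips):
    """Check loaded outbound NAT rules for the two problems discussed in the thread.

    - a rule whose translation address is a physical WAN address on a CARP cluster
    - an internal subnet that has no outbound rule on the WAN at all
    Returns a list of human-readable findings (empty list means clean).
    """
    carp_vips = {str(ip_address(a)) for a in carp_vips}
    physical_ips = {str(ip_address(a)) for a in physical_ips}
    findings = []
    covered = set()
    for iface, src, nat in parse_nat_rules(text):
        if iface != wan_iface:
            continue
        covered.add(src)
        if nat in physical_ips:
            findings.append(f"{src}: translates to physical address {nat}, expected a CARP VIP")
        elif nat not in carp_vips:
            findings.append(f"{src}: translates to {nat}, which is not a known CARP VIP")
    for subnet in internal_subnets:
        subnet = str(ip_network(subnet))
        if subnet not in covered:
            findings.append(f"{subnet}: no outbound NAT rule on {wan_iface}")
    return findings


def render_manual_rules(wan_iface, internal_subnets, carp_vip):
    """Render the pf rule lines a correct manual outbound NAT set would load:
    one rule per internal subnet, all translating to the CARP VIP."""
    vip = str(ip_address(carp_vip))
    return [
        f"nat on {wan_iface} inet from {ip_network(s)} to any -> {vip} port 1024:65535"
        for s in internal_subnets
    ]


if __name__ == "__main__":
    internal = ["10.9.32.0/24", "10.9.33.0/24", "10.9.40.0/24"]  # LAN, STAGE LAN, an APP tier (assumed)
    for f in audit_outbound_nat(SAMPLE_PFCTL_SN, "em0", internal,
                                carp_vips={"203.0.113.20"},
                                physical_ips={"203.0.113.21", "203.0.113.22"}):
        print("FINDING:", f)
    print("expected rule set:")
    for line in render_manual_rules("em0", internal, "203.0.113.20"):
        print(" ", line)
```

To use it against a real box, replace `SAMPLE_PFCTL_SN` with the output of `pfctl -sn` run on each cluster member, and fill in the WAN interface name, the internal subnets (including any tiers routed behind the LAN and STAGE LAN) and the CARP and physical WAN addresses from your own configuration.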