Outbound NAT

Outbound NAT deals with traffic from private, internal networks to external networks. Even if you have never configured outbound NAT on your pfSense system, chances are you are already using it. This is because the initial pfSense installation already automatically translates outbound traffic to the WAN IP address. If there are multiple WAN interfaces, traffic leaving any of these WAN interfaces is translated into the WAN IP address of the WAN interface being used.

If you navigate to Firewall | NAT and click on the Outbound NAT tab, and you haven't done any configuration to outbound NAT, you should find that the Outbound NAT Mode is set to Automatic outbound rule generation. This means that as new subnets/interfaces are added to the system, pfSense automatically generates outbound NAT rules to let traffic pass through to the WAN interface. An easy way to confirm that these rules are necessary is to change this setting to Disable Outbound NAT and then click on the Save button. Unless you have reconfigured your network so it is no longer dependent on NAT, the internet should be inaccessible from the LAN side of your network. To resolve this, switch back to Automatic outbound rule generation.

Note that the outbound NAT rules that handle most of the outbound NAT traffic involve non-static port mappings. This is tremendously helpful. For example, if I request a standard web page, it uses the HTTP protocol, which uses port 80. If outbound NAT used a static mapping for this port, the WAN interface would also use port 80, and anyone else on the network requesting a standard web page would be blocked from receiving one until my request had been fulfilled and the state expired. But by using a non-static mapping, outbound NAT can remap this to an arbitrary port (a non-standard port above 49152), so that other users will not be blocked from requesting web pages.

Note that there are two rules for each interface. The first rule is a non-static rule that is used for most outbound traffic. The second rule handles Internet Security Association and Key Management Protocol (ISAKMP) traffic for IPsec key exchange.
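To make the static versus non-static distinction concrete, here is a small model of an outbound NAT state table, written as an added example rather than code from the book or from pfSense. The WAN and LAN addresses, the rule ordering and the port counter are constructed for illustration; the automatic rule set mirrors the two rules described above (ISAKMP keeps its source port, everything else is remapped), while STATIC_ONLY shows what a static mapping for all traffic would do when two internal hosts pick the same source port.

```python
# Added example (not from the book or pfSense): a toy outbound NAT table.
from itertools import count

ISAKMP_PORT = 500        # UDP port for IPsec key exchange (ISAKMP)
EPHEMERAL_BASE = 49152   # remapped source ports are chosen above this value


class OutboundNat:
    """Translates (proto, src, sport, dst, dport) to the WAN address.

    Rules are checked in order and the first match decides whether the
    source port is kept (static) or remapped (non-static).
    """

    def __init__(self, wan_ip, rules):
        self.wan_ip = wan_ip
        self.rules = rules        # [(proto or None, dport or None, static), ...]
        self.states = {}          # translated 5-tuple -> original (src, sport)
        self._ports = count(EPHEMERAL_BASE + 1)

    def _static(self, proto, dport):
        for r_proto, r_dport, static in self.rules:
            if r_proto in (None, proto) and r_dport in (None, dport):
                return static
        raise LookupError("no outbound NAT rule matches this traffic")

    def translate(self, proto, src, sport, dst, dport):
        """Return (wan_ip, nat_port), or None if the state would collide."""
        nat_port = sport if self._static(proto, dport) else next(self._ports)
        key = (proto, self.wan_ip, nat_port, dst, dport)
        if key in self.states:
            # Two internal hosts would look identical from outside: the second
            # connection cannot get a state until the first one expires.
            return None
        self.states[key] = (src, sport)
        return self.wan_ip, nat_port


# Constructed rule sets: the automatic pair (ISAKMP static, rest remapped)
# and a hypothetical single static mapping for all traffic.
AUTO_RULES = [("udp", ISAKMP_PORT, True), (None, None, False)]
STATIC_ONLY = [(None, None, True)]


def demo(rules):
    nat = OutboundNat("203.0.113.5", rules)   # constructed WAN address
    # Two LAN hosts happen to use the same source port for a web request.
    a = nat.translate("tcp", "192.168.1.10", 51000, "198.51.100.7", 80)
    b = nat.translate("tcp", "192.168.1.11", 51000, "198.51.100.7", 80)
    ike = nat.translate("udp", "192.168.1.10", 500, "198.51.100.9", 500)
    return a, b, ike
```

With AUTO_RULES both web requests get distinct ports above 49152 and the ISAKMP exchange keeps port 500; with STATIC_ONLY the second web request collides and returns None.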

The two other settings for outbound NAT mode are as follows:

  • Hybrid outbound NAT rule generation: This will still automatically generate outbound NAT rules for internal subnets/interfaces, but you will also be able to add outbound NAT rules of your own.
  • Manual outbound NAT rule generation: This will not automatically create any new rules, but previously created automatic rules will remain. Using this setting might cause some confusion if you add interfaces later on without remembering that you must add outbound NAT rules. The new interfaces will not have internet access until you do.

It is outside the scope of this chapter to provide a detailed discussion of outbound NAT. If you set up a VPN, however, you will likely be utilizing outbound NAT in order to direct traffic to the VPN tunnel. It can also be useful in certain scenarios, such as monitoring network traffic.

For example, if we suspect that users on one particular interface are using too much bandwidth, we could create a virtual IP address for the WAN interface, and then redirect outbound traffic on that interface to the virtual IP by changing the outbound NAT rule for that interface. To the end user, there will be no difference, but it will make it easier to search the logs for outbound traffic from that interface, since we need only search for the newly created virtual IP.
