Creating an outbound NAT entry

This recipe will describe how to create an outbound NAT entry.

Outbound NAT is responsible for taking outbound traffic from internal networks and translating internal addresses and ports into external ones. For example, assume that a node with an internal address of 172.16.1.2 requests a web page from a remote site. 172.16.1.2 is a private (RFC 1918) address; if it were left as the source IP address in our packet, the web server would have no routable address to which it could send its reply. In fact, our packet may not even reach the web server, since routers along the path are commonly configured to drop packets sourced from private addresses. Outbound NAT solves this problem by performing two tasks:

  • Outbound NAT replaces the private, internal source address in the packet with the WAN IP address. Since the WAN IP address is a public IP address, the remote web server has a routable address to reply to, and pfSense uses the state it recorded for the connection to deliver the reply back to 172.16.1.2.
  • Outbound NAT either keeps the original source port (static port) or rewrites it (randomize source port, the default). Because every internal host shares the one WAN address, two hosts that happen to use the same source port towards the same destination would otherwise collide; rewriting the port to a random value avoids such conflicts and also makes source ports harder for an attacker to predict. Static port should be reserved for protocols that break when the source port changes, such as IPsec IKE and some SIP clients.

Outbound NAT is not something you normally have to configure. By default, pfSense will automatically generate outbound NAT rules for all local interfaces and localhost (127.0.0.0/8) addresses. If you navigate to Firewall | NAT | Outbound, you can confirm that this is the case. If you have not altered any of the outbound NAT settings since installing pfSense, there should be two rules for each internal interface (and for localhost):

  • A generic auto created rule that translates the interface's subnet to the WAN address
  • An auto created rule for ISAKMP (UDP port 500), used for Internet Key Exchange (IKE) when IPsec VPN tunnels are established; this rule has static port set, because IKE peers expect the source port to be preserved
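To make the two tasks above concrete, and to show why the ISAKMP rule needs static port while everything else is better off randomized, here is a small simulation of an outbound NAT rule. This is an added example written for this recipe, not pfSense or pf code; the WAN address 203.0.113.10, the LAN subnet 172.16.1.0/24, the flows and the simplified state table are all constructed for illustration.

```python
"""Toy model of a pfSense-style outbound NAT rule.

Added example for this recipe, not pfSense or pf(4) code. It rewrites the
private source address to the WAN address and either keeps the source port
("static port") or picks a random free one ("randomize source port", the
default), keeping the state needed to map replies back to the internal host.
All addresses, ports and flows below are constructed for illustration.
"""
import ipaddress
import random
from dataclasses import dataclass, replace

WAN_ADDR = "203.0.113.10"                        # assumed WAN address (TEST-NET-3)
LAN_NET = ipaddress.ip_network("172.16.1.0/24")  # assumed LAN subnet, as in the recipe


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortConflict(Exception):
    """Two internal flows would share one WAN-side (proto, port, dst) tuple."""


class OutboundNAT:
    def __init__(self, wan_addr=WAN_ADDR, static_port=False,
                 port_range=(1024, 65535), seed=None):
        self.wan_addr = wan_addr
        self.static_port = static_port
        self.port_range = port_range
        # A seed is only for reproducible demos; a real NAT must use unpredictable ports.
        self.rng = random.SystemRandom() if seed is None else random.Random(seed)
        self.state = {}    # WAN-side key -> original internal flow (for replies)
        self.forward = {}  # internal flow -> translated flow (reuse existing state)

    @staticmethod
    def _key(proto, wan_port, dst_ip, dst_port):
        return (proto, wan_port, dst_ip, dst_port)

    def translate(self, flow):
        """Return the flow as it appears on WAN after outbound NAT."""
        if ipaddress.ip_address(flow.src_ip) not in LAN_NET:
            return flow                       # rule does not match: leave untouched
        if flow in self.forward:
            return self.forward[flow]         # existing state entry, same mapping
        if self.static_port:
            port = flow.src_port              # keep the source port (e.g. IKE on UDP 500)
            if self._key(flow.proto, port, flow.dst_ip, flow.dst_port) in self.state:
                raise PortConflict(f"{flow.src_ip}:{port} would reuse WAN port {port} "
                                   f"towards {flow.dst_ip}:{flow.dst_port}")
        else:
            lo, hi = self.port_range
            for _ in range(1000):             # bounded search for a free random port
                port = self.rng.randint(lo, hi)
                key = self._key(flow.proto, port, flow.dst_ip, flow.dst_port)
                if key not in self.state:
                    break
            else:
                raise PortConflict("no free source port in range")
        out = replace(flow, src_ip=self.wan_addr, src_port=port)
        self.state[self._key(flow.proto, port, flow.dst_ip, flow.dst_port)] = flow
        self.forward[flow] = out
        return out

    def untranslate(self, reply):
        """Map a reply arriving on WAN back to the internal host, or None if no state."""
        if reply.dst_ip != self.wan_addr:
            return None
        orig = self.state.get(
            self._key(reply.proto, reply.dst_port, reply.src_ip, reply.src_port))
        if orig is None:
            return None                       # unsolicited packet: no state, dropped
        return replace(reply, dst_ip=orig.src_ip, dst_port=orig.src_port)


def two_hosts_same_port(static_port, seed=None):
    """Two LAN hosts open connections from the same source port to the same server."""
    nat = OutboundNAT(static_port=static_port, seed=seed)
    a = Flow("tcp", "172.16.1.2", 40000, "198.51.100.80", 80)  # constructed flows
    b = Flow("tcp", "172.16.1.3", 40000, "198.51.100.80", 80)
    out_a = nat.translate(a)
    try:
        out_b = nat.translate(b)
    except PortConflict:
        out_b = None                          # static port cannot translate the second flow
    return nat, out_a, out_b


if __name__ == "__main__":
    for static in (True, False):
        nat, out_a, out_b = two_hosts_same_port(static, seed=7)
        print(f"static_port={static}: {out_a} / {out_b}")
```

With static port, the second host's connection cannot be translated because its WAN-side tuple would be identical to the first host's; with randomized ports both hosts get distinct WAN ports and the reply to each is mapped back to the right internal address. Real pf state tracking matches on more fields than this toy does, but the port-conflict behaviour is the point.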

Given that pfSense can generate outbound NAT rules for us automatically, you might wonder why we would ever have to create our own. There are cases where we need to: for example, a custom VPN configuration in which certain traffic has to be translated with a static source port. Note that the automatically generated rules cannot be edited directly; to add your own rules, change the mode on Firewall | NAT | Outbound from Automatic to Hybrid (your rules plus the automatic ones) or Manual (only your rules apply, so make sure every internal subnet that needs translation is covered). Altering the outbound NAT rules can also be helpful in other circumstances, and in this recipe we will consider one such case. Assume that we suspect certain LAN subnet users are using a disproportionate amount of bandwidth. We can more easily find the total bandwidth used by LAN if we create a virtual IP address on the WAN interface and have outbound NAT translate LAN traffic to it instead of the WAN address.
