Outbound NAT

Outbound NAT, also known as Source NAT, controls how pfSense® software will translate the source address and ports of traffic leaving an interface. To configure Outbound NAT, navigate to Firewall > NAT, on the Outbound tab.

Outbound NAT Mode

There are four possible Modes for Outbound NAT:

Automatic Outbound NAT:

The default option, which automatically performs NAT from internal interfaces, such as LAN, to external interfaces, such as WAN.

Hybrid Outbound NAT:

Utilizes manual rules while also using automatic rules for traffic not matched by manually entered rules. This mode is the most flexible and easy to use for administrators who need a little extra control but do not want to manage the entire list manually.

Manual Outbound NAT:

Only honors the manually entered rules, and nothing more. Offers the most control, but can be tough to manage and any changes made to internal interfaces or WANs must be accounted for in the rules by hand. If the list is empty when switching from automatic to manual, the list is populated with rules equivalent to the automatically generated set.

Disable Outbound NAT:

Disables all outbound NAT. Useful if the firewall contains only routable addresses (e.g. public IP addresses) on all LANs and WANs.

Note

Even if rules are present in the Outbound NAT screen, the firewall will not honor those rules unless the Mode is set to Hybrid Outbound NAT or Manual Outbound NAT.

When changing the Mode value, click the Save button to store the new value.

In networks with a single public IP address per WAN, there is usually no reason to enable manual outbound NAT. If some manual control is necessary, hybrid mode is the best choice. In environments with multiple public IP addresses and complex NAT requirements, manual outbound NAT offers more fine-grained control over all aspects of translation.

Tip

For environments using High Availability with CARP, it is important to NAT outbound traffic to a CARP VIP address, as discussed in High Availability. This can be accomplished in either hybrid or manual mode.

As with other types of rules on pfSense software, the firewall considers outbound NAT rules from the top of the list down, and it uses the first rule which matches a packet.

Note

Outbound NAT only controls what happens to traffic as it leaves an interface. It does not control the interface a packet uses to exit the firewall. That is handled by the routing table (Static Routes) or policy routing (Policy routing).

Default Outbound NAT Rules

When set to the default Automatic Outbound NAT mode, the firewall maintains a set of NAT rules which translate connections sourced from internal networks to the IP address of a WAN interface through which those connections egress. The firewall also includes static route networks and remote access VPN networks in automatic NAT rules.

When outbound NAT is configured for Automatic or Hybrid modes, the GUI displays the automatic rules in the lower section of the screen labeled Automatic Rules.

If the Outbound NAT rule list is empty, switching to Manual Outbound NAT and saving will generate a full set of rules equivalent to the automatic rules.

Outbound NAT Rule Precedence

For outbound packets, 1:1 NAT rules take precedence over outbound NAT rules. This allows 1:1 NAT rules to override default behaviors defined in outbound NAT rules, including automatic outbound NAT.

Outbound NAT Rule Options

Outbound NAT rules are very flexible and are capable of translating traffic in many ways.

Unlike Firewall rules, the GUI displays the NAT rules in a single page with a column indicating which outbound interface is associated with each rule.

Click the Add to Top icon on the Outbound NAT page to add a rule to the top of the list. Click the Add to Bottom icon to add a rule to the bottom. Place specific rules at the top, and more general rules at the bottom. The firewall processes the rules starting at the top of the list and working down, and it uses the first rule that matches. Rules may be moved so that they match in the desired order.

When editing Outbound NAT rules, the options are split into multiple sections.

General Options

These options control general rule behavior and matching parameters.

Disabled:

Toggles whether or not this rule is active.

Do not NAT:

Prevents the firewall from applying NAT to packets matching the rule as they leave. This is necessary if the traffic would otherwise match a NAT rule, but must not have NAT applied.

One common use for this is to add a rule exception so that the firewall does not apply NAT to its own IP addresses, especially in the case of CARP where such NAT would break Internet communication from a secondary node while it is in backup mode.

Interface:

The egress interface where this NAT rule will apply.

Typically this is WAN or a WAN-type interface, but in some special cases it could be LAN or another internal interface.

Address Family:

The address family for which this NAT rule will apply. In nearly all cases this will be IPv4 or IPv4+IPv6.

Note

While it is possible to perform traditional outbound style overload NAT for IPv6 addresses, the best practice is to not apply NAT to IPv6 traffic. See IPv6 and NAT for details.

Protocol:

The IP protocol this NAT rule will match.

In most cases, Outbound NAT will apply to any protocol, but occasionally it is necessary to restrict the protocol upon which the NAT will act. For example, to only perform static port NAT for UDP traffic from a PBX.

Source:

The source network which this rule will match and then translate as it leaves the selected Interface.

This field supports the use of aliases if the Type is set to Network or Alias.

This is typically a LAN, DMZ, or VPN subnet. The Source Port is nearly always left blank to match all ports.

Note

Avoid using a source address of any as that will also match traffic from the firewall itself. This will cause problems with gateway monitoring and other firewall-initiated traffic.

Destination:

The destination address this rule will match.

This field supports the use of aliases if the Type is set to Network or Alias.

In most cases, the Destination remains set to any so that the firewall will translate all traffic going to any destination through the selected Interface. However, the destination can be restricted when necessary. For example, to translate packets heading to a specific destination in a different way, such as only performing static port NAT to SIP trunk addresses.
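As an added illustration of the first-match processing and 1:1 precedence described above (this is example code, not part of pfSense software or this page), the following Python models an outbound NAT rule list built from the General Options fields: Interface, Address Family, Protocol, Source, Destination and Do not NAT. It also shows the problem noted for a Source of any: placed above the firewall's own exception rule, it catches traffic from the firewall itself. All addresses, rule contents and the 1:1 mapping are constructed for the example.

```python
"""Added example (not pfSense code): first-match outbound NAT evaluation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "any"


@dataclass
class OutboundRule:
    interface: str                  # egress interface the rule applies to
    source: str                     # source network in CIDR, or "any"
    translation: Optional[str]      # translation address, None for Do not NAT
    destination: str = ANY          # destination network in CIDR, or "any"
    protocol: str = ANY             # "tcp", "udp", "icmp", ... or "any"
    family: str = "ipv4"            # "ipv4", "ipv6" or "ipv4+ipv6"
    no_nat: bool = False            # the "Do not NAT" option
    disabled: bool = False
    description: str = ""


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _family_matches(spec: str, addr: str) -> bool:
    version = ipaddress.ip_address(addr).version
    return spec == "ipv4+ipv6" or spec == f"ipv{version}"


def first_match(rules: List[OutboundRule], interface: str, src: str,
                dst: str, proto: str) -> Optional[OutboundRule]:
    """Walk the list top to bottom and return the first rule that matches."""
    for rule in rules:
        if rule.disabled or rule.interface != interface:
            continue
        if rule.protocol not in (ANY, proto):
            continue
        if not _family_matches(rule.family, src):
            continue
        if not (_addr_matches(rule.source, src) and _addr_matches(rule.destination, dst)):
            continue
        return rule
    return None


def translate_source(rules: List[OutboundRule], interface: str, src: str,
                     dst: str, proto: str,
                     one_to_one: Optional[Dict[str, str]] = None) -> str:
    """Return the source address a packet leaves with.

    1:1 NAT entries (internal -> external) are consulted first because they
    take precedence over outbound NAT rules. If no rule matches, or the first
    matching rule is 'Do not NAT', the address is left untranslated.
    """
    if one_to_one and src in one_to_one:
        return one_to_one[src]
    rule = first_match(rules, interface, src, dst, proto)
    if rule is None or rule.no_nat:
        return src
    return rule.translation


# Constructed sample values: firewall WAN address, a CARP VIP and a LAN subnet.
FW_WAN_IP = "203.0.113.10"
CARP_VIP = "203.0.113.5"

# Recommended order: the firewall's own exception sits above the LAN rule.
RULES_GOOD = [
    OutboundRule("wan", f"{FW_WAN_IP}/32", None, no_nat=True,
                 description="Do not NAT the firewall's own WAN address"),
    OutboundRule("wan", "10.10.10.0/24", CARP_VIP, description="LAN -> CARP VIP"),
]

# Problem case: a Source of 'any' above the exception also matches the
# firewall itself, so gateway monitoring traffic would be translated.
RULES_BAD = [
    OutboundRule("wan", ANY, CARP_VIP, description="source any (too broad)"),
    OutboundRule("wan", f"{FW_WAN_IP}/32", None, no_nat=True),
]

# Constructed 1:1 NAT mapping for one DMZ host.
ONE_TO_ONE = {"10.10.10.80": "203.0.113.80"}

if __name__ == "__main__":
    for name, rules in (("good", RULES_GOOD), ("bad", RULES_BAD)):
        print(name, "firewall ->",
              translate_source(rules, "wan", FW_WAN_IP, "198.51.100.1", "icmp"))
    print("1:1 host  ->", translate_source(RULES_GOOD, "wan", "10.10.10.80",
                                           "198.51.100.1", "tcp", ONE_TO_ONE))
```

Running the script shows the firewall's own address left alone with the good ordering, translated to the CARP VIP with the bad ordering, and the 1:1 host translated to its 1:1 address regardless of the outbound list.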

Translation

These options control how NAT translates the source address for packets matching the rule.

Address:

Controls what happens to the source address of traffic matching this rule.

The Address drop-down contains all defined Virtual IP addresses and subnets, and Network or Alias to manually enter a subnet for translation.

Most commonly, this is set to Interface Address so the firewall translates the source IP address of connections to the IP address of the selected Interface, e.g. the WAN IP address.

Note

NAT rules cannot use an alias containing subnets for translation. They can only utilize host aliases or a single manually entered subnet.

Pool Options:

Controls how outbound NAT translates source addresses when it has multiple addresses available for translation.

When an outbound NAT rule is configured to use a host alias or manually entered subnet, the rule can translate to a pool of addresses. This can help in large NAT deployments or in areas where several clients require static port to reach the same destination.

Only Round Robin types work with host aliases. Any type may be used with a subnet.

Default:

Does not define any specific algorithm for selecting a translation address from the pool.

Round Robin:

Loops through each potential translation address in the alias or subnet in turn.

Round Robin with Sticky Address:

Works the same as Round Robin but maintains the same translation address for a given source address as long as states from the source host exist.

Random:

Selects a translation address for use from the subnet at random.

Random with Sticky Address:

Selects an address at random, but maintains the same translation address for a given source address as long as states from the source host exist.

Source Hash:

Uses a hash of the source address to determine the translation address, ensuring that the translated address is always the same for a given source IP address.

Bitmask:

Applies the subnet mask and keeps the last portion identical. For example if the source address is 10.10.10.50 and the translation subnet is 192.2.0.0/24, the rule will change the address to 192.2.0.50. This works similarly to 1:1 NAT but only in the outbound direction.
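The pool types above differ in how they pick a translation address from a host alias or subnet. The Python below is an added example, not pfSense or pf code, that implements each selection rule so the behaviour can be compared: Round Robin cycling, the sticky variants keeping a mapping while states exist, Source Hash being deterministic per source, and Bitmask producing 192.2.0.50 for the page's own 10.10.10.50 and 192.2.0.0/24 case. It also enforces the rule that host aliases only work with the Round Robin types. The hash function, the ordering used for Default, and the alias contents are assumptions made for the example.

```python
"""Added example (not pfSense/pf code): translation address pool selection."""
import hashlib
import ipaddress
import random
from typing import Dict, List, Optional, Union

ROUND_ROBIN_TYPES = ("round-robin", "round-robin-sticky")
STICKY_TYPES = ("round-robin-sticky", "random-sticky")
ALL_TYPES = ("default", "round-robin", "round-robin-sticky",
             "random", "random-sticky", "source-hash", "bitmask")


def pool_type_allowed(pool: Union[str, List[str]], mode: str) -> bool:
    """A subnet (string) accepts any type; a host alias (list) only Round Robin types."""
    if mode not in ALL_TYPES:
        return False
    if isinstance(pool, str):
        return True
    return mode in ROUND_ROBIN_TYPES


class TranslationPool:
    def __init__(self, pool: Union[str, List[str]], mode: str, seed: int = 0):
        if not pool_type_allowed(pool, mode):
            raise ValueError(f"pool type {mode!r} not allowed for this pool")
        self.mode = mode
        self.subnet: Optional[ipaddress.IPv4Network] = None
        if isinstance(pool, str):
            # manually entered subnet: candidates are every host address in it
            self.subnet = ipaddress.ip_network(pool, strict=False)
            self.addresses = [str(h) for h in self.subnet.hosts()]
        else:
            # host alias: candidates are exactly the listed addresses
            self.addresses = list(pool)
        self._next = 0                      # round robin position
        self._sticky: Dict[str, str] = {}   # source -> translation while states exist
        self._rng = random.Random(seed)     # seeded only so the example is repeatable

    def select(self, src: str) -> str:
        """Pick the translation address for a new connection from src."""
        if self.mode in STICKY_TYPES and src in self._sticky:
            return self._sticky[src]
        if self.mode == "default":
            # No algorithm is specified for Default; the example takes the first address.
            chosen = self.addresses[0]
        elif self.mode in ROUND_ROBIN_TYPES:
            chosen = self.addresses[self._next % len(self.addresses)]
            self._next += 1
        elif self.mode in ("random", "random-sticky"):
            chosen = self._rng.choice(self.addresses)
        elif self.mode == "source-hash":
            # Illustrative hash (SHA-256 of the source text); pf's own hash differs.
            digest = hashlib.sha256(src.encode()).digest()
            chosen = self.addresses[int.from_bytes(digest[:4], "big") % len(self.addresses)]
        else:  # bitmask: network part from the subnet, host part from the source
            host_bits = int(ipaddress.ip_address(src)) & int(self.subnet.hostmask)
            chosen = str(ipaddress.ip_address(int(self.subnet.network_address) | host_bits))
        if self.mode in STICKY_TYPES:
            self._sticky[src] = chosen
        return chosen

    def states_expired(self, src: str) -> None:
        """Called when the last state from src is gone; the sticky mapping is released."""
        self._sticky.pop(src, None)


if __name__ == "__main__":
    alias = ["203.0.113.11", "203.0.113.12"]  # constructed host alias
    rr = TranslationPool(alias, "round-robin")
    print("round robin:", [rr.select("10.10.10.50") for _ in range(3)])
    print("bitmask    :", TranslationPool("192.2.0.0/24", "bitmask").select("10.10.10.50"))
```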

Port or Range:

Specifies a specific source port for translation.

This is almost always left blank, but a client could require this behavior if the client selects a random source port when the server requires a specific source port.

Static Port:

Maintains the original source port of the client packet when translating the source IP address. Checking this option disables the Port entry box.

Some protocols require this behavior, such as IPsec without NAT-T. Some protocols behave better with this behavior, such as SIP and RTP.

Misc

No XMLRPC Sync:

Prevents this rule from synchronizing to other High Availability cluster members via XMLRPC.

Warning

This does not prevent a rule on a secondary node from being overwritten by the primary.

Description:

Text describing the rule, such as its intended behavior or name of a service. The best practice is to clearly describe the purpose of the rule in this field.

The description is optional and does not affect functionality of the rule.

Rule Information

This section works similarly to the same section in firewall rules to track NAT rule creation and updates.

When switching from Automatic Outbound NAT mode to Manual Outbound NAT mode, the firewall marks that change as the source of the rules it creates.

Configuring Outbound NAT Rules

Outbound NAT rules are located at Firewall > NAT, on the Outbound tab.

See also

The list of outbound NAT rules works the same as the list of firewall rules for management. See Introduction to the Firewall Rules screen for details.

To create a new outbound NAT rule:

  • Navigate to Firewall > NAT, Outbound tab

  • Select Hybrid Outbound NAT or Manual Outbound NAT

  • Click Save

  • Click the Add to Top icon to create a new outbound NAT rule at the top of the list

  • Configure the rule as described in Configuring Outbound NAT Rules

  • Click Save

  • Click Apply Changes

Outbound NAT Configuration Examples

This section contains example scenarios and configurations for outbound NAT.

Disabling Outbound NAT

If local interfaces only utilize public IP addresses, and thus NAT is not required to pass traffic through the firewall, disable NAT for routable local subnets. This can be achieved in several ways:

  • If NAT is not required for any interface, set the outbound NAT mode to Disable.

  • Using Hybrid Outbound NAT, create a rule set with Do not NAT set to match the routable subnets.

  • Using Manual Outbound NAT, delete (or do not create) any NAT rules matching the routable subnets.

In any of the above cases, outbound NAT will no longer be active for those source IP addresses and pfSense software will then route public IP addresses without translation.

Static Port

By default, pfSense software rewrites the source port on all outgoing connections except for UDP port 500 (IKE for IPsec VPN traffic). Some operating systems do a poor job of source port randomization and some do not randomize source ports at all. This makes IP address spoofing easier and makes it possible to fingerprint hosts behind the firewall from their outbound traffic. Rewriting the source port eliminates these potential security vulnerabilities. Outbound NAT rules, including the automatic rules, show a randomize icon in the Static Port column on rules set to randomize the source port.

Source port randomization breaks some rare applications. The default Automatic Outbound NAT ruleset disables source port randomization for UDP 500 because that traffic will almost always be broken by rewriting the source port. Outbound NAT rules which preserve the original source port are called Static Port rules and show a check mark in the Static Port column. All other traffic has the source port rewritten by default.

Other protocols, such as those used by game consoles, may not work properly when NAT rewrites the source port. To disable this functionality, use the Static Port option.

To add a rule for a device which requires static source ports:

  • Navigate to Firewall > NAT, Outbound tab

  • Select Hybrid Outbound NAT

  • Click Save

  • Click the Add to Top icon to add a new NAT rule to the top of the list

  • Configure the rule as described in Configuring Outbound NAT Rules

    The rule must match the traffic that requires static port, such as the source address of a PBX or a game console

  • Check Static Port in the Translation section of the page

  • Click Save

  • Click Apply Changes

After making that change, the firewall will preserve the source port on outgoing traffic matching the rule. The best practice is to use strict rules when utilizing static port to avoid any potential conflict if two local hosts use the same source port to talk to the same remote server and port using the same external IP address.
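To make the conflict described in the last paragraph concrete, the following Python is an added example (not pfSense or pf code) that models the state table behind an outbound NAT rule. Each translated connection is keyed on protocol, external address, external port, destination address and destination port. With Static Port, two local hosts that both use source port 5060 to the same remote server and port through the same external IP collide on the same key, while source port rewriting picks a free port for each. The example also carries the default exception for UDP 500. The external address, host addresses, SIP server and the ephemeral port range are constructed for the example.

```python
"""Added example (not pfSense/pf code): static port versus rewritten source port."""
import random
from typing import Dict, Optional, Tuple

IKE_PORT = 500                      # UDP 500 keeps its source port by default
EPHEMERAL_RANGE = (49152, 65535)    # constructed range for rewritten ports


def uses_static_port(proto: str, src_port: int, rule_static_port: bool) -> bool:
    """Static port applies if the rule enables it, or for IKE (UDP 500) by default."""
    return rule_static_port or (proto == "udp" and src_port == IKE_PORT)


class OutboundNatTable:
    def __init__(self, external_ip: str, seed: int = 0):
        self.external_ip = external_ip
        # translated 5-tuple -> (original source address, original source port)
        self.states: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}
        self._rng = random.Random(seed)   # seeded only so the example is repeatable

    def open_state(self, proto: str, src_ip: str, src_port: int, dst_ip: str,
                   dst_port: int, rule_static_port: bool) -> Optional[Tuple[str, int]]:
        """Create a NAT state for a new outbound connection.

        Returns the (external address, external port) the packet leaves with,
        or None when a static port mapping would collide with an existing state.
        """
        if uses_static_port(proto, src_port, rule_static_port):
            key = (proto, self.external_ip, src_port, dst_ip, dst_port)
            if key in self.states:
                return None   # another host already owns this external tuple
        else:
            lo, hi = EPHEMERAL_RANGE
            for _ in range(1000):
                key = (proto, self.external_ip, self._rng.randint(lo, hi), dst_ip, dst_port)
                if key not in self.states:
                    break
            else:
                return None   # port range exhausted for this destination
        self.states[key] = (src_ip, src_port)
        return (key[1], key[2])


def sip_scenario(rule_static_port: bool) -> Tuple[Optional[Tuple[str, int]],
                                                  Optional[Tuple[str, int]]]:
    """Two LAN hosts send UDP from port 5060 to the same SIP server and port."""
    table = OutboundNatTable("203.0.113.10")
    first = table.open_state("udp", "10.10.10.50", 5060, "198.51.100.7", 5060, rule_static_port)
    second = table.open_state("udp", "10.10.10.51", 5060, "198.51.100.7", 5060, rule_static_port)
    return first, second


if __name__ == "__main__":
    print("static port  :", sip_scenario(True))    # second host gets None
    print("rewritten    :", sip_scenario(False))   # two distinct external ports
```

The practical reading: restrict Static Port rules to the specific source hosts that need them, so a second host sharing a source port toward the same server does not compete for the same external tuple.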