On Mon, May 7, 2012 at 2:15 PM, Ugo Bellavance <[email protected]> wrote:
> On 2012-05-04 13:41, Ugo Bellavance wrote:
>
>> Hi,
>>
>> I'm still planning the Checkpoint -> pfSense migration, and I'm now at
>> the Outbound NAT part. In our current Checkpoint, every single NAT is
>> manually defined. It is a bit cumbersome and I doubt this adds to
>> security because we have default-deny rules everywhere, ingress/egress.
>>
>> What are the best practices for Outbound NAT? I have one WAN and 9
>> networks on the LAN side. Within most of my LAN networks, I don't NAT,
>> but I do NAT with one of them. I also need to NAT to go out on the
>> internet, via WAN. So, basically, I need Outbound NAT for WAN and for
>> this one network that I need to NAT.
>>
>> One of my questions is: should I leave Automatic outbound NAT rule
>> generation on or use Manual rules? From what I can see, the automatic rules
>> are only to access the internet, which is fine because I'll only allow
>> what I want with firewall rules. No matter if I go automatic or not,
>> I'll need a few rules that I can create for my LAN network that needs NAT.
>>
>> Just thinking aloud, but I'd be glad to know if my thinking sounds right.
>>
>> Thanks,
>>
>> Ugo
>
> Is there something wrong with my question? Now I've enabled automatic
> outbound NAT rule generation and the rules that were added by setting it to
> manual are still there. Should I delete them?
>
> Thanks,
>
> Ugo

Hello,

To answer your original question, it is unlikely that you will need anything other than the normal outbound NAT if you only have 1 WAN and you aren't doing anything unusual as far as outgoing IP addresses. There are two situations where we needed to use Manual Outbound NAT:

- One location where we have multiple WANs
- One location where all traffic to a particular destination (they have an IP whitelist for incoming traffic) has to always come from a particular IP address, no matter which computer sent the request. Without the Outbound NAT rules, any computer that has 1-to-1 NAT set up for it will send traffic to this destination on its regular address and be blocked by their firewall.

To answer your new question, here is a quote from the Outbound NAT page: "With automatic outbound NAT enabled, a mapping is automatically created for each interface's subnet (except WAN-type connections) *and the rules on this page are ignored*" (emphasis mine).

--
Moshe Katz
-- [email protected]
-- +1(301)867-3732
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
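As an added illustration of the second case Moshe describes (this is not from the thread, and the interface name, networks and addresses are hypothetical), here is what a manual Outbound NAT table of that shape boils down to in pf syntax. pf translation (`nat`) rules are first-match, so the destination-specific rule must sit above the catch-all; in the pfSense GUI that means dragging it to the top of the Outbound NAT list.

```pf
# Added example, not pfSense-generated output. All names/addresses are hypothetical.
wan_if    = "em0"
lan_net   = "192.168.10.0/24"   # the one LAN network that goes out NAT'd
partner   = "203.0.113.50"      # remote site that whitelists a single source IP
fixed_src = "198.51.100.20"     # the address on their whitelist (a VIP on WAN)

# 1. Destination-specific rule, evaluated first: anything bound for the partner
#    leaves as fixed_src no matter which internal host sent it.
nat on $wan_if from any to $partner -> $fixed_src

# 2. Catch-all, equivalent to what automatic outbound NAT generates for a
#    LAN subnet: translate to whatever address the WAN interface holds.
nat on $wan_if from $lan_net to any -> ($wan_if)
```

On a pfSense box the generated ruleset is written to /tmp/rules.debug, so `grep '^nat' /tmp/rules.debug` and `pfctl -sn` show which translation rules actually got loaded; if automatic mode is enabled, the manual entries simply will not appear there, which is the documented behaviour Moshe quotes.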
