NAT - Manual Outbound Rules

Started by TheOneAndOnly, June 01, 2025, 08:02:39 AM

I haven't found a lot of literature on the Manual Outbound configuration on OPNsense.

What I'm trying to figure out is: if I set the NAT to manual outbound, do I configure all the outgoing rules within NAT/Outgoing,
or do I configure them on the WAN interface for outgoing?

Looking for configuration documentation on this.

Firewall > NAT > Outgoing - create rules on the WAN interface. Always choose the interface where the NAT is supposed to take place.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Is there an initial outbound rule? For example, I tried this, and it lets everything out.

When I turn it off and try allowing everything out on the WAN interface, nothing goes out. It's as if only the Manual Outbound rule section allows rules.

Which would mean I'd have to create all my outbound rules in the NAT section, not on the WAN interface.

June 01, 2025, 09:45:11 PM #3 Last Edit: June 01, 2025, 11:48:11 PM by meyergru
Well, that is just how it is supposed to work if your LAN is on a non-routable RFC1918 network range (like it probably is). You can do any "normal" firewall rules you like - still, your LAN IPs will not get routed by your ISP to the internet. You need NAT in order to translate your non-routable LAN IPs to your only one, routable WAN IP.

And such NAT rules are made exclusively in the NAT settings - they can infer coupled firewall rules which can then be manipulated in the specific interface rules, but mostly, you can just set "pass" on the NAT rules, such that an implicit, non-visible firewall pass rule will get created along with the original NAT rule.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

June 01, 2025, 09:50:57 PM #4 Last Edit: June 01, 2025, 10:19:35 PM by EricPerl Reason: Clarification
Someone is confused or not clear. [Clarifying that I referred to the OP here]

If you set NAT outbound mode to Automatic, the automatic rules are displayed.
They are often sufficient.
I've had to add some (via hybrid mode) when I added a 2nd router without NAT internally, because OPN only NATs explicit networks (list in automatic rules).
I've seen cases of Outbound NAT on LAN to achieve symmetric routing (also to an internal router).

But if you're going to go full manual, there's a good chance you will have to replicate some of these automatic rules, because otherwise the source network of your traffic out on WAN is going to be a LAN IP (supposedly RFC1918, non routable) and that's not going to get you anywhere. meyergru beat me to this point.
Outbound NAT does not seem to have associated rules, though, so I didn't understand that part of his comment.

Outbound NAT lets you specify an interface for Outbound NAT. That's what Patrick meant.
Look at the in traffic on LAN and out traffic on WAN to see the effect of Outbound NAT.
 
If your last sentence refers to out FW rules, these go in FW rules. Distinct rules. Different purpose (filtering).

June 01, 2025, 09:59:13 PM #5 Last Edit: June 02, 2025, 12:11:36 AM by meyergru
Sorry, @EricPerl is correct: outbound NAT does not even have an option for associated rules, which goes all the more into the separation and the need to configure those rules in the NAT section, exclusively. I deleted that in my previous post.

Outbound NAT and allow/deny are completely separate things. Assuming you set NAT to manual and your LAN is the default 192.168.1.0/24 you need:

1. Firewall > Rules > LAN

Source: LAN net
Destination: any
Action allow

2. Firewall > NAT > Outbound

Interface: WAN
Source: LAN net
Translation: WAN address

The first permits the traffic, the second takes care that the private internal addresses are in fact translated.

HTH,
Patrick
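The two items Patrick lists are two different pf rule types on the box: a filter `pass` rule (visible with `pfctl -sr`) and a `nat` rule on WAN (visible with `pfctl -sn`). The failure mode described earlier in the thread, a LAN or VLAN that is allowed by the filter but never translated, shows up as a network that has the first and lacks the second. The script below is an added example, not code from this thread or from OPNsense, that checks a ruleset for exactly that gap. The interface names (`vtnet0` as WAN, `vtnet1` and `vtnet1.20` as LAN and a VLAN), the addresses and the embedded sample rulesets are constructed assumptions so it can run offline; the exact text `pfctl` prints varies between versions.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): verify that a network
# has BOTH pieces Patrick describes in the pf ruleset:
#   1. a filter pass rule on its own interface   (pfctl -sr)
#   2. an outbound nat rule on the WAN interface (pfctl -sn)
# Interface names (vtnet0 = WAN, vtnet1 = LAN, vtnet1.20 = VLAN), addresses
# and the sample rulesets below are constructed assumptions for offline use.

# Constructed sample of `pfctl -sn`: manual outbound NAT where only
# 192.168.1.0/24 was given a rule (the pair OPNsense's automatic mode also
# generates: ISAKMP with static-port, then everything else).
SAMPLE_NAT='nat on vtnet0 inet from 192.168.1.0/24 to any port = isakmp -> (vtnet0:0) static-port
nat on vtnet0 inet from 192.168.1.0/24 to any -> (vtnet0:0) port 1024:65535'

# Constructed sample of `pfctl -sr`: LAN and a second VLAN both have pass
# rules, so 10.10.20.0/24 is permitted by the filter but never translated.
SAMPLE_FILTER='pass in quick on vtnet1 inet from 192.168.1.0/24 to any flags S/SA keep state label "lan allow"
pass in quick on vtnet1.20 inet from 10.10.20.0/24 to any flags S/SA keep state label "vlan20 allow"'

# _rule_matches KEYWORD IFACE NET RULES
# Exit 0 if RULES contains a line that starts with KEYWORD and carries
# both "on IFACE" and "from NET".
_rule_matches() {
    printf '%s\n' "$4" | awk -v kw="$1" -v ifc="$2" -v net="$3" '
        $1 == kw {
            on = 0; from = 0
            for (i = 2; i < NF; i++) {
                if ($i == "on"   && $(i+1) == ifc) on = 1
                if ($i == "from" && $(i+1) == net) from = 1
            }
            if (on && from) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# has_outbound_nat WAN_IF NET [NAT_RULES]   (defaults to live `pfctl -sn`)
has_outbound_nat() { _rule_matches nat "$1" "$2" "${3:-$(pfctl -sn)}"; }

# has_pass_rule LAN_IF NET [FILTER_RULES]   (defaults to live `pfctl -sr`)
has_pass_rule()    { _rule_matches pass "$1" "$2" "${3:-$(pfctl -sr)}"; }

# nat_status WAN_IF LAN_IF NET [NAT_RULES] [FILTER_RULES]
# Prints one of: ok | no-nat | no-pass | neither
nat_status() {
    n=1; p=1
    has_outbound_nat "$1" "$3" "$4" || n=0
    has_pass_rule "$2" "$3" "$5" || p=0
    case "$n$p" in
        11) echo ok ;;       # permitted by the filter and translated on WAN
        01) echo no-nat ;;   # leaves WAN with an RFC1918 source: the OP's symptom
        10) echo no-pass ;;  # translated, but the filter never lets it in
        *)  echo neither ;;
    esac
}

# Offline run against the constructed samples:
#   nat_status vtnet0 vtnet1    192.168.1.0/24 "$SAMPLE_NAT" "$SAMPLE_FILTER"   -> ok
#   nat_status vtnet0 vtnet1.20 10.10.20.0/24  "$SAMPLE_NAT" "$SAMPLE_FILTER"   -> no-nat
```

On the firewall itself, omit the ruleset arguments and `nat_status` reads the live `pfctl -sn` and `pfctl -sr` output. A `no-nat` result for a network is the situation the thread describes: the pass rule on the (V)LAN interface is in place, but nothing under Firewall > NAT > Outbound translates that source on WAN, so the packets leave with a private source address.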

Yes, of course you still need to allow the NATed traffic, at least for any (V)LAN except the default one, for which an allow any -> any rule is in place automatically.

Quote from: meyergru on June 01, 2025, 11:50:50 PM
Yes, of course you still need to allow the NATed traffic, at least for any (V)LAN except the default one, for which an allow any -> any rule is in place automatically.

I wasn't addressing you :-)