NAT RULE 0

Can we choose a different color for traffic processed by NAT RULE 0? I have a firewall rule ALLOW ANY ANY and a NAT rule NAT LAN to WAN. If I disable the NAT rule, the traffic stops flowing as expected, but my firewall logs are still green and show traffic as allowed. It is technically correct that my traffic is allowed due to the firewall rule, but I am not getting anywhere due to NAT rule zero, so a little hint in the logs would be nice.

Also, the NAT rules don't stop passing traffic immediately if disabled, unlike firewall rules, probably due to conntrack entries, so some clarity in the logs would be appreciated. (Try ping 8.8.8.8 and disable the NAT rule; your ping will continue.)

Regards

  • I realize this is probably a stupid question but for my own edification, what is NAT Rule 0? I understand there is the Firewall "Rule 0", which essentially drops any traffic that doesn't match the other firewall rules before it. Without it, all traffic would be allowed to pass. However, I didn't think that was really the case with NAT since, by default, if nothing is defined, well... nothing will be NATed (think I just made up a word).

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Hi Shred,

    NAT Rule 0 is effectively "NoNAT" meaning no modification is applied :)

    Emile

  • Got it. So there isn't technically a "NAT Rule 0", it's the nature of how it works. Simply, if there are no NAT rules, then there is no NAT. Appreciate the reply!

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Hi Shred,

    Yeah, that's pretty much it, the NAT column has to be filled so if no other NATs are applied, NoNAT takes effect.

    Emile

  • I did have a few problems when messing with NAT too much due to conntrack trying to do its job.

    I added a bunch of firewall rules with coupled NAT in the firewall rule and made sure everything was working as expected. I then deleted just the NAT rule, making orphaned firewall rules (no NAT orphan ;). The traffic keeps flowing if the connection is established and NAT 0 shows up in logs. However, if you recreate another NAT rule, the traffic doesn't go back to the new NAT rule immediately because the conntrack time hasn't expired. The firewall keeps using NAT rule 0 although a regular NAT rule does exist. This problem is really bad when streaming from Netflix or similar, since the traffic keeps flowing for a long time although the NAT rule is not there.

    You can probably flush the conntrack table from the command line or create a new firewall rule for everything to work again if you don't want to wait.

    After messing around with NAT for a while and getting more headache than I needed, I went back to creating a single NAT LAN to WAN rule for all my traffic. Lesson from this exercise: don't do something just because it can be done, and keep it simple by using one NAT rule unless there is a specific need for additional NAT.

    Regards
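The behaviour described in the post above (established flows keep their old translation until the conntrack entry expires) can be checked directly in the connection-tracking table. The following is an added example, not code from the thread or from Sophos: it parses the text format printed by `conntrack -L` from the Linux conntrack-tools package, decides per flow whether SNAT or DNAT is currently applied (a flow whose reply tuple simply mirrors the original tuple is the "NoNAT" case), and builds the `conntrack -D` command that would remove one stale flow. The sample table is constructed, and whether a Sophos XG shell exposes the `conntrack` tool is an assumption.

```python
"""Audit conntrack entries for the NAT decision they carry.

Added example (not from the original thread or Sophos).  It parses the
line format printed by `conntrack -L` (Linux conntrack-tools).  Running
it on a Sophos XG appliance assumes that tool is available there.
"""
import re

# Constructed sample in `conntrack -L` format (not captured from a real box).
# Flow 1: TCP to 8.8.8.8, reply comes back to 203.0.113.5 -> SNAT in effect.
# Flow 2: ICMP echo, reply comes back to the original source -> NoNAT.
# Flow 3: UDP DNS, reply comes back to 203.0.113.5 -> SNAT in effect.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=8.8.8.8 sport=51234 dport=443 src=8.8.8.8 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.1.10 dst=8.8.8.8 type=8 code=0 id=1234 src=8.8.8.8 dst=192.168.1.10 type=0 code=0 id=1234 mark=0 use=1
udp      17 170 src=192.168.1.20 dst=8.8.4.4 sport=40000 dport=53 src=8.8.4.4 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Split one conntrack line into protocol, original tuple and reply tuple.

    Keys such as src/dst/sport/dport appear twice per line: the first
    occurrence belongs to the original direction, the second to the reply.
    """
    parts = line.split()
    if len(parts) < 3:
        return None
    orig, reply = {}, {}
    for key, value in _FIELD.findall(line):
        target = reply if key in orig else orig
        target[key] = value
    if "src" not in orig or "dst" not in reply:
        return None
    return {"proto": parts[0], "orig": orig, "reply": reply}


def classify(entry):
    """Label the entry SNAT, DNAT, SNAT+DNAT or NoNAT from its two tuples."""
    o, r = entry["orig"], entry["reply"]
    snat = r["dst"] != o["src"]  # replies return to a translated source address
    dnat = r["src"] != o["dst"]  # replies come from a translated destination
    labels = [name for name, on in (("SNAT", snat), ("DNAT", dnat)) if on]
    entry["nat"] = "+".join(labels) if labels else "NoNAT"
    return entry["nat"]


def delete_command(entry):
    """Build the conntrack-tools command that removes exactly this flow."""
    o = entry["orig"]
    cmd = ["conntrack", "-D", "-p", entry["proto"], "-s", o["src"], "-d", o["dst"]]
    if "sport" in o and "dport" in o:
        cmd += ["--sport", o["sport"], "--dport", o["dport"]]
    return " ".join(cmd)


def audit(table_text):
    """Parse and classify every entry in a `conntrack -L` dump."""
    results = []
    for line in table_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            classify(entry)
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in audit(SAMPLE_CONNTRACK):
        o = e["orig"]
        print(f"{e['proto']:5} {o['src']} -> {o['dst']}: {e['nat']:10} {delete_command(e)}")
```

Comparing the two tuples is the same test the kernel's own NAT code uses: once a flow's reply tuple has been written into the conntrack entry, the rule that produced it no longer matters, which is why disabling or replacing a NAT rule does not affect flows already in the table. Deleting the matching entries (or flushing the whole table with `conntrack -F`) forces new packets to be re-evaluated against the current rules.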

  • It's hard to fix this actually.

    One solution would be to flush all matching firewall rules if you create a firewall / NAT rule, but nobody will accept this.

    So basically most products work this way: if you have a "living" connection, those connections will stay alive afterwards.

    As mentioned before in some threads, I would assume Linked NAT Rules are more likely a "migration helper" to not break upgrades from V17.5 to V18.

    I would always recommend using self-created NATs to keep it simple.

  • Another workaround that is probably far easier to implement is that if you create a linked FIREWALL rule and then try to delete the linked NAT rule, you get a warning that the linked firewall rule will be disabled if you delete the NAT rule. That way the traffic will stop flowing almost immediately since the firewall rule will be disabled and that essentially stops all traffic using that firewall rule immediately.

    This will remove any impact on other firewall traffic and stop the orphaned firewall rules that are looking for suitable NAT rules that may or may not exist.

    Regards
