Documentation
pfSense Documentation - Configuration and Administration Guides
pfSense NAT - Network Address Translation and Forwarding
Outbound NAT in pfSense - source NAT configuration

Outbound NAT in pfSense - source NAT configuration

Outbound NAT (source NAT) in pfSense controls source address translation for traffic leaving the network through an external interface. When a packet from an internal host is directed to the internet, the firewall replaces the private source address with the public address of the WAN interface (or another specified address). This is the fundamental mechanism that enables internal hosts with RFC 1918 private addresses to access internet resources.

pfSense provides four outbound NAT modes that differ in the degree of automation and control. The choice of mode is determined by the complexity of the network infrastructure and translation requirements.

Operating modes

pfSense supports four outbound NAT modes. Switching between modes is performed under Firewall > NAT, on the Outbound tab.

ModeDescriptionWhen to use
AutomaticAutomatic rule generation for all internal interfacesStandard configurations with a single WAN
HybridAutomatic rules + ability to add manual rulesSpecific exceptions needed (static port, multi-WAN)
ManualOnly manually created rulesFull control over translation
DisableOutbound NAT completely disabledNetworks with routable addresses

Outbound NAT mode selection

Fig. 1. Outbound NAT mode selection

Mode comparison

CharacteristicAutomaticHybridManual
Automatic rulesYesYes (as fallback)No
Manual rulesIgnoredProcessed firstOnly source of rules
Response to new interfaceAutomaticAutomatic (for fallback)Manual rule addition required
Configuration complexityMinimalModerateHigh
Risk of connectivity lossMinimalLowHigh (on error)
Recommended forBasic configurationsMost production systemsComplex multi-interface configurations

Automatic mode

Automatic mode (Automatic Outbound NAT) is the default setting after pfSense installation. In this mode, the firewall independently creates outbound NAT rules for each combination of internal interface and subnet.

Automatically generated rules perform the following translations:

  • Traffic from LAN, OPT1, OPT2, and other internal interface subnets is translated to the WAN interface address.
  • VPN client traffic (OpenVPN, IPsec) is translated to the WAN address.
  • A rule for localhost (127.0.0.0/8) is generated with the ISAKMP port (500) and the static port flag for correct IPsec operation.

Automatic rules are displayed in the interface as read-only entries. They cannot be modified or deleted - only viewed.

Automatic mode is suitable for most simple configurations. Switching to a different mode is necessary when at least one of the following conditions exists:

  • Static port is required for specific hosts or protocols.
  • Multiple WAN interfaces are used with different translation rules.
  • Specific subnets must be bound to particular external addresses.

Hybrid mode

Hybrid mode (Hybrid Outbound NAT) combines the advantages of automatic and manual modes. Automatic rules continue to be generated and serve as a base (fallback), while manual rules are added on top and processed with higher priority.

Processing order in hybrid mode:

  1. Manual rules are checked first (top to bottom).
  2. If no manual rule matches, automatic rules are checked.

Hybrid mode is recommended for most production configurations. It allows adding specific rules (static port for SIP, subnet binding to a particular WAN) without the need to manually maintain the complete rule set.

Typical hybrid mode workflow:

  1. Switch the mode to Hybrid Outbound NAT.
  2. Click Save, then Apply Changes.
  3. Create a manual rule for the specific exception (for example, static port for a SIP server).
  4. All remaining traffic continues to be processed by automatic rules.

Manual mode

Manual mode (Manual Outbound NAT) gives the administrator complete control over outbound NAT rules. All automatic rules are removed, and only manually created rules are used.

Warning:

When switching to manual mode, pfSense will offer to copy the current automatic rules as a starting point. It is strongly recommended to accept this offer. If the copy is declined and no rules are created manually, all outbound traffic will cease to be translated, and internal hosts will lose internet access.

Manual mode is necessary in the following cases:

  • A completely non-standard translation configuration is required.
  • Precise control over rule processing order is needed.
  • Complex setups with multiple WAN interfaces, VPNs, and specific translations are in use.
  • A “Do not NAT” rule is needed for certain traffic (for example, traffic between VPN segments).

When a new interface or subnet is added in manual mode, NAT rules are not created automatically. The administrator must add the corresponding rules manually; otherwise, traffic from the new interface will not be translated.

Creating a rule

Step-by-step configuration

  1. Navigate to Firewall > NAT, select the Outbound tab.
  2. Verify that Hybrid or Manual mode is selected.
  3. Click Add to create a new rule.

Outbound NAT rule list

Fig. 2. Outbound NAT rule list

  1. Configure the rule parameters:

General parameters

FieldDescriptionExample
InterfaceOutbound interface (where traffic is directed)WAN
Address FamilyAddress familyIPv4
ProtocolProtocol (any for all)Any
SourceSource address or subnet192.168.1.0/24
Source portSource port (usually Any)Any
DestinationDestination addressAny
Destination portDestination portAny

Translation parameters

FieldDescriptionExample
Translation AddressAddress to which the source is translatedInterface Address
Translation PortTranslation port or port range(empty for automatic)
Static PortPreserve the original client source portUnchecked
Pool OptionsAddress selection method from pool (when using an alias)Default

Additional parameters

FieldDescription
DisabledDisable the rule without deleting it
Do not NATMark traffic for exclusion from translation
No XMLRPC SyncDo not synchronize the rule in HA configurations
DescriptionDescription of the rule’s purpose
  1. Click Save, then Apply Changes.

Translation Address options

  • Interface Address - address of the outbound interface (WAN IP). The most common option.
  • Virtual IP - a specific VIP address created on the outbound interface. Used for binding a subnet to a particular public address.
  • Alias - a group of addresses for load distribution. Combined with Pool Options, it provides balancing across multiple external addresses.
  • Other Subnet - an arbitrary subnet for translation.

Pool Options

When using an alias or subnet in Translation Address, the following distribution methods are available:

MethodDescription
DefaultRound Robin without address persistence
Round RobinSequential cycling through addresses
Round Robin with Sticky AddressRound Robin with client-to-address persistence
RandomRandom address selection from the pool
Random with Sticky AddressRandom selection with address persistence
Source HashDeterministic selection based on source address hash
BitmaskAddress masking (used for /24-to-/24 translations)

Common scenarios

Static port for SIP and VoIP

SIP, IKE (IPsec), and some gaming protocols require the original source port to be preserved during translation. By default, pfSense randomizes ports to enhance security, which breaks these protocols.

Configuring static port in hybrid mode:

  1. Switch Outbound NAT to Hybrid mode.
  2. Create a rule:
    • Interface - WAN
    • Source - SIP server or phone address (for example, 192.168.1.200/32)
    • Destination - Any
    • Translation Address - Interface Address
    • Static Port - checked
    • Description - “Static port for SIP PBX”
  3. Save and apply changes.

For IPsec VPN initiated by the firewall itself, pfSense automatically creates a rule with static port for UDP 500 (ISAKMP) and UDP 4500 (NAT-T) in automatic and hybrid modes.

Warning:

The Static Port flag is incompatible with using a single external address for multiple internal hosts sharing the same source port. If two SIP phones simultaneously initiate connections from port 5060, a conflict will occur. In such cases, each device should be assigned a separate VIP through individual rules.

Binding a subnet to a specific WAN address

In configurations with multiple WAN interfaces or additional public addresses, it may be necessary for a specific internal subnet to access the internet through a particular external address.

Example: the server subnet 10.0.2.0/24 should use VIP 203.0.113.20 instead of the primary WAN IP.

  1. Create VIP 203.0.113.20 on the WAN interface (Firewall > Virtual IPs).
  2. Switch Outbound NAT to Hybrid mode.
  3. Create a rule:
    • Interface - WAN
    • Source - 10.0.2.0/24
    • Destination - Any
    • Translation Address - 203.0.113.20 (select the VIP from the list)
    • Description - “Server subnet outbound via VIP”
  4. Save and apply.

All other traffic will continue to be translated to the WAN IP through automatic rules.

Multi-WAN and policy-based NAT

When using multiple WAN interfaces (multi-WAN), each WAN requires its own outbound NAT rules. In automatic and hybrid modes, pfSense creates rules for each WAN interface automatically.

When traffic from a specific subnet needs to be directed through a particular WAN (policy routing):

  1. Create a gateway or gateway group under System > Routing.
  2. Create a firewall rule on the internal interface specifying the gateway (Gateway field).
  3. In hybrid or manual outbound NAT mode, verify that a rule exists for the corresponding WAN interface and source subnet.

Do not NAT rule

In some scenarios, specific traffic must be excluded from translation:

  • Traffic between VPN segments using private addresses.
  • Traffic to peer networks through a GRE tunnel.
  • Traffic to networks routed without NAT.

To create an exclusion:

  1. Create an outbound NAT rule with the Do not NAT flag checked.
  2. Specify the source subnet in the Source field.
  3. Specify the target subnet for which translation is not required in the Destination field.
  4. Place the rule above the rule that performs translation for this traffic.

Troubleshooting

Internet lost after switching to manual mode

The most common issue is switching to manual mode without creating the necessary rules or declining the offer to copy automatic rules.

Resolution:

  1. Navigate to Firewall > NAT > Outbound.
  2. Switch the mode back to Automatic or Hybrid.
  3. Click Save, then Apply Changes.
  4. Verify that internet access is restored from internal hosts.

If access to the web interface is lost, connect to the firewall console (serial port or physical console) and execute:

# Reset outbound NAT to automatic mode
pfctl -d && pfctl -e -f /tmp/rules.debug

Alternatively, use the console menu: the Reset to factory defaults option as a last resort.

Static port not working

Symptoms: SIP phone registers but calls do not connect; IPsec Phase 1 does not establish.

Verification:

  1. Ensure the rule with Static Port is positioned above the general NAT rule for the given subnet.
  2. Verify that the rule specifies the correct source address (a specific host rather than the entire subnet if the issue concerns a single device).
  3. Check the state table (Diagnostics > States) - the source port should match the port in the translation.
  4. Confirm that the Static Port flag is checked in the outbound NAT rule, not in the firewall rule.
# Verify NAT rules in pf
pfctl -s nat

# Check state table for SIP traffic
pfctl -ss | grep 5060

Multi-WAN: traffic exits through the wrong WAN

When using multiple WAN interfaces, traffic may be translated through the wrong address.

Verification:

  1. Ensure the firewall rule on the internal interface has the correct Gateway (the specific WAN gateway).
  2. Verify that an outbound NAT rule exists for the target WAN interface and source subnet.
  3. In manual mode, verify that rules exist for each WAN interface.
  4. Check gateway status under Status > Gateways - a failed gateway will cause failover to the backup WAN.

Diagnostic commands 

# View all outbound NAT rules loaded in pf
pfctl -s nat

# Check which external address is used for a specific internal host
pfctl -ss | grep 192.168.1.100

# Verify NAT translation in real-time
tcpdump -i em0 src host 192.168.1.100 -n

# Test outbound address from the server
curl -4 ifconfig.me

Migration from other platforms

Cisco ASA

In Cisco ASA, dynamic NAT (PAT) is configured through NAT objects (versions 8.3+) or global NAT (before 8.3).

ASA 8.3+ (Object NAT, PAT):

object network INSIDE-SUBNET
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface

ASA 8.3+ (Twice NAT with address pool):

nat (INSIDE,OUTSIDE) source dynamic INSIDE-SUBNET PAT-POOL
object network PAT-POOL
 range 203.0.113.10 203.0.113.15

pfSense equivalent:

  1. For standard PAT through the WAN IP - automatic outbound NAT mode (default configuration).
  2. For PAT through an address pool - hybrid or manual mode with VIP addresses and a rule using an alias in Translation Address with Pool Options set to Round Robin.

Key difference: in ASA, dynamic NAT configuration combines translation and control through ACLs. In pfSense, outbound NAT and firewall rules are independent entities.

FortiGate

In FortiGate, outbound NAT is implemented through an IP Pool in the firewall policy.

Standard PAT (overload):

config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN-SUBNET"
        set dstaddr "all"
        set action accept
        set nat enable
    next
end

PAT through IP Pool:

config firewall ippool
    edit "OUTBOUND-POOL"
        set startip 203.0.113.10
        set endip 203.0.113.15
        set type overload
    next
end

config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN-SUBNET"
        set dstaddr "all"
        set action accept
        set nat enable
        set ippool enable
        set poolname "OUTBOUND-POOL"
    next
end

In FortiGate, NAT is an attribute of the firewall policy. In pfSense, outbound NAT is configured separately from firewall rules, providing a clearer separation of translation and filtering functions.

MikroTik RouterOS

In MikroTik RouterOS, outbound NAT is implemented through a masquerade or src-nat rule in the srcnat chain.

Masquerade (analogous to automatic mode):

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

Source NAT with a fixed address:

/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.10

Differences during migration:

  • masquerade in MikroTik automatically uses the outgoing interface address (analogous to Interface Address in pfSense).
  • src-nat with a specified to-addresses is equivalent to an outbound NAT rule with a specific Translation Address.
  • In MikroTik RouterOS, NAT and firewall rules are in different chains of the same /ip firewall table. In pfSense, NAT and firewall are completely separate pf subsystems.

Related sections

  • Port forwarding - redirecting inbound traffic to internal servers
  • 1:1 NAT - bidirectional address translation and its interaction with outbound NAT
  • NAT overview in pfSense - NAT processing order and interaction between translation mechanisms
  • Firewall rules - creating filtering rules and policy routing
Last updated on
1:1 NAT in pfSense - Static Address Translation GuidepfSense Port Forwarding - Inbound NAT Configuration