#readwise

# Configuring Outbound NAT on pfSense

## Metadata

- Author: [[netgate.com]]
- Full Title: Outbound NAT
- URL: https://docs.netgate.com/pfsense/en/latest/nat/outbound.html

## Highlights

## Static Port

By default, pfSense software rewrites the source port on all outgoing connections except for UDP port `500` (IKE for IPsec VPN traffic). **Some operating systems do a poor job of source port randomization, if they do it at all. This makes IP address spoofing easier and makes it possible to fingerprint hosts behind the firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities.** ^8fb5gr

Outbound NAT rules, including the automatic rules, will show ![fa-random](https://docs.netgate.com/pfsense/en/latest/_images/fa-random.png) in the Static Port column on rules set to randomize the source port.

Source port randomization breaks some rare applications. The default Automatic Outbound NAT ruleset disables source port randomization for UDP `500` because it will almost always be broken by rewriting the source port. **Outbound NAT rules which preserve the original source port are called Static Port rules and have ![fa-check](https://docs.netgate.com/pfsense/en/latest/_images/fa-check.png) on the rule in the Static Port column. All other traffic has the source port rewritten by default.**

Other protocols, such as those used by game consoles, may not work properly when the source port is rewritten. To disable this functionality, use the Static Port option.

...

**The best practice is to use strict rules when utilizing static port to avoid any potential conflict if two local hosts use the same source port to talk to the same remote server and port using the same external IP address.**

---
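The conflict described in the last highlight, as an added example that is not from the Netgate documentation and is not pf's real code: a simplified model of an outbound NAT state table comparing a LAN-wide static port rule with a strict per-host one. The `Rule` and `OutboundNat` names, the addresses and port `3074` are constructed for illustration.

```python
import random
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # hypothetical stand-in for one outbound NAT rule
    source: str                  # local source network (CIDR)
    dst_port: Optional[int]      # None matches any destination port
    static_port: bool            # True = keep the original source port

class OutboundNat:
    """Simplified model of an outbound NAT state table (not pf's real code)."""
    def __init__(self, ext_ip, rules, seed=1):
        self.ext_ip, self.rules = ext_ip, rules
        self.rng = random.Random(seed)
        self.states = {}         # (proto, ext_ip, ext_port, dst_ip, dst_port) -> local endpoint

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the external source port, or None if no unique mapping exists."""
        rule = next(r for r in self.rules            # first match wins
                    if ip_address(src_ip) in ip_network(r.source)
                    and r.dst_port in (None, dst_port))
        local = (src_ip, src_port)
        if rule.static_port:
            key = (proto, self.ext_ip, src_port, dst_ip, dst_port)
            if self.states.setdefault(key, local) != local:
                return None      # another host already owns this exact tuple
            return src_port
        while True:              # rewrite: pick an unused external port
            port = self.rng.randint(1024, 65535)
            key = (proto, self.ext_ip, port, dst_ip, dst_port)
            if key not in self.states:
                self.states[key] = local
                return port

def demo():
    # Constructed sample values (documentation address ranges).
    ext, server, lan = "203.0.113.10", "198.51.100.5", "192.168.1.0/24"
    flows = [("udp", "192.168.1.10", 3074, server, 3074),
             ("udp", "192.168.1.11", 3074, server, 3074)]
    broad = OutboundNat(ext, [Rule(lan, None, True)])
    strict = OutboundNat(ext, [Rule("192.168.1.10/32", None, True),
                               Rule(lan, None, False)])
    return {"broad": [broad.translate(*f) for f in flows],
            "strict": [strict.translate(*f) for f in flows]}

if __name__ == "__main__":
    print(demo())
```

With the LAN-wide static port rule the second host cannot get a unique mapping; with the strict rule only `192.168.1.10` keeps its source port and the second host is rewritten to a different one.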