[Solved] Using IP Aliases as NAT destination rule?



  • In a multi-WAN context I have to make sure some destinations are only accessed via certain WAN interfaces because the destination is some pre-production webserver, special backoffice website or internal-use-only FTP operated by third parties that use a whitelist-system to allow access.

    Until now I used firewall rules (from:LAN to:the_destination_ip proto:HTTP/FTP/…) with Gateway Advanced Option set to route that traffic through a given WAN.

    I then have a destination:WAN 1:1 mapping (to be honest it's a destination_address:destination_port:WAN mapping).

    Recently I obtained more IP addresses (a /29 block) for my WAN_C interface and configured pfSense's NAT outgoing to use them (via round robin).

    Because these third parties only know my original WAN_C IP address and it will take time for them to allow my new /29 block (if they can: many only accept one IP address), I have to make sure outgoing traffic to these destinations is not round-robined.
    My first approach was to create/clone the firewall rules as NAT outgoing rules, but considering there are about 90 firewall rules, I wanted to factor everything and thought about the IP aliases.

    If I create an IP alias with each destination inside, I could then create a single NAT outgoing rule that translates traffic from "LAN" to destination "this_alias" using the WAN_C IP address as the translation address, placing that rule before my round-robin one.

    Problem: NAT outgoing rule does not accept aliases as destination (nor source btw).
    Is there a workaround?

    Thanks
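The plan above relies on pf evaluating outbound NAT rules first-match, so the alias rule must sit above the round-robin rule in the generated ruleset. The following is an added example (not from the original post or from pfSense itself): a small POSIX shell check that reads `pfctl -sn` output and confirms that the first `nat` rule referencing the alias table comes before the first `round-robin` rule. The interface name `em2`, the alias name `Whitelisted_Dests`, and the 192.168.1.0/24, 203.0.113.2 and 203.0.113.8/29 addresses are assumptions, and the two `pfctl -sn` samples are constructed to mirror the format pfSense 2.3 prints.

```shell
#!/bin/sh
# Added example: verify outbound NAT rule order in `pfctl -sn` output.
# The samples below are CONSTRUCTED for this example (interface, alias
# name and addresses are assumptions, not values from the original post).

# Correct order: the alias-scoped rule with a fixed translation address
# precedes the catch-all round-robin rule over the /29 pool.
SAMPLE_GOOD='nat on em2 inet from 192.168.1.0/24 to <Whitelisted_Dests> -> 203.0.113.2 port 1024:65535
nat on em2 inet from 192.168.1.0/24 to any -> 203.0.113.8/29 port 1024:65535 round-robin'

# Wrong order: the round-robin rule matches first, so whitelisted
# destinations would still see addresses from the new /29 block.
SAMPLE_BAD='nat on em2 inet from 192.168.1.0/24 to any -> 203.0.113.8/29 port 1024:65535 round-robin
nat on em2 inet from 192.168.1.0/24 to <Whitelisted_Dests> -> 203.0.113.2 port 1024:65535'

# check_nat_order ALIAS  (reads pfctl -sn output on stdin)
# Exit 0 when the first nat rule referencing <ALIAS> appears before the
# first round-robin nat rule; exit 1 when no such rule exists or when a
# round-robin rule would be evaluated ahead of it.
check_nat_order() {
    alias_name="$1"
    awk -v alias="<$alias_name>" '
        # remember the line number of the first nat rule naming the table
        $1 == "nat" && index($0, alias) && !found_alias { found_alias = NR }
        # remember the line number of the first round-robin nat rule
        $1 == "nat" && /round-robin/ && !found_rr { found_rr = NR }
        END {
            if (!found_alias) {
                print "no nat rule references " alias
                exit 1
            }
            if (found_rr && found_rr < found_alias) {
                print "round-robin rule (line " found_rr ") precedes alias rule (line " found_alias ")"
                exit 1
            }
            print "ok: alias rule (line " found_alias ") is evaluated first"
            exit 0
        }'
}

# Stand-alone usage on the constructed samples; on a live box run:
#   pfctl -sn | check_nat_order Whitelisted_Dests
printf '%s\n' "$SAMPLE_GOOD" | check_nat_order Whitelisted_Dests
printf '%s\n' "$SAMPLE_BAD"  | check_nat_order Whitelisted_Dests || true
```

On a running pfSense box the table contents behind the alias can be listed with `pfctl -t Whitelisted_Dests -T show` to confirm every whitelisted destination actually made it into the alias.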



  • @CDuv:

    Problem: NAT outgoing rule does not accept aliases as destination (nor source btw).
    Is there a workaround?

    ??
    Select Network as type and enter your alias in the source or destination box. However, 2.3.1 seems to have a little bug here, so if I type the first letter in the box, it lists only port aliases in the dropdown instead of IPs.


  • LAYER 8 Netgate

    @viragomann:

    @CDuv:

    Problem: NAT outgoing rule does not accept aliases as destination (nor source btw).
    Is there a workaround?

    ??
    Select Network as type and enter your alias in the source or destination box. However, 2.3.1 seems to have a little bug here, so if I type the first letter in the box, it lists only port aliases in the dropdown instead of IPs.

    Seems to work OK here. IP aliases listed in networks, port aliases listed in ports.



  • Yes, it works now here. Maybe it was a browser fault on my other system?



  • The problem I mentioned above still persists, but only when editing an outbound NAT rule in the destination network field. Here I get only port aliases shown in the dropdown, independently from the web browser.


  • LAYER 8 Netgate

    I thought I saw what you are describing earlier but I just went to open a bug report and I can't duplicate it. Is there anything peculiar about the rule you see it on? Did you shift-reload and does it persist? What OS/Browser?

    I change any to network and type in the network field, and all I get are network aliases, not port aliases.



    I've done further tests now. The problem only occurs in the destination network field, when editing a rule whose destination was already a network before.
    It seems to be independent from the interface, the source and the translation address.

    I've attached a screenshot of a rule where I could reproduce this behaviour. Editing the destination network in this rule only brings up port aliases instead of IP aliases.

    I tested it with Firefox 42 on OpenSUSE 42.1 and on Windows 7 and also with Chrome 50 on Win7.




  • @viragomann:

    @CDuv:

    Problem: NAT outgoing rule does not accept aliases as destination (nor source btw).
    Is there a workaround?

    ??
    Select Network as type and enter your alias in the source or destination box. However, 2.3.1 seems to have a little bug here, so if I type the first letter in the box, it lists only port aliases in the dropdown instead of IPs.

    Thanks, I had never noticed that feature: the dropdown only appears as an autocomplete menu (suggesting aliases according to what I type), so I didn't know there was a menu there.

    It seems to work fine: thanks.
    That will simplify my firewall rules.


  • LAYER 8 Netgate

    That port alias bug will be fixed in 2.3.1_2.

