From NAT+proxy to PureNAT and interface rules



  • Hi,

    For many years we have been using pfSense and always used NAT+proxy. When the new GUI was released in pfSense, the NAT+proxy mode worked differently and was not reliable anymore. A few weeks ago we updated our pfSense again after a long while and found out that some functions still work but some don't. After browsing the forum and reading a lot of topics we discovered that the proxy helper is a bad solution and the advice is to use split DNS or PureNAT. Split DNS is not a good solution because we have hundreds of domain names and DNS records. So we changed the NAT+proxy to PureNAT. Everything seems to work fine, except the following.

    For example: our WAN has IP address 8.8.8.8/29, our LAN 192.168.1.x, OPT1 10.100.10.x.
    We have a NAT rule for dnsname.com with IP address 8.8.8.8.10 which forwards to 192.168.1.20.
    Because we don't want to have access from OPT1 to the internal LAN, we block everything from OPT1 to LAN.
    When we try to connect from OPT1 to dnsname.com, we need to create a firewall rule to allow traffic from OPT1 to 192.168.1.20 (or the whole network).
    But that means that for every domain name/public IP address we have to create a rule with the internal IP address of the web server in the OPT1 network?!

    Is there a way that the rules on the WAN are also automatically applied to OPT1 <-> LAN?

    Thanks in advance for any reply!

    Regards!
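The behaviour described in the post, modelled as an added example (this is not code from the post or from pfSense itself): pf applies port forwards (rdr) before it evaluates the interface's filter rules, so once Pure NAT reflection rewrites the destination, the OPT1 rules are matched against 192.168.1.20 rather than against the public address. The model assumes a public address of 8.8.8.10 inside the post's 8.8.8.8/29 block, and contrasts the post's "block OPT1 to LAN" rule set with one that adds a single pass rule for an alias of all port-forward targets.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of pfSense/pf packet handling on an internal interface:
# port forwards (rdr) are applied first, then the interface's filter rules
# are matched against the already translated destination.  Addresses follow
# the post (WAN 8.8.8.8/29, LAN 192.168.1.0/24, OPT1 10.100.10.0/24); the
# public address 8.8.8.10 and the rule sets are assumptions.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Port forward: public address:port -> internal host:port.  With NAT
# reflection set to "Pure NAT" this rdr also fires for packets from OPT1.
PORT_FORWARDS = {("8.8.8.10", 443): ("192.168.1.20", 443)}

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
# Alias holding every port-forward target, maintained in one place.
FORWARD_TARGETS = {ipaddress.ip_address(t[0]) for t in PORT_FORWARDS.values()}

def apply_port_forwards(pkt: Packet) -> Packet:
    """rdr step: rewrite the destination when a port forward matches."""
    target = PORT_FORWARDS.get((pkt.dst, pkt.dport))
    return pkt if target is None else Packet(pkt.src, target[0], target[1])

def filter_allows(pkt: Packet, rules) -> bool:
    """Interface rules, first match wins; no match means pfSense's default block."""
    dst = ipaddress.ip_address(pkt.dst)
    for action, match in rules:
        if match(dst):
            return action == "pass"
    return False

# OPT1 rule set from the post: block OPT1 -> LAN, allow everything else.
OPT1_RULES_BLOCK_ONLY = [
    ("block", lambda d: d in LAN_NET),
    ("pass", lambda d: True),
]
# One extra rule using the alias instead of a rule per web server.
OPT1_RULES_WITH_ALIAS = [("pass", lambda d: d in FORWARD_TARGETS)] + OPT1_RULES_BLOCK_ONLY

def reaches(src: str, dst: str, dport: int, rules) -> Optional[str]:
    """Return the post-NAT destination if the packet passes the rules, else None."""
    pkt = apply_port_forwards(Packet(src, dst, dport))
    return pkt.dst if filter_allows(pkt, rules) else None
```

`reaches("10.100.10.5", "8.8.8.10", 443, OPT1_RULES_BLOCK_ONLY)` returns None because the translated destination falls inside the blocked LAN network, while the alias rule set lets the same packet through to 192.168.1.20 without opening the rest of the LAN.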