Reply to NAT External IP Rotation on Thu, 15 Jun 2017 21:22:16 GMT

KenBeanNet — Thu, 15 Jun 2017 21:22:16 GMT

What about a script to change the Address Pool every X hours? Then I can have 1 Subnet active per hour and rotate them through each.

Reply to NAT External IP Rotation on Sun, 21 May 2017 13:33:48 GMT

kpa — Sun, 21 May 2017 13:33:48 GMT

It's down to what the PF implementation that comes from FreeBSD can do. Quote from the manual page:


POOL OPTIONS
     For nat and rdr rules, (as	well as	for the	route-to, reply-to and dup-to
     rule options) for which there is a	single redirection address which has a
     subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more	than one IP
     address), a variety of different methods for assigning this address can
     be	used:

     bitmask
	   The bitmask option applies the network portion of the redirection
	   address to the address to be	modified (source with nat, destination
	   with	rdr).

     random
	   The random option selects an	address	at random within the defined
	   block of addresses.

     source-hash
	   The source-hash option uses a hash of the source address to deter-
	   mine	the redirection	address, ensuring that the redirection address
	   is always the same for a given source.  An optional key can be
	   specified after this	keyword	either in hex or as a string; by
	   default pfctl(8) randomly generates a key for source-hash every
	   time	the ruleset is reloaded.

     round-robin
	   The round-robin option loops	through	the redirection	address(es).

	   When	more than one redirection address is specified,	round-robin is
	   the only permitted pool type.

     static-port
	   With	nat rules, the static-port option prevents pf(4) from modify-
	   ing the source port on TCP and UDP packets.

It's likely that the pfSense devs are going to say no to feature requests involving additional address rotation schemes and just "pass the puck" to FreeBSD developers.