NAT External IP Rotation
-
Would it be possible to implement, instead of a random external IP, a circular IP rotation based on time? For example, every minute go to the next IP address, but keep the entire network on one IP for that time? (External)
I'd also have no problem paying for this feature.
-
It's down to what the PF implementation that comes from FreeBSD can do. Quote from the manual page:
POOL OPTIONS
For nat and rdr rules (as well as for the route-to, reply-to and dup-to rule options) for which there is a single redirection address which has a subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP address), a variety of different methods for assigning this address can be used:

bitmask
The bitmask option applies the network portion of the redirection address to the address to be modified (source with nat, destination with rdr).

random
The random option selects an address at random within the defined block of addresses.

source-hash
The source-hash option uses a hash of the source address to determine the redirection address, ensuring that the redirection address is always the same for a given source. An optional key can be specified after this keyword either in hex or as a string; by default pfctl(8) randomly generates a key for source-hash every time the ruleset is reloaded.

round-robin
The round-robin option loops through the redirection address(es). When more than one redirection address is specified, round-robin is the only permitted pool type.

static-port
With nat rules, the static-port option prevents pf(4) from modifying the source port on TCP and UDP packets.
It's likely that the pfSense devs are going to say no to feature requests involving additional address rotation schemes and just "pass the puck" to FreeBSD developers.
-
What about a script to change the address pool every X hours? Then I can have one subnet active per hour and rotate through each of them.
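Since pf itself only offers the pool options quoted above (bitmask, random, source-hash, round-robin), a time-based rotation has to be done outside pf by regenerating the rule on a schedule, which is the script idea in the last post. The following is an added example, not code from the thread or from pfSense: a POSIX sh script that picks the pool address for the current time slot and emits a single-address nat rule for it. The pool addresses (TEST-NET-3), the 60-second slot length, the interface em0, the LAN subnet 192.168.1.0/24 and the anchor name nat-rotation are all constructed assumptions. Loading the rule into an anchor with pfctl requires the main ruleset to reference that anchor with a nat-anchor line, and existing states keep the translation address they were created with, so a slot change only affects new connections.

```shell
#!/bin/sh
# Added example (not from the thread): time-sliced selection of an outbound
# NAT address for pf, so the whole network sits on one external IP per slot.

# Constructed example pool (TEST-NET-3) and slot length; adjust for real use.
POOL="203.0.113.10 203.0.113.11 203.0.113.12 203.0.113.13"
SLOT_SECONDS=60

# pool_size: number of addresses in POOL
pool_size() {
    set -- $POOL
    echo $#
}

# slot_index EPOCH: 0-based index of the pool entry active at the given
# Unix time; the pool is walked circularly, one entry per SLOT_SECONDS.
slot_index() {
    _n=$(pool_size)
    echo $(( ($1 / SLOT_SECONDS) % _n ))
}

# pool_addr INDEX: the address at a 0-based index in POOL
pool_addr() {
    _i=0
    for _a in $POOL; do
        if [ "$_i" -eq "$1" ]; then
            echo "$_a"
            return 0
        fi
        _i=$((_i + 1))
    done
    return 1
}

# nat_rule EPOCH: emit the outbound NAT rule for the slot active at EPOCH.
# Interface and LAN subnet are assumed values.
nat_rule() {
    echo "nat on em0 from 192.168.1.0/24 to any -> $(pool_addr "$(slot_index "$1")")"
}

# Applying it on a pf host (assumed anchor name; left commented so the script
# runs offline). Run this from cron every SLOT_SECONDS:
#   nat_rule "$(date +%s)" > /tmp/nat-rotation.conf
#   pfctl -a nat-rotation -f /tmp/nat-rotation.conf
nat_rule "$(date +%s)"
```

The slot is derived from the Unix timestamp rather than from a counter kept in a file, so every invocation (including after a reboot or a missed cron run) lands on the same address for the same minute, and several firewalls sharing the pool and clock stay in step.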