VIP other and a few questions.
-
pfSense version 2.4.r Release-p3 - HA pair
We have a public subnet on the WAN side of the firewalls which we use for 1 to 1 NAT with CARP VIPs and that works fine. I now need to add another subnet for NAT as we have run out of IPs so I am going to just route a new subnet to the WAN VIP and then use other VIPs in the configuration.
First time I have set up other VIPs so just a few queries -
- you can choose either "Network" or "Single Address" within the configuration. I understand if I choose single address for each new 1 to 1 NAT I would need to add a new VIP and then do the NAT as I do with the CARP configuration.
If I choose network and enter x.x.x.x/26 does that mean I don't have to do any more VIP config for that subnet, I can just add new 1 to 1 NATs as and when I need them?
- Again with the "Network" choice there is a tick box - "Disable Expansion of this entry...."
I'm not sure I follow what this does exactly. I played around with it a bit but could see no differences under the 1 to 1 NAT entries whether it was checked or not.
- Finally, is there any recommendation in terms of the above, i.e. does it make more sense to do individual VIP entries as and when I need them or just enter the subnet (assuming I understood it right as above)?
If it just comes down to choice I may well do individual entries as I think it is more intuitive for others to see what is going on but there may be good reasons not to do that.
Many thanks for any and all help.
-
So I have done a bit more experimenting and it seems if I add a Network of other VIPs then in the 1 to 1 section it does nothing but in the outbound NAT section it expands the network entry out to all the individual entries.
If I then check the "Disable expansion ....." checkbox it does not do that.
However, I do not care about outbound NAT as such; this subnet is only ever going to be used for 1 to 1 NAT entries, so do I gain anything by using a Network entry rather than individual entries in the VIP section?