Interface groups OR multiple interface choice on NAT rules
I have multi-WAN in use: two WAN ports from different ISPs, each with static IP addresses. I really like being able to use ONE firewall rule and apply it to >1 interface. I also like being able to use interface groups instead of multiple port choices. They both would serve to reduce the rule clutter on my firewall.
However, I am not allowed to select more than one port upon creation of a NAT Port Forward entry, nor am I allowed to choose an interface group. Thus, when creating incoming port forwards (such as inbound SMTP or DNS), I must create a separate NAT rule per port(s) per interface. Also, in order to allow the NAT section to manage automatically generated firewall rules, it ends up creating additional rule clutter in the firewall rules.
Question: is pfSense 2.0 supposed to allow multiple interface selections, or interface groups, in the NAT: Port Forward creation dialog? If not, it really should.
I agree with you regarding the need to select interface groups for NAT rules. I'm just setting up a pfSense with about 30 port forwards and 2 WAN connections, which means I need 60 NAT entries (30 for each WAN). It would be so nice if we could select an interface group!
Regarding selecting multiple ports for a NAT rule, this is actually possible. If you set up an alias, you can specify it as a port alias. This lets you set up an alias for multiple mail server ports (110, 25, 143, etc.) and you can then use this alias in the NAT rule. It's at least part way there. The limitation of this is that you can't mix ports for different protocols in an alias. The alias is just port numbers, and then the NAT rule defines whether those numbers relate to UDP or TCP etc.
Ahh, I'm glad I found your posts! Coming from a Linux background I just assumed it was natural to be able to apply a NAT rule to all interfaces, and so thought I was totally ignorant as I tried to figure out how to make pfSense do it!
(I'm still using 2.0-RELEASE (i386) built on Wed Sep 14 00:39:34 EDT 2011 - is the feature I need already available?)
In any case, I agree - supporting groups for NAT, or multiple interface selection for NAT, or even just an ALL interfaces option in NAT (that should be easy if pf is anything like iptables) would be really great.
My scenario is relatively simple and normal for a small ISP:
We have several VLANs bringing in customer traffic from different geographical locations, and a VLAN for our server room, for example:
10.0.0.0/16: IPs for our server room - mail, web, etc.
10.1.0.0/16: East side of town
10.2.0.0/16: West side of town
10.3.0.0/16: Center of town (you get the idea...)
Let's say the public IP is 184.108.40.206.
All VLANs come into the pfSense box, which then NATs out through a real public IP. (Actually several real public IPs.)
So obviously some of our servers - like our main web page and email servers - need to be reached by all users, regardless of whether they are at home or traveling. We configure their mail clients to connect to 220.127.116.11 (via domain name) and it should just work whether they are at home or at work or anywhere else in the world.
The problem is we have to add a forward rule for POP3S (port 995) not only on the WAN interface for the mail server, but also on each and every customer access VLAN interface.
So if we have a web server, a mail server, a DNS server, and a backup DNS and mail server, each with several ports listening, we could end up having to add a lot of rules.
So yes, being able to apply a NAT rule to a group or to ALL would be a most splendid and powerful feature!
Thanks a million for a great product and keep up the good work!
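To show what the three posts above are asking for at the pf level (a port list reused across rules, one forward applied to a whole interface group, and an "all interfaces" forward), here is an added example written for this thread. It is hand-written pf.conf syntax, not the ruleset pfSense generates from its GUI and not code from any of the posters. It assumes two WAN interfaces em0/em1 placed in a group named wanports, customer VLAN interfaces vlan10/vlan11 in a group named custvlans, placeholder internal servers 10.0.0.25 (mail) and 10.0.0.53 (DNS), and the public address 184.108.40.206 quoted in the post; every interface name, group name and internal address here is a placeholder chosen for the example.

```pf
# Group membership is set once from a shell, not inside pf.conf
# (placeholder interface and group names):
#   ifconfig em0 group wanports ; ifconfig em1 group wanports
#   ifconfig vlan10 group custvlans ; ifconfig vlan11 group custvlans

# Macros stand in for pfSense aliases. A port list carries no protocol;
# the rule that uses it decides TCP or UDP, exactly the limitation the
# thread describes.
public_ips = "{ 184.108.40.206 }"   # the public address from the post; add the others here
mail_srv   = "10.0.0.25"            # placeholder internal mail server
dns_srv    = "10.0.0.53"            # placeholder internal DNS server
mail_ports = "{ 25 110 143 995 }"   # all TCP, so one rule covers the whole set

# Translation section: one rdr per (service, group) instead of per interface.
# "on wanports" matches traffic arriving on any member of the group, and
# "(wanports)" expands to the members' current addresses, so the rule
# follows an address change without being rewritten.
rdr on wanports proto tcp from any to (wanports) port $mail_ports -> $mail_srv

# Customers inside the VLANs connect to the public address, so on the VLAN
# group the match is on the public IPs, not on the VLAN interface addresses.
rdr on custvlans proto tcp from any to $public_ips port $mail_ports -> $mail_srv

# Leaving out "on" entirely is the "ALL interfaces" option asked for above:
# the rule applies to packets arriving on any interface.
rdr proto { tcp udp } from any to $public_ips port 53 -> $dns_srv

# Filter section: rdr only rewrites the destination. Matching pass rules are
# still required, and they are evaluated against the translated (internal)
# address, not the public one.
pass in on wanports  proto tcp from any to $mail_srv port $mail_ports keep state
pass in on custvlans proto tcp from any to $mail_srv port $mail_ports keep state
pass in proto { tcp udp } from any to $dns_srv port 53 keep state
```

Two practical notes for anyone trying this by hand. `pfctl -nf /path/to/file` parses a ruleset without loading it, and `pfctl -sn` / `pfctl -sr` show the translation and filter rules currently loaded, which is the quickest way to confirm that a group rule expanded to the interfaces you expected; rdr rules are first-match, so a broad rule without `on` placed above a narrower one will shadow it. Also, pfSense regenerates its whole ruleset from the GUI configuration on every filter reload, so rules loaded this way are replaced at the next reload; that is exactly why the request in this thread belongs in the NAT: Port Forward dialog rather than in a hand-edited file.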