Port Forwarding (NAT/PAT) with Multi WAN = Multiple NAT rules?


  • Hello,

    I'm still in the process of installing a pfSense router for:

    • One local network (192.168.1.0/24)

    • Three different Internet connections (say: WAN_InternetA, WAN_InternetB, WAN_InternetC)

    I'm now testing NAT port forwarding (PAT, that is) and I was wondering if it was possible to create one NAT rule for multiple interfaces?
    Example:
    Say I have one web server on 192.168.1.105 that I want to be accessed from the outside (whatever WAN interface it is coming in on) on port, say, 1086. It seems that I have to create 3 rules: one for each WAN interface (…/firewall_nat.php).

    | If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
    | WAN_InternetA | TCP/UDP | * | * | * | 1086 | 192.168.1.105 | 80 (HTTP) | Awesome webserver |
    | WAN_InternetB | TCP/UDP | * | * | * | 1086 | 192.168.1.105 | 80 (HTTP) | Awesome webserver |
    | WAN_InternetC | TCP/UDP | * | * | * | 1086 | 192.168.1.105 | 80 (HTTP) | Awesome webserver |

    I thought I could circumvent this by creating Interface Groups (…/interfaces_groups.php) but they don't populate the "Interface" drop-down field when creating a new NAT rule (…/firewall_nat_edit.php).
    Is there any solution to avoid creating multiple rules?
    Thanks


  • I think on your port forwarding setup you should change Dest. addr from * to wan_internetx.

    Today I set up NAT on each interface, but the pfSense core team always has some tweaks/new features available.

    So, my answer is: Until now I only know this way  :)


  • Port forwards are specific to one particular WAN, because you need to specify the destination external IP and that's specific to each WAN. You should not have "any" there; though that's mostly functionally equivalent if you only have one IP, it has the possibility of forwarding traffic you do not want forwarded.


  • I get the idea.
    It's always a choice between fine-tuning precision (providing some security) and ease of administration ;)
    I'll stick with security then.
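
The point made in the replies (one rule per WAN, with the destination pinned instead of "any") can be checked and generated from a single service definition. This is an added example, not code from the thread or from pfSense; it works on rule rows in the table layout used in the question, and the "<interface> address" destination label is an assumed naming.

```python
# Added example: audit and expand the thread's port-forward table.
# Assumption: "<interface> address" is a label chosen here, not pfSense output.
COLUMNS = ["if", "proto", "src", "sport", "dst", "dport", "nat_ip", "nat_port", "descr"]

# Constructed sample: the three rules as posted in the question (Dest. addr = *).
POSTED = """\
| WAN_InternetA | TCP/UDP | * | * | * | 1086 | 192.168.1.105 | 80 (HTTP) | Awesome webserver |
| WAN_InternetB | TCP/UDP | * | * | * | 1086 | 192.168.1.105 | 80 (HTTP) | Awesome webserver |
| WAN_InternetC | TCP/UDP | * | * | * | 1086 | 192.168.1.105 | 80 (HTTP) | Awesome webserver |
"""

def parse_rules(table):
    """Parse pipe-delimited rule rows into dicts keyed by COLUMNS."""
    rules = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "If":
            continue  # skip blank or malformed rows and the header row
        rules.append(dict(zip(COLUMNS, cells)))
    return rules

def audit(rules):
    """Return one finding per rule whose destination address is a wildcard."""
    findings = []
    for r in rules:
        if r["dst"].lower() in ("*", "any"):
            findings.append(f'{r["if"]}: Dest. addr is "{r["dst"]}" on port '
                            f'{r["dport"]}; pin it to the address of {r["if"]}')
    return findings

def expand(service, wans):
    """Build one rule per WAN from a single service definition, destination pinned."""
    return [{**service, "if": wan, "dst": f"{wan} address"} for wan in wans]

def render(rules):
    """Render rules back into the same pipe-delimited row layout."""
    return "\n".join("| " + " | ".join(r[c] for c in COLUMNS) + " |" for r in rules)

if __name__ == "__main__":
    for finding in audit(parse_rules(POSTED)):
        print("FINDING:", finding)
    service = {"proto": "TCP/UDP", "src": "*", "sport": "*", "dport": "1086",
               "nat_ip": "192.168.1.105", "nat_port": "80 (HTTP)",
               "descr": "Awesome webserver"}
    fixed = expand(service, ["WAN_InternetA", "WAN_InternetB", "WAN_InternetC"])
    print(render(fixed))
```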