Conditional NATing - PAT for Web traffic HTTP,HTTPS,FTP,DNS - NAT pool all other
New user. ver2.1 Trying to setup NATing based on protocol. Want to force regular web traffic HTTP,HTTPS,FTP,DNS. etc to PAT out to a single Public IP all users, but NAT out all other traffic. I am attmpting to conserve public IP consumption for outbound VPN users.
Conditional NAT policy.
I am using Manual Outbound NAT rule and VIPs.
By default in most WAN configurations pfSense will "PAT" all LAN clients to a single public IP address. You can edit this default rule and specify the desination ports for HTTP, HTTPS etc. so it only works for those connections. You can then create another NAT rule below that for your other traffic that translates using a public IP address pool.
Understood, but can you build that PAT rule based on a list of ports - HTTP,HTTPS,FTP,DNS, or do I have to add additional PAT rules, 1 for each port?
PAT when destination port is HTTP, use 220.127.116.11
PAT when destination port is HTTPS, use 18.104.22.168
PAT when destination port is FTP, use 22.214.171.124
NAT when destination port is anything else, use NAT Pool 126.96.36.199 - 188.8.131.52
The Cisco implementation for this is a TCP/UDP port object group, where I can use a list of ports in a matching rule.
Thanks for your response
Yes you can use aliases. The NAT rules only execute the first rule that matches, so you can leave the ports blank on the second rule.
Perfect, thanks. Built a PAT rule using my common web traffic port list using an alias "CommonWeb" - 80:8080:8088:443:53:21, etc …
2nd rule - NAT rule with a pool of addresses to catch whatever does not match on 1st rule.
Alias delimiter syntax? The value field says to use a colon for ranges. If I want ports 80 and 8080 but not everything in-between how do you enter it?
It won't take commas, spaces, semi colons. Does it only take : . If so then 80:8080 would be more ports then I really wanted.
Multiple rows - like this.
Yes, got it working. Very pleased with support forum assistance, big fan of PFSense.
thanks for the pic.