Netgate Discussion Forum
    Conditional NATing - PAT for Web traffic HTTP,HTTPS,FTP,DNS - NAT pool all other

sshicks99

New user. ver2.1 Trying to setup NATing based on protocol. Want to force regular web traffic HTTP,HTTPS,FTP,DNS, etc. to PAT out to a single Public IP for all users, but NAT out all other traffic. I am attempting to conserve public IP consumption for outbound VPN users.
      Conditional NAT policy.
      I am using Manual Outbound NAT rule and VIPs.

kathampy

By default in most WAN configurations pfSense will "PAT" all LAN clients to a single public IP address. You can edit this default rule and specify the destination ports for HTTP, HTTPS etc. so it only works for those connections. You can then create another NAT rule below that for your other traffic that translates using a public IP address pool.

sshicks99

          Understood, but can you build that PAT rule based on a list of ports  - HTTP,HTTPS,FTP,DNS, or do I have to add additional PAT rules, 1 for each port?
              PAT when destination port is HTTP,  use 63.138.232.1
              PAT when destination port is HTTPS, use 63.138.232.1
              PAT when destination port is FTP,    use 63.138.232.1
              etc ..
              NAT when destination port is anything else, use NAT Pool 63.138.232.3 - 63.138.232.62
          The Cisco implementation for this is a TCP/UDP port object group, where I can use a list of ports in a matching rule.
          Thanks for your response

kathampy

            Yes you can use aliases. The NAT rules only execute the first rule that matches, so you can leave the ports blank on the second rule.

sshicks99

              Perfect, thanks.  Built a PAT rule using my common web traffic port list using an alias "CommonWeb" - 80:8080:8088:443:53:21, etc …
              2nd rule - NAT rule with a pool of addresses to catch whatever does not match on 1st rule.

sshicks99

Alias delimiter syntax? The value field says to use a colon for ranges. If I want ports 80 and 8080 but not everything in-between, how do you enter it?
It won't take commas, spaces, semicolons. Does it only take ':'? If so then 80:8080 would be more ports than I really wanted.

phil.davis

                  Multiple rows - like this.

[Attachment: PortAlias.png]

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

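To make the two points in this thread concrete (first-match evaluation of outbound NAT rules, and a multi-row port alias matching discrete ports rather than the whole 80:8080 range), here is an added model of that evaluation in Python. It is not pfSense code and not from any poster; the LAN-side details are omitted and the pool is walked round-robin purely as an assumption for illustration, using the public addresses quoted in the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Set, List

def parse_alias(rows: List[str]) -> Set[int]:
    """Expand alias rows the way the GUI documents them:
    '80' -> {80}; '8080:8088' -> {8080, ..., 8088} (colon = range)."""
    ports: Set[int] = set()
    for row in rows:
        lo, _, hi = row.partition(":")
        hi = hi or lo
        ports.update(range(int(lo), int(hi) + 1))
    return ports

@dataclass
class OutboundNatRule:
    dst_ports: Optional[Set[int]]   # None = ports left blank = any port
    translate_to: List[IPv4Address] # one address = PAT; several = pool

def translate(rules: List[OutboundNatRule], dst_port: int, flow_id: int):
    """Public IP a new flow is translated to; the first matching rule wins."""
    for rule in rules:
        if rule.dst_ports is None or dst_port in rule.dst_ports:
            # assumption: a pool hands out addresses round-robin per flow
            return str(rule.translate_to[flow_id % len(rule.translate_to)])
    return None  # nothing matched: the flow would leave untranslated

def public_pool(first: str, last: str) -> List[IPv4Address]:
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    return [IPv4Address(a) for a in range(lo, hi + 1)]

# Constructed from the thread: a multi-row alias versus a single range row.
COMMON_WEB = parse_alias(["80", "8080", "8088", "443", "53", "21"])
RANGE_WEB = parse_alias(["80:8080"])   # what a one-row "80:8080" entry means

PAT_IP = IPv4Address("63.138.232.1")
POOL = public_pool("63.138.232.3", "63.138.232.62")

RULES = [
    OutboundNatRule(COMMON_WEB, [PAT_IP]),  # 1st: PAT common web ports
    OutboundNatRule(None, POOL),            # 2nd: everything else to the pool
]

if __name__ == "__main__":
    for port in (443, 1194, 1000):
        print(port, "->", translate(RULES, port, 0))
```

Port 1000 is the check worth noting: it falls inside 80:8080 but not inside the multi-row alias, so it correctly goes to the pool rather than the PAT address.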
sshicks99

Yes, got it working. Very pleased with support forum assistance, big fan of pfSense.
                    thanks for the pic.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.