NAT based on soruce IP



  • Hi Guys,

    This is the first time I'm writing on this forum.

    I'm a big fan of pfsense and we have very complex pfsense set-up working very well, as a new requirement we need to re-direct traffic (NAT) based on the Source IP address.

    Ex :-

    RULE 01 - Users coming from USA -> (IP-A) -> NAT -> WEB_SRV_01 (same public IP/URL/Same port)
    RULE 02 - Users coming from AU  -> (IP-A) -> NAT -> WEB_SRV_02 (same public IP/URL/Same port)
    RULE 03 - Users coming from ANY_OTHER -> (IP-A) -> NAT -> WEB_SRV_03 (same public IP/URL/Same port)

    What we relay need is when people accessing our website from different countries, direct them to different web sites.

    I have used pfblocker to sort out the country IP's using Aliases, but NAT it's not working properly.

    EX failure :-

    if traffic is coming from USA

    It's redirecting traffic USA to WEB_SRV_01 one as well as WEB_SRV_03. (hitting both RULE 01 and RULE 03 round-robin)

    I thought NAT are working same as firewall rules from top -> bottom (but looks like no)

    if I use negative source (!USA) on RULE_03, traffic coming from USA re-direct to WEB_SRV_01 once and getting failed on the other time, coz it's trying to use the RULE 03

    Hope you guys can share some light on this and get me in to the correct path. I'm not sure what i have to do get this working.

    Thanks in advance.

    Regards,
    Malaka



  • Sounds like you're doing things right. The scenario you described will work fine. I think the most likely issue is pfblocker's data is something like 2 years old at this point, the package maintainers stopped updating the list a couple years ago when countryipblocks.net discontinued their free lists. Use a better data source (like a paid subscription to countryipblocks.net) and I suspect it'll probably work.

    We'll be putting out a better alternative in the not too distant future for country IP lists, that's something you'll want to keep an eye out for. (subscribe to announcements list @ lists.pfsense.org if you haven't already)


Log in to reply