Setup for allowing multiple IP subnets on a NAT entry



  • Hi all, by way of introduction, I have been using pfSense since it first came out and m0n0wall long before that. I have a few firewalls in service for over a decade with regular updates and hardware swaps as needed. I have never needed help on something, and now I find my eyes are crossing trying to wrap my meager brain around how to do this… it should be easy.

    NAT Port forward for port 80, going to 192.168.20.14

    Allow the following subnets:
    204.155.60.*
    204.155.61.*
    204.155.62.*

    Allow the following IPs:
    12.70.106.33
    12.70.106.34
    173.210.80.242

    How do I add all those IP blocks and individual IPs? Have pity on me ;-)

    JP





  • First, create an alias containing the subnets that should be allowed. Then use that alias in the source section of the NAT rule.
    This restricts the NAT to apply only when the source is in your alias.

    The alias would then contain these networks:

    204.155.60.0/24
    204.155.61.0/24
    204.155.62.0/24
    12.70.106.33/32
    12.70.106.34/32
    173.210.80.242/32



  • Oh my goodness… it is soooo simple, ALIAS! Thanks a ton!

    One more question: which is the best way to express an entire subnet? The help text says you can do either 1.1.1.1-1.1.1.255 and /32, or 1.1.1.1 /24, to express the entire 1.1.1.*. Which is the preferred method to allow access from the entire subnet? I would assume /24 would be preferable to writing it out, since /24 is 255.255.255.0, which accomplishes what I want?

    Thanks a TON for your quick response!

    JP

    @vindenesen:

    First, create an alias containing the subnets that should be allowed. Then use that alias in the source section of the NAT rule.
    This restricts the NAT to apply only when the source is in your alias.

    The alias would then contain these networks:

    204.155.60.0/24
    204.155.61.0/24
    204.155.62.0/24
    12.70.106.33/32
    12.70.106.34/32
    173.210.80.242/32



  • I personally prefer using a.b.c.d/24, but that's just me. I think it's easier to read, and to see that it actually applies to the entire subnet.
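The following Python is an added example, not code from this thread or from pfSense itself. It models the alias described in the answer above (the six entries, used as the source of the port-80 forward to 192.168.20.14) and the notation question about 1.1.1.1-1.1.1.255 versus 1.1.1.1 /24. It uses only the standard-library ipaddress module: each alias line is parsed as CIDR, single host, or a-b range, sample source addresses are checked against the result, and the range spelling is summarised so you can see how many prefixes it really takes and that it leaves 1.1.1.0 out. The pf table/rdr rendering at the end is a hand-written equivalent of what the GUI rule means, not pfSense's generated ruleset; the interface name em0 and the table name web_allowed are assumptions.

```python
"""Model a pfSense-style alias and test NAT source matching against it.

Added example; not code from the forum thread or from pfSense.
Uses only the Python standard library so it runs offline.
"""
import ipaddress
from typing import Iterable, List

# Alias entries exactly as given in the thread's answer (constructed input).
THREAD_ALIAS = [
    "204.155.60.0/24",
    "204.155.61.0/24",
    "204.155.62.0/24",
    "12.70.106.33/32",
    "12.70.106.34/32",
    "173.210.80.242/32",
]


def parse_alias_entry(entry: str) -> List[ipaddress.IPv4Network]:
    """Turn one alias line into a list of IPv4 prefixes.

    Accepts the three spellings discussed in the thread:
      - CIDR such as "204.155.60.0/24". Host bits, as in "1.1.1.1/24", are
        masked off (strict=False), which is what a firewall does with such
        input: the entry means 1.1.1.0/24.
      - a bare address such as "12.70.106.33", treated as /32.
      - a range such as "1.1.1.1-1.1.1.255", reduced to the minimal set of
        prefixes that covers exactly those addresses.
    """
    entry = entry.strip().replace(" ", "")  # tolerate "1.1.1.1 /24"
    if "-" in entry:
        low, high = entry.split("-", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(low), ipaddress.ip_address(high)))
    return [ipaddress.ip_network(entry, strict=False)]


def build_alias(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Flatten every alias line into one list of prefixes (kept in order,
    not merged, so the result reads like the alias the admin typed)."""
    return [net for entry in entries for net in parse_alias_entry(entry)]


def source_allowed(alias: Iterable[ipaddress.IPv4Network], src: str) -> bool:
    """True if the NAT rule would match a packet from this source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in alias)


def render_pf(alias: Iterable[ipaddress.IPv4Network], table: str = "web_allowed",
              ext_if: str = "em0", target: str = "192.168.20.14",
              port: int = 80) -> str:
    """Hand-written pf(4) equivalent of the GUI rule: a table holding the
    alias plus an rdr that only fires for sources in that table.
    (Assumed names; pfSense writes its own rules, this just shows the shape.)"""
    members = ", ".join(str(net) for net in alias)
    return "\n".join([
        f"table <{table}> {{ {members} }}",
        f"rdr pass on {ext_if} inet proto tcp from <{table}> "
        f"to ({ext_if}) port {port} -> {target} port {port}",
    ])


if __name__ == "__main__":
    alias = build_alias(THREAD_ALIAS)
    for src in ("204.155.61.77", "12.70.106.34", "12.70.106.35", "204.155.63.1"):
        print(f"{src:>16} allowed={source_allowed(alias, src)}")
    # Why /24 reads better than a range: the range form needs eight prefixes
    # and silently excludes 1.1.1.0, while "1.1.1.1 /24" is one prefix.
    print("range  ->", [str(n) for n in parse_alias_entry("1.1.1.1-1.1.1.255")])
    print("cidr   ->", [str(n) for n in parse_alias_entry("1.1.1.1 /24")])
    print(render_pf(alias))
```

Running it shows the range spelling expanding to 1.1.1.1/32, 1.1.1.2/31, ... 1.1.1.128/25, which is the concrete reason the last reply's preference for a.b.c.d/24 is sound: one prefix, the whole block, no surprise at .0.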