NAT and aliases



  • Can I create a single alias in pfSense for a range of ports, e.g. 25, 80, 443, 465, 993, 995, 1000, and have a single NAT rule that will redirect all the ports through to a single LAN address?

    The project here is to move a mail server that is currently bridged to the WAN via an OPT interface inside the firewall but allow access from outside the firewall.



  • Yes. You have to enter this alias at "Destination port range" as well as at "Redirect target port" in the NAT rule.



  • @viragomann:

    Yes. You have to enter this alias at "Destination port range" as well as at "Redirect target port" in the NAT rule.

    Thanks - that works and simplifies the configuration a lot.



  • @viragomann:

    Yes. You have to enter this alias at "Destination port range" as well as at "Redirect target port" in the NAT rule.

    Does this also work for multiple hosts at once? For example I create 3 aliases:
    1. host alias HostsExternal = 4 external IPs
    2. host alias HostsInternal = 4 internal IPs (192.168.x.x)
    3. port alias Ports = 80,443 (hosting websites)

    Can I create 1 single NAT port forward rule to host 4 sites in HTTP and HTTPS on 4 IPs?

    Trick question: what if the number of hosts does not match in the 2 aliases? What will happen then?


  • @jurgens:

    Does this also work for multiple hosts at once?

    No.



  • @doktornotor:

    @jurgens:

    Does this also work for multiple hosts at once?

    No.

    It does allow me to create the rule, but I have no means of testing it without putting it live. So is the limit that you can have 1 'range' alias (port OR host) and not 2? So in my example I can create 2 rules one for forwarding port 80 on my IP range and one for 443, correct? This would be shorter than making the rule per host for the 2 ports.


  • No. No range for hosts. (You can use subnets with 1:1 NAT).



  • @doktornotor:

    No. No range for hosts. (You can use subnets with 1:1 NAT).

    Just to make sure: I'm not talking about a subnet, but a host alias that has a number of hosts. So this means I have to make a NAT forward rule per IP or use 1:1 NAT with one rule per IP (the IPs do not form a complete subnet).

    That seems odd to me. My cheap Netgear router that this pfSense box will replace can do that. Simple rule like Service=https, Filter=Allow, Destination=externalIP1-externalIP2, LAN=internalIP1-internalIP2.
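    As an added illustration of the two answers above (this is hand-written pf.conf, not the ruleset pfSense generates from the GUI, and the interface name, addresses and alias contents are constructed for the example), a single port-list macro used as both the destination port and, implicitly, the redirect target port forwards every listed port to one host with one rule, whereas two host lists cannot be paired up and need one 1:1 (binat) line per external/internal pair:

```pf
# Added example, not pfSense's generated configuration.
# em0, 203.0.113.0/24 and 192.168.10.0/24 are constructed placeholders.
ext_if   = "em0"
mail_srv = "192.168.10.25"

# One port list used as "Destination port range" and "Redirect target port".
# The redirect target carries no port, so pf keeps each original port:
# 25 -> 25, 443 -> 443, and so on, from a single rdr rule.
mail_ports = "{ 25, 80, 443, 465, 993, 995, 1000 }"

rdr pass on $ext_if proto tcp from any to ($ext_if) port $mail_ports -> $mail_srv

# Host aliases cannot be mapped pairwise the same way: there is no ordered
# relationship between two host lists, so each external/internal pair gets
# its own 1:1 mapping (a subnet-to-subnet binat would need contiguous blocks).
binat on $ext_if from 192.168.10.21 to any -> 203.0.113.21
binat on $ext_if from 192.168.10.22 to any -> 203.0.113.22
binat on $ext_if from 192.168.10.23 to any -> 203.0.113.23
binat on $ext_if from 192.168.10.24 to any -> 203.0.113.24

# binat translates every port; a filter rule limits what actually gets in
# to the two web ports, so the 1:1 mapping does not expose the whole host.
web_srvs = "{ 192.168.10.21, 192.168.10.22, 192.168.10.23, 192.168.10.24 }"
pass in on $ext_if proto tcp from any to $web_srvs port { 80, 443 }
```

    The four binat lines are what "use subnets with 1:1 NAT" expands to when the addresses do not form one contiguous block; with a real subnet they collapse to one line (and one 1:1 entry in the pfSense GUI). Because 1:1 NAT maps all ports, the explicit pass rule is the part that keeps the exposure limited to HTTP and HTTPS.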


  • Do as you wish.