Nat address pool



  • How can I do a NAT pool on pfSense?
    If I have [ 192.168.0.1 192.168.0.3 192.168.0.5 ],
    how can I add multiple IPs on WAN to do load balancing on NAT?



  • Search the forum, there is info on that already around.



  • @hoba:

    Search the forum, there is info on that already around.

    I have searched for the same question, but most applications are for 2 WANs with 2 ISPs.
    My example is for 1 ISP,
    so I haven't seen the same question >_<



  • I think the OP is talking about using an alias/list or a network in AON, so the external NAT would use several public IPs. This is all doable in pf, but not configurable via the GUI. I thought I saw a feature request for this, not sure.



  • I would love to use this feature to get around - or mitigate PPTP issues.
    fricken seems to have hit a wall (either that or I can't figure it out) and I have 90 public IPs I would love to randomize to help with PPTP connections…
    You said you can set it up non-GUI?  I've been searching around, and this post (with no answer) is about as accurate as I can come by.
    Any pointers are more than welcome.



  • 'Not configurable via the GUI' is shorthand for 'totally unsupported and will break the next time the filter is reloaded'. I haven't tried this, but a fairly standard AON rule would look something like this:
    nat on vr1 inet from 192.168.1.0/24 to any -> (vr1) round-robin
    You should be able to use something like:
    nat on vr1 inet from 192.168.1.0/24 to any -> { 10.20.30.10, 10.20.30.15 }
    This http://www.openbsd.org/faq/pf/pools.html suggests round-robin might be problematic and that something like this might be better:
    nat on vr1 inet from 192.168.1.0/24 to any -> 10.20.30.12/30 source-hash
    For experimentation, one could copy out the ruleset, modify and reload.
    Again, I haven't actually tried this, so YMMV.



  • Patches accepted. What would be really cool is if one could enter an alias for the outbound pools on the AON page. However, someone will shoot themselves in the foot if they fail to add a VIP for any IPs not defined on the respective interfaces.
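
Added example, not part of any post in this thread and not pfSense code: a Python model of the pool rules quoted above that lists pool addresses lacking a VIP and shows how many public IPs one internal host ends up using under round-robin versus source-hash. The VIP list, the connection sequence and the hash key are constructed sample data, and SHA-256 stands in for pf's own keyed hash.

```python
import hashlib
import ipaddress
import re

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+(?:/\d+)?")

def expand_pool(rule):
    """Addresses named after '->' in a pf nat rule; '(vr1)'-style targets yield []."""
    pool = []
    for tok in IPV4.findall(rule.split("->", 1)[1]):
        # Assumption: every address inside a CIDR block counts as a pool member.
        pool.extend(ipaddress.ip_network(tok, strict=False))
    return pool

def missing_vips(pool, configured):
    """Pool addresses with no matching interface address or VIP."""
    have = {ipaddress.ip_address(a) for a in configured}
    return [str(a) for a in pool if a not in have]

def round_robin(pool, sources):
    """Model: each new connection takes the next address, whatever its source."""
    return [(s, str(pool[i % len(pool)])) for i, s in enumerate(sources)]

def source_hash(pool, sources, key=b"constructed-key"):
    """Model: a keyed hash of the source picks the address (SHA-256 stand-in)."""
    out = []
    for s in sources:
        d = hashlib.sha256(key + ipaddress.ip_address(s).packed).digest()
        out.append((s, str(pool[int.from_bytes(d[:4], "big") % len(pool)])))
    return out

def public_ips_per_host(mapping):
    """Group a (source, translated) list into source -> set of public addresses."""
    seen = {}
    for src, pub in mapping:
        seen.setdefault(src, set()).add(pub)
    return seen

if __name__ == "__main__":
    rule = "nat on vr1 inet from 192.168.1.0/24 to any -> 10.20.30.12/30 source-hash"
    pool = expand_pool(rule)
    # Constructed sample data: VIPs present on vr1 and a sequence of new connections.
    vips = ["10.20.30.12", "10.20.30.13"]
    conns = ["192.168.1.50", "192.168.1.50", "192.168.1.51", "192.168.1.50"]
    print("no VIP for:", missing_vips(pool, vips))
    print("round-robin:", public_ips_per_host(round_robin(pool, conns)))
    print("source-hash:", public_ips_per_host(source_hash(pool, conns)))
```

A host that shows up from several public addresses under round-robin is the case where address-bound sessions on the far side can break; the source-hash model keeps each host on one address.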



  • @tdickson:

    I would love to use this feature to get around - or mitigate PPTP issues.
    fricken seems to have hit a wall (either that or I can't figure it out) and I have 90 public IPs I would love to randomize to help with PPTP connections…
    You said you can set it up non-GUI?  I've been searching around, and this post (with no answer) is about as accurate as I can come by.
    Any pointers are more than welcome.

    Have you managed to get this to work? I'm looking into doing the same thing…

