How to create a Virtual IP address pool for use with outbound NAT?
-
For my network of 100 homes, i want to have the outbound traffic on the WAN distributed among a small set of IP addresses, rather than all of them using the default address of the WAN interface.
This is described in the docs at https://doc.pfsense.org/index.php/Outbound_NAT, and I'm told that IP Alias type virtual IPs (VIPs) are the way to do this, but the docs don't say how a pool of them are actually created/configured.
I can see how to create the individual VIPs (one IP address at a time), but I don't see how to one VIP that includes a group of addresses nor how to group individual VIPs into a pool so they can be referenced when creating outbound NAT rules.
Can anyone point me in the right direction? I'm running V2.2.3 NanoBSD.
Thanks,
Jeff
-
I've never done what you're attempting but I would think you have to create the virtual IPs manually, then either create the outbound NAT mappings one-by-one where you associate the specific LAN IP with one of your virtual IPs (so you would have an outbound NAT rule for every home), or create aliases and add your LAN IPs to them to group them eg. 10x10, 20x5 etc, and them use those aliases in your outbound NAT rules (so you would need one outbound NAT rule for every LAN IP alias.) I don't remember if you can use aliases for outbound NAT or not, so that's why I listed the two approaches I could think of.
-
I do this on several firewalls. It is pretty easy to do.
First, create the virtual IPs. In my case, I have a /24 that I use most of for a round robin NAT pool. I proxy arp these IPs. The /24 is subnetted into smaller blocks so I can carve out the other IP's I need for other services.
Then just create outbound NAT rules.
Remember to set the pool options in the rule, such as round robin, RR w/ sticky address, etc…
