1:1 NAT - Host range vs. subnet
-
I'm migrating to pfSense from Watchguard. Our firewall has three WAN interfaces. Each is configured with 1:1 NAT to a corresponding OPT (DMZ) interface. On Watchguard, you are given three choices for 1:1 NAT - single host, host range, or network. Example: WAN1's public IPs are 65.169.139.0/24, OPT1's private IPs are 192.168.139.0/24. The external gateway is 65.169.139.1 and the WAN1 interface is 65.169.139.254. The OPT1 interface is 192.168.139.254. I'm using host range with the ranges specified as 65.169.139.2-65.169.139.253 and 192.168.139.2-192.168.139.253. I don't see a similar option to host range in pfSense. So I'm pretty much left with choosing network (or adding 252 single entries :o ). My question is - will this cause me problems since network includes both .1 (the external gateway) and .254 (the external interface)? I'm not using hosts on OPT1 with either of the two corresponding addresses.
-
I don't see a way to do that, either. Another reason routed subnets are better than large interface networks.
You shouldn't have to create 252 NAT entries though. You just have to be creative in your subnetting.
If you look at making a firewall alias, you can tell it to make a Network alias for 65.169.139.2-65.169.139.253. It will generate the alias using as few subnets as possible to cover the range.
Again, unfortunately, you cannot use an alias in a NAT rule for whatever reason, but you can use the above to help generate as few rules as necessary.
This is what I get in 2.2.4:
-
Thanks - I'll investigate that idea. I was also thinking I could create just one entry, then backup the config, and write a small utility to generate the rest of the ranges. The config is a XML file, right? Should be fairly simple once I know the structure.
