• Hi all,

    I want to do NAT pooling, I have a /28 subnet on my WAN interface and at the moment I'm only using the one IP applied to the interface for NAT.

    So I've had a look at https://doc.pfsense.org/index.php/Outbound_NAT

    I have some questions I'm hoping someone with more experience than me can help with. I've created an Alias using "hosts" for addresses and have added my usable addresses into the Alias. The above linked guide states that you can only use RoundRobin if you are using an Alias; does this mean I cannot use RoundRobin with the sticky option?

    Then when I've tried using the Subnet option instead of an Alias, I can see that it issues out the network address as one of the addresses in the pool. So for instance, if my subnet is 192.168.77.112/28, then 192.168.77.112 is my non-usable network address… which is being issued out if I use a subnet pool. Can I set the subnet pool to 192.168.77.113/29, or will pfsense not read this properly since it's bogus?

    I'm reluctant to test too much as it's a live system, and when I tried this morning with Alias and RR_sticky I had lots of issues with certain network devices that MUST retain a single IP, which makes me think that sticky does not work with Aliases. And when I tried with the modified subnet so that it would not issue out the network address, it still seemed to do exactly that, which makes me think pfsense is ignoring the bogus subnet.

    As always any help much appreciated!

    tx

  • Rebel Alliance Developer Netgate

    @fusionp:

    I have some questions I'm hoping someone with more experience than me can help with. I've created an Alias using "hosts" for addresses and have added my usable addresses into the Alias. The above linked guide states that you can only use RoundRobin if you are using an Alias; does this mean I cannot use RoundRobin with the sticky option?

    RR+Sticky should work.

    @fusionp:

    Then when I've tried using the Subnet option instead of an Alias, I can see that it issues out the network address as one of the addresses in the pool. So for instance, if my subnet is 192.168.77.112/28, then 192.168.77.112 is my non-usable network address… which is being issued out if I use a subnet pool. Can I set the subnet pool to 192.168.77.113/29, or will pfsense not read this properly since it's bogus?

    What you are seeing is expected. You can't use a subnet for NAT unless you literally have the entire subnet routed to the firewall. The NAT subnet could be some portion of a larger WAN subnet so long as it doesn't overlap the start or end (network address or broadcast!), which is hard to do inside a small subnet like that. Best to stick to an alias.

    @fusionp:

    I'm reluctant to test too much as it's a live system, and when I tried this morning with Alias and RR_sticky I had lots of issues with certain network devices that MUST retain a single IP, which makes me think that sticky does not work with Aliases. And when I tried with the modified subnet so that it would not issue out the network address, it still seemed to do exactly that, which makes me think pfsense is ignoring the bogus subnet.

    Sticky works; you just likely hit an unexpected change when a client's states are gone:

    From pf.conf(5):

        Additionally, the sticky-address option can be specified to help ensure
        that multiple connections from the same source are mapped to the same re-
        direction address.  This option can be used with the random and
        round-robin pool options.  Note that by default these associations are
        destroyed as soon as there are no longer states which refer to them; in
        order to make the mappings last beyond the lifetime of the states,
        increase the global options with set timeout src.track.  See STATEFUL
        TRACKING OPTIONS for more ways to control the source tracking.

    So you might also need to enable sticky under System > Advanced > Misc and then set a higher source tracking timeout.
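    Added example (not from any post in this thread, and not the ruleset pfSense itself generates): the raw pf.conf equivalent of the alias-based pool with round-robin sticky-address and a longer source-tracking timeout that JimP describes above. The interface name, LAN network and the 12-hour timeout are constructed assumptions; the pool addresses are the usable part of the /28 from the question.

    ```pf
    # Constructed assumptions: WAN is em0 carrying 192.168.77.112/28, LAN is 10.0.0.0/24
    wan_if  = "em0"
    lan_net = "10.0.0.0/24"

    # Pool built from an explicit address list (the pfSense "alias" form), so the
    # network address .112 and the broadcast .127 of the /28 are never handed out,
    # unlike a subnet-form pool.
    table <natpool> { 192.168.77.113, 192.168.77.114, 192.168.77.115, 192.168.77.116 }

    # Sticky mappings are dropped as soon as a source has no states left (pf.conf(5)).
    # Keep the source-tracking entry alive for 12 hours (43200 s) after the last state
    # expires so a client that goes idle still returns on the same pool address.
    set timeout src.track 43200

    # A table pool only supports round-robin; sticky-address pins each source to the
    # pool address it was first given for as long as its src.track entry lives.
    nat on $wan_if from $lan_net to any -> <natpool> round-robin sticky-address
    ```

    After the rules are loaded, `pfctl -s Sources` lists the current source-to-pool-address mappings, so you can confirm a given internal host keeps the same WAN address across connections rather than guessing from the far end.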


  • Thanks, JimP

    I managed to set the aliases with sticky option and it does seem to work, I will see about setting the global sticky timeout for a longer period.

    I have Multi-WAN balancing now, and some things just battle when they see requests come in from multiple IPs, banking sites and IPTV systems. At times even setting the sticky options doesn't work, as a website or service may have many IPs that it uses; pfsense then treats it as a new connection and it may go out a different WAN circuit. Is there a way to keep Multi-WAN balancing but, once a session from a private IP is initiated, have it become sticky to the WAN interface that Multi-WAN balancing initially chose?