Feature #701

Interface groups with NAT

Added by Chris Buechler over 6 years ago. Updated over 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version:
Start date: 06/26/2010
Due date:
% Done: 0%


Description

In some scenarios it would be helpful to use interface groups with NAT (rdr and outbound).

Peplink_Balance_Web_Administration_Interface.png (116 KB) Max Mustermann, 07/31/2010 07:05 PM

Associated revisions

Revision a086178f
Added by erwin over 1 year ago

Update to 4.1.6

Major Bug Fixes:
- This release fixes segfault after start when many interfaces are in use.
- This version returns the EDNS bad version response with the AD flag
unset for improved conformance.

Minor Bug Fixes:
- Fix #701: Fix that AD=1 set in a BADVERS response.
- Fix typo in zonec.c inside error message.
- Fix #711: Document that debug-mode yes is used for staying
attached to the supervisor console.
- Document verbosity 3 prints more information.
- nsd-checkconf warns for master zones with no zonefile statement.
- Fix start failure when many file descriptors are in use.
- The servfail rcode is not printed with a space in the middle.
- print failed token for config syntax error or parse error.

PR: 204533
Submitted by: Jaap Akkerhuis <> (maintainer)
Sponsored by: DK Hostmaster A/S

History

#1 Updated by Erik Fonnesbeck over 6 years ago

This probably shouldn't be too hard to implement. With port forwards it will probably need code for separating the group into the member interfaces. Outbound NAT might need that, too. I'm not quite sure whether using interface groups is useful with outbound NAT, but if it is implemented, it may need a separate line in rules.debug for each interface in the group.

#2 Updated by Max Mustermann over 6 years ago

For users previously using Peplink Balance routers, all WAN can be selected in the screen where rules are edited. Instead of creating a rule for each WAN link, the Peplink way is to create a rule and select one, more or all WAN interfaces with checkboxes. See attached screenshot.

#3 Updated by Max Mustermann over 6 years ago

BTW: 17 out of 18 (94%) of our port forwarding rules are for all WAN links, and could benefit from being addressable by group name.

#4 Updated by Max Mustermann over 6 years ago

Current 20100731-1322 implementation is incorrect:
- having 'WAN1', 'WAN2' and 'WAN' as grouping of WAN1+WAN2
- <firewall_nat.php> can create a rule for WAN1
- creating an associated filter rule, creates one for WAN1 (= correct)
- now the associated filter rule can be edited, where interface WAN1 is changed to group WAN <firewall_rules_edit.php?id=1>
- after saving this, <firewall_nat.php> now displays 'WAN' && <firewall_nat_edit.php?id=0> displays 'WAN1' as interface (!= correct); html source of <firewall_nat_edit.php?id=0> shows: <option selected="" value="wan">WAN1</option>

#5 Updated by Bipin Chandra over 3 years ago

Can this be implemented like this: on the NAT port forward page you select the interface group, and pfSense creates the same rules under all WAN interfaces separately, but the NAT port forward page just shows one entry with the interface group?
