Feature #701


Interface groups with NAT

Added by Chris Buechler almost 14 years ago. Updated almost 2 years ago.

Rules / NAT
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:


In some scenarios it would be helpful to use interface groups with NAT (rdr and outbound).


Actions #1

Updated by Erik Fonnesbeck almost 14 years ago

This probably shouldn't be too hard to implement. With port forwards it will probably need code for separating the group into the member interfaces. Outbound NAT might need that, too. I'm not quite sure whether using interface groups is useful with outbound NAT, but if it is implemented, it may need a separate line in rules.debug for each interface in the group.

Actions #2

Updated by Max Mustermann almost 14 years ago

For users previously using Peplink Balance routers, all WAN can be selected in the screen where rules are edited. Instead of creating a rule for each WAN link, the Peplink way is to create a rule and select one, more or all WAN interfaces with checkboxes. See attached screenshot.

Actions #3

Updated by Max Mustermann almost 14 years ago

BTW: 17 out of 18 (94%) out of our port forwarding rules are for all WAN links, and could benefit from being addressable by group name.

Actions #4

Updated by Max Mustermann almost 14 years ago

Current 20100731-1322 implementation is incorrect:
- having 'WAN1', 'WAN2' and 'WAN' as grouping of WAN1+WAN2
- <firewall_nat.php> can create a rule for WAN1
- creating an associated filter rule, creates one for WAN1 (= correct)
- now the associated filter rule can be edited, where interface WAN1 is changed to group WAN <firewall_rules_edit.php?id=1>
- after saving this, <firewall_nat.php> now displays 'WAN' && <firewall_nat_edit.php?id=0> displays 'WAN1' as interface (!= correct); html source of <firewall_nat_edit.php?id=0> shows: <option selected="" value="wan">WAN1</option>

Actions #5

Updated by Bipin Chandra almost 11 years ago

can this be implemented like under NAT port forward page u select the interface group and the pfsense creates same rules under all wan interfaces separately but under NAT port forward just show one entry with the interface group?

Actions #6

Updated by Jason Tackaberry about 6 years ago

I was evaluating pfsense to replace my homebrew Linux router/firewall. I have 3 internet facing interfaces and a large enough number of port forwards that apply to all of them. Interface groups are a great concept indeed but unfortunately they're neutered due the lack of support in NAT rules. With the current solution it appears I would need to maintain each port forward rule in triplicate. Suddenly my iptables bash script doesn't seem so bad. :)

So I'll stick with my Linux router for now, but wanted to chime in on this 8-year-old feature request to say that at least one random guy on the Internet is still interested in it. :)

Actions #7

Updated by Suriname Clubcard almost 2 years ago

Was this ever implemented? Status still "open" after >12 years...

Actions #8

Updated by Marcos M almost 2 years ago

Interface groups may be selected in port forwards, though there isn't a destination selection for "Interface Address" - the selection of "This Firewall (self)" may be useful.

Interface groups may also be selected in Outbound NAT and there is a selection for "Interface Address". This has the effect of SNAT'ing the traffic in a seemingly round-robin way when exiting any of the interfaces within the group. For example, with an interface group of WAN1 and WAN2, traffic may exit WAN1 SNAT'ed as the WAN2 interface address.


Also available in: Atom PDF