[SOLVED] Source port rewriting: possibility to limit range?

[alh]

I use OPNsense behind a stateless firewall. I noticed that the source port randomization does not stick to the ephemeral port range (e. g. TCP 32768-65535) but seems to be using anything > 1024 (FreeBSD AFAIK uses 49152-65535 only).  So I was wondering if there is a possibility to set the port range that can be used as ephemeral port range in OPNsense or if I need to disable source port rewriting or open up the whole range (>1024) in the stateless firewall. Thanks for your input.

[Monviech (Cedrik)]

Do you mean the source port randomization of NAT Overload (aka MASQ, Outbound NAT, SNAT)?

I think you can put something like 50000:60000 as range in "Translation / Port" in a manual "Firewall: NAT: Outbound rule" to limit the NAT pool to this range. But I never did it before, the configuration seems to accept it though.

[meyergru]

If you want to set it globally, have a look at: "sysctl net.inet.ip.portrange".

However, be aware that the ancient portrange of 49152-65535 has been abolished around FreeBSD 11.1 for a good reason, as with firewalls, you probably need more ephemeral ports for NAT and other purposes.

[alh]

Thanks a lot for your reply. I will play with this a little bit and feedback here.

[alh]

Both options do the job. Thanks a lot.