[SOLVED] Source port rewriting: possibility to limit range?

Started by alh, November 03, 2023, 09:18:36 AM

I use OPNsense behind a stateless firewall. I noticed that the source port randomization does not stick to the ephemeral port range (e.g. TCP 32768-65535) but seems to be using anything > 1024 (FreeBSD AFAIK uses 49152-65535 only). So I was wondering if there is a possibility to set the port range that can be used as the ephemeral port range in OPNsense, or if I need to disable source port rewriting or open up the whole range (> 1024) in the stateless firewall. Thanks for your input.

Do you mean the source port randomization of NAT Overload (aka MASQ, Outbound NAT, SNAT)?

I think you can put something like 50000:60000 as the range in "Translation / Port" in a manual "Firewall: NAT: Outbound" rule to limit the NAT pool to this range. But I never did it before; the configuration seems to accept it, though.
Hardware:
DEC740

If you want to set it globally, have a look at: "sysctl net.inet.ip.portrange".

However, be aware that the ancient portrange of 49152-65535 has been abolished around FreeBSD 11.1 for a good reason, as with firewalls, you probably need more ephemeral ports for NAT and other purposes.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
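The two approaches the replies above describe (an explicit port pool on a manual Outbound NAT rule, and the global net.inet.ip.portrange sysctls) both come down to picking a range and making sure it sits inside what the upstream stateless filter allows. The following script is an added example, not code from the thread or from OPNsense: it parses sysctl-style output for the current range, validates a candidate range, checks whether it fits inside the range permitted upstream, and prints the sysctl commands and the pf nat rule line that a manual Outbound NAT rule with "Translation / Port" set to that range corresponds to. The sample sysctl output is constructed (post-11.1 FreeBSD defaults), and the interface em0, the network 192.168.1.0/24 and the range 50000-60000 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check an ephemeral/NAT source port range
# and show where it would be applied on a FreeBSD/OPNsense box. Interface,
# network and range values are assumptions for illustration.

# Constructed sample of `sysctl net.inet.ip.portrange` output from a post-11.1
# FreeBSD host (first=10000, last=65535). Embedded so the script runs offline;
# on a real box pipe the output of: sysctl net.inet.ip.portrange
SAMPLE_SYSCTL='net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023'

# current_range: read sysctl-style text on stdin, print "first last".
current_range() {
    awk -F': ' '$1=="net.inet.ip.portrange.first"{f=$2}
                $1=="net.inet.ip.portrange.last"{l=$2}
                END{print f, l}'
}

# validate_range FIRST LAST: print "ok" if 1024 <= FIRST <= LAST <= 65535,
# otherwise print the reason and return 1.
validate_range() {
    first=$1; last=$2
    case "$first$last" in
        *[!0-9]*|"") echo "error: ports must be numeric"; return 1 ;;
    esac
    if [ "$first" -lt 1024 ]; then
        echo "error: first port $first is in the privileged range"; return 1
    fi
    if [ "$last" -gt 65535 ]; then
        echo "error: last port $last exceeds 65535"; return 1
    fi
    if [ "$first" -gt "$last" ]; then
        echo "error: first port $first is above last port $last"; return 1
    fi
    echo ok
}

# range_within FIRST LAST ALLOW_FIRST ALLOW_LAST: "yes" if [FIRST,LAST] lies
# inside the range the upstream stateless filter permits, else "no".
range_within() {
    if [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]; then echo yes; else echo no; fi
}

# sysctl_commands FIRST LAST: the sysctl invocations that set the global range
# (persist them as tunables so they survive a reboot).
sysctl_commands() {
    printf 'sysctl net.inet.ip.portrange.first=%s\nsysctl net.inet.ip.portrange.last=%s\n' "$1" "$2"
}

# pf_nat_rule IFACE SRCNET FIRST LAST: a pf outbound NAT rule with an explicit
# port pool, which is what a manual Outbound NAT rule with "Translation / Port"
# set to FIRST:LAST amounts to.
pf_nat_rule() {
    printf 'nat on %s from %s to any -> (%s) port %s:%s\n' "$1" "$2" "$1" "$3" "$4"
}

demo() {
    set -- $(printf '%s\n' "$SAMPLE_SYSCTL" | current_range)
    echo "current ephemeral range: $1-$2"
    echo "fits an upstream filter allowing 32768-65535? $(range_within "$1" "$2" 32768 65535)"
    validate_range 50000 60000 && sysctl_commands 50000 60000
    pf_nat_rule em0 192.168.1.0/24 50000 60000
}

demo
```

Note that the two mechanisms cover different traffic: the sysctls govern connections the firewall itself originates, while the pf port pool governs the source ports chosen for NATed client traffic; to keep everything inside the upstream filter's range, both have to be set.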

Thanks a lot for your reply. I will play with this a little bit and give feedback here.