Internal port redirect
-
Newbie question.
I'm trying to set up pfSense to redirect a port for a Dashy self-hosted dashboard.
The port Dashy is listening on is 4000, and I want to access it from my LAN on port 80, i.e. http://dashy.lan
It is only accessible internally from my LAN and does not have any open ports on my WAN.
I've tried using the NAT port forwarding but can't get the damned thing to work. I know I need NAT reflection and I've tried NAT + Proxy and Pure NAT.
I have reflection turned on in System -> Advanced -> Firewall & NAT.
http://dashy.lan:4000 works fine.
All the help topics and YouTube videos are about accessing internal ports from external devices but that's not what I am after.
Can anyone help?
-
@Scarecrow4798 said in Internal port redirect:
The port dashy is listening on is 4000 and I'm wanting to access it from my LAN on port 80 i.e. http://dashy.lan
Why don't you just set it to listen on port 80?
-
@Scarecrow4798 NAT reflection is never going to work unless dashy.lan resolves to a pfSense IP. Normally NAT reflection is used for stuff that resolves to your public IP, and there is no way to have the client use an FQDN that resolves to your local IP.
HAProxy could also be used, but again dashy.lan would have to resolve to a pfSense IP vs. just the local IP you have Dashy running on.
I am with @viragomann: why not just have it listen on 80 if that is the port you want to use?
Or why does it matter what port? Just create a bookmark that points to it with the port. For example, I run a dashboard docker (Heimdall) and my bookmark just points to where it's running: http://nas.home.arpa:8056/
-
As I'm still learning, it's more a proof of concept, so if it comes up on another port I know how to configure everything correctly.
dashy.lan does resolve to a pfSense IP: http://10.0.1.11
-
@Scarecrow4798 said in Internal port redirect:
its more a proof of concept
You cannot reflect what pfSense doesn't see. If dashy.lan resolves to say 192.168.1.100, pfSense's IP is 192.168.1.1, and its WAN is say 1.2.3.4:
When your client on 192.168.1.50 tries to go to dashy.lan on 192.168.1.100, pfSense would never see this traffic to reflect it. If you want to reflect, dashy.lan would have to resolve to an IP on pfSense that it could reflect, or to an IP that goes through pfSense so it could redirect it. And if you don't change the reflection source IP to be pfSense, you're most likely going to run into an asymmetrical issue, because 192.168.1.100 will send the traffic right to 192.168.1.50 vs. sending it back to pfSense to send back to .50.
As to the concept of reflection, it is an abomination to networking IMHO. It can be used as a last-resort workaround when the client is forced to use say public DNS and cannot resolve an FQDN to the local address, or if it uses hardcoded IPs that go outside or to the pfSense WAN IP. But in general you should avoid reflection or proxy when accessing resources that are local to the network you're on.
If your service cannot listen on a standard port, say HTTP 80 or 443 for HTTPS, and you cannot run say an actual webserver that handles the host headers and serves up the specific site based on the FQDN being accessed, or even say a 301 that tells the client "hey, you're trying to access http://dashy.lan, go here: http://dashy.lan:4000",
then the simple solution is just to use a bookmark that includes your oddball port in the URL.
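For the "actual webserver that handles the host headers" option mentioned above, here is what that looks like on the Dashy host itself, as an added example that is not part of the thread. It assumes nginx is installed on 10.0.1.11 and owns port 80, and that Dashy is bound to 127.0.0.1:4000; pfSense is not involved at all, which is the point: the client talks to dashy.lan:80 directly and no NAT or reflection is needed.

```nginx
# Added example, not from the thread. Runs on the Dashy host (10.0.1.11), not on pfSense.
# Assumptions: nginx listens on 80, Dashy is bound to 127.0.0.1:4000.
server {
    listen 80;
    server_name dashy.lan;      # selected by the Host header, so other names can get
                                # their own server block on the same IP and port

    location / {
        proxy_pass         http://127.0.0.1:4000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

# The other option from the post: no proxying, just a 301 that sends the browser
# to the real port. Use one or the other for dashy.lan, not both.
# server {
#     listen 80;
#     server_name dashy.lan;
#     return 301 http://dashy.lan:4000$request_uri;
# }
```

With the proxy variant, Dashy's own logs still see the real client address via X-Forwarded-For; with the 301 variant the client ends up on :4000 in the address bar, so it only saves typing the port once.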
-
I'm getting a little lost.
my PC is 10.0.1.9
pfSense 10.0.1.1/22
dashy 10.0.1.11
dashy.lan resolves to 10.0.1.11
WAN 192.168.0.2
pfSense has a DHCP server handing out IP addresses.
-
@Scarecrow4798 said in Internal port redirect:
my pc is 10.0.1.9
pfsense 10.0.1.1/22
dashy 10.0.1.11
So if .9 wants to talk to dashy at .11, that traffic would never be seen by pfSense, so how could it ever "reflect" it or redirect it in any way?
-
Damn it, that makes sense.
Would the best way of doing it then be to move dashy to another interface? VLAN?
-
@Scarecrow4798
You can also achieve this if both are on the same interface, but dashy.lan has to resolve to the pfSense LAN address and you have to translate the source address to avoid asymmetrical routing, as mentioned.
And since you don't forward dashy on WAN, as I understood, there is nothing to reflect. So you would have to create a port forwarding for it on the LAN.
So dashy.lan points to the pfSense LAN IP by your internal DNS.
Then add a port forwarding rule to LAN:
destination: LAN address, port: 80
redirect target: 10.0.1.11, port 4000
For the source translation, go to outbound NAT, enable the hybrid mode and save this.
Add a rule on LAN:
source: any
destination: 10.0.1.11, port 4000
translation: interface address
-
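The two GUI rules from the post above, written out as the pf rules pfSense generates from them, as an added illustration that is not from the thread. The addresses are the ones given in the thread (pfSense LAN 10.0.1.1, Dashy 10.0.1.11); the LAN interface name em1 is an assumption, check Status -> Interfaces for the real one.

```pf
# Added example, not from the thread. Interface name em1 is an assumption.

# Port forward on LAN: a client opens http://dashy.lan (= 10.0.1.1) on port 80,
# pf rewrites the destination to Dashy on 10.0.1.11:4000 before routing.
rdr on em1 proto tcp from any to 10.0.1.1 port 80 -> 10.0.1.11 port 4000

# Outbound NAT on LAN (the hybrid-mode rule): rewrite the client's source address
# to the pfSense LAN address. Without this, Dashy on .11 would answer the client
# on .9 directly on the same segment, the client would see a reply from .11:4000
# for a connection it opened to .1:80, and drop it (asymmetric path).
nat on em1 proto tcp from any to 10.0.1.11 port 4000 -> 10.0.1.1

# The redirected packet still has to pass the LAN filter; pfSense adds this when
# "Add associated filter rule" is selected on the port forward.
pass in quick on em1 proto tcp from any to 10.0.1.11 port 4000
```

To check it on the box: `pfctl -sn` lists the translation rules, and `pfctl -ss | grep 4000` shows the state entries for a connection in flight. The caveat of the source translation is that Dashy only ever sees 10.0.1.1 as the client, so its logs lose the real client address; that is the price of making the reply go back through the firewall.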
@Scarecrow4798 said in Internal port redirect:
Would the best way of doing it then be to move dashy to another interface? VLAN?
Sure, if this dashy was on a different network that routes through pfSense, you could redirect the traffic to a different port.
Seems like a lot of trouble that could be solved with a simple :port on your bookmark ;)