Netgate Discussion Forum
Re: Specifying Source in NAT rule

kextyn:

Resurrecting an old topic here, but this is the most recent topic I can find on this subject (out of 2 topics…). I want to forward all traffic from a specific source IP to a LAN IP. I know only a handful of people would need this, but I just happen to be in there. So has any work been done on a feature to support this?

Specifically, this is what I want to do:
http://www.dslreports.com/forum/r22707381-

I'm assuming that even putting the Actiontec on the DMZ and only allowing traffic from www36.verizon.com to that interface with a rule wouldn't work.
GruensFroeschli:

What you want is different from the original thread and should be no problem.
Just create the normal port forward and modify the corresponding firewall rule to only allow your specified source IP.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
kextyn:

I could be wrong, but I don't think that's going to work. If I create a NAT rule it would basically forward all traffic except port 80 to the one IP. I don't have a source port, only a source IP.
GruensFroeschli:

Where are you creating a port forward?

In a normal port forward you specify:
IP on which the pfSense listens (external IP)
Port on which the pfSense listens (external port (range))
IP to which the pfSense forwards (internal IP)
Port to which the pfSense forwards (internal port (range))

Your external client accesses the external IP of the pfSense with the external port.
You normally don't forward "every port except 80".

When you create such a NAT rule, usually (if you check the according checkbox) a firewall rule corresponding with the NAT rule will be auto-created with:
source_IP: any
source_port: any
destination_IP: internal_server_IP
destination_port: internal_server_port

You can now change this rule so it looks like:
source_IP: your_allowed_external_IP
source_port: any
destination_IP: internal_server_IP
destination_port: internal_server_port

Like this, there will be a NAT forwarding for "everyone", but the firewall ensures that only your allowed IP can actually use this forward.

Or could you show a screenshot of how you configured it?
kextyn:

I was under the impression that NAT forwarding and rules worked sort of independently of each other. So if I create a port forward for all traffic but port 80 to go to a single LAN IP, it would send it all there regardless of what the firewall rules stated. But then the firewall would kick in and block anything not coming from www36.verizon.com (assuming I have the firewall rules set up to block all but what I want on that IP), and the traffic from any other location wouldn't know where to go. If this will work I'll try it, but in my head it just doesn't make sense.

I want all traffic from www36.verizon.com (except port 80) to be redirected to a single LAN IP. But the NAT forwarding is pretty useless in this case because you can't specify where the traffic is coming from, only what port it's going to. I guess it would have to be like a reverse proxy filtering all traffic from that address.
GruensFroeschli:

Well yes, they work independently of each other.
But it still means: you need to forward traffic (by the NAT rule) AND you need to allow it (by the firewall rule).

Think of it as two layers.
Layer 1 modifies the packets. This is NAT. This happens regardless of whether the traffic is allowed. Layer 1 doesn't care about what it modifies.
Layer 2 checks if the packets are allowed. This is the firewall. This is applied to each packet going through the pfSense.
Hagabard:

Here is what I would like to do when specifying source in a NAT rule:

IF: WAN
Proto: TCP
Source: aliasORsubnetORipaddress
Ext Port range: 22
NAT IP: 192.168.1.x
Int Port range: 22
Description: redirect specific IPs to 192.168.1.x

IF: WAN
Proto: TCP
Source: *
Ext Port range: 22
NAT IP: 192.168.1.y
Int Port range: 22
Description: redirect unknown ips to 192.168.1.y

Thus redirecting specific IPs/hosts (good place for an alias) to one SSH server (as an example, with PermitRootLogin=yes for backup or other fun stuff) and everything else to another SSH server, without having to specify ports (with corresponding rules in pfSense) from the command line.

I don't think I can do this (since source is not a NAT option), but it sure would seem like it should be an option.
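As an added example that is not part of any post in this thread, and not pfSense's own generated configuration: the two-layer model GruensFroeschli describes (translation first, filtering second) and the source-based redirect Hagabard asks for, written as rules for the pf packet filter that pfSense drives. pfSense normally writes these rules from the GUI; the raw syntax is shown here only to make the ordering visible. The interface name, the addresses and the table contents are constructed placeholders. One fact the thread does not state: at the pf level, rdr rules do accept a source match and are evaluated first-match, so the two-rdr pair below does what Hagabard describes even though the GUI discussed in the thread had no Source field for NAT rules.

```pf
# Constructed example, not from the thread or from pfSense's generated rules.
ext_if = "em0"                       # WAN interface (assumed name)
srv_a  = "192.168.1.10"              # stands in for 192.168.1.x
srv_b  = "192.168.1.20"              # stands in for 192.168.1.y

# A pfSense alias becomes a pf table; these entries are constructed.
table <trusted_src> { 198.51.100.7, 203.0.113.0/24 }

# --- Layer 1: translation (NAT). Rewrites the destination of matching
# packets before any filter rule runs, and does NOT decide whether the
# packet is allowed. Translation rules are first-match, so trusted sources
# take the first rdr and everyone else falls through to the second.
rdr on $ext_if proto tcp from <trusted_src> to ($ext_if) port 22 -> $srv_a port 22
rdr on $ext_if proto tcp from any           to ($ext_if) port 22 -> $srv_b port 22

# --- Layer 2: filtering (firewall). Evaluated after translation, so the
# destination seen here is the internal address, exactly as the auto-created
# pfSense rule shows (destination_IP: internal_server_IP).
block in log on $ext_if
pass in quick on $ext_if proto tcp from <trusted_src> to $srv_a port 22 keep state
pass in quick on $ext_if proto tcp from any           to $srv_b port 22 keep state

# Single-server variant (GruensFroeschli's advice): keep only one rdr, written
# "from any ... -> $srv_a", and only the first pass rule. The rdr still rewrites
# everyone's packets, but the filter drops every source except <trusted_src>.
```

Reading the two layers together explains kextyn's objection: a packet from an unknown source is indeed rewritten toward the internal host in layer 1, but because the pass rule in layer 2 names the source, that rewritten packet never passes, so the NAT "for everyone" is harmless. Logging on the block rule (`block in log`) is what lets you confirm this in the firewall log rather than assuming it.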
GruensFroeschli:

Yes, it's not possible to NAT to different servers based on the source.
But this is something else than originally described in this thread.

Why would you need this?
Why can't you forward externally on a different port to the correct internal port?
kextyn:

That's exactly what I need to do, Hagabard. The reason I have to do it like that is because I can't find a definitive answer on how to get remote DVR to work without using the Verizon Actiontec router as my primary router in its unmodified state. The linked post in my first post here is the only one I can find where someone has done it successfully. If I knew exactly which ports were used I'd just forward those. But I can't really test it much at the moment because I'm having issues with 1.2.3 on my ALIX.
Hagabard:

@GruensFroeschli:

Yes, it's not possible to NAT to different servers based on the source.
But this is something else than originally described in this thread.

Why would you need this?
Why can't you forward externally on a different port to the correct internal port?

Oh, I can; it would just be nice (fewer options on the rsync command line and so on).

Sorry for the thread jacking!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.