Netgate Discussion Forum

    Forward specific external IP to Internal IP.

    • GruensFroeschliG
      GruensFroeschli
      last edited by

      ~~This is currently not implemented in the WebGUI.

      I think there was somewhere a thread how you could hack that manually into the pf-config file, but I don't remember where…~~

      I thought this was about source-dependent selection of a different server.
      Ignore the above ^^"

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        It should be possible with normal port forwards, if I'm reading the question properly.

        Just add a Virtual IP address for your additional IPs, and then they will be available under the "External Address" drop-down when making a port forward.

        Pick the external IP, the port(s) for RDP, then type in the internal IP and port you want to go with it, and check the box to add the firewall rule. Should be pretty straightforward.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • V
          Vorkbaard
          last edited by

          You can do this by making 1:1 mappings. First, go to Firewall, Virtual IPs and make a CARP entry for each external IP you have.

          Like this:

          Type: CARP
          Interface: WAN
          IP Address(es): Address: [your external IP here] / 32 (/32=one address)
          Virtual IP Password: just make something up here
          VHID Group: make something up. I use a unique group for all my addresses. Not sure what this does but how I do it, it works for me :)
          Advertising Frequency: 0
          Description: not parsed, enter a sensible description here

          Then go to Firewall, NAT, 1:1
          Make a new entry. Interface: WAN
          External Subnet: [your external IP address here] / 32
          Internal Subnet: 192.168.1.1 (your internal machine)
          Description: some description

          Then enter a firewall rule to allow RDP traffic from the external address to internal:
          Firewall, Rules (not NAT!), WAN
          Enter your allow-rule here.

          Good luck :)

          /edit
          jimp is also right, you can use NAT to map an external IP different than the external IP of the pfSense box. I did it the way I did because I wanted the external machines to have the complete IP address, so they would be pingable from outside.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            @Vorkbaard:

            You can do this by making 1:1 mappings. First, go to Firewall, Virtual IPs and make a CARP entry for each external IP you have.

            This should work with any type of VIP, not just CARP, and 1:1 isn't really needed either unless you want the outbound traffic from those servers to also appear to originate from the external IPs you are working with.

            1 Reply Last reply Reply Quote 0
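The difference between the two approaches in this thread, sketched in raw pf.conf syntax as an added example (not from any poster, and not the ruleset pfSense itself generates). Assumed values: interface `em0`, `203.0.113.72` standing in for the additional external IP, and a constructed admin source range `198.51.100.0/24`; `192.168.1.2` is the internal host from the thread and 3389 is the standard RDP port.

```pf
# --- Macros (all values except rdp_host are constructed for illustration) ---
wan_if   = "em0"              # assumed WAN interface name
ext_vip  = "203.0.113.72"     # placeholder for the additional external IP (the VIP)
rdp_host = "192.168.1.2"      # internal machine, as in the thread
rdp_src  = "198.51.100.0/24"  # assumed: networks allowed to reach RDP

# --- Option A: port forward (what jimp describes) ---
# Only inbound TCP/3389 addressed to the VIP is rewritten to the internal host.
# Outbound traffic from 192.168.1.2 still leaves via the normal outbound NAT
# address, not via the VIP.
rdr on $wan_if inet proto tcp from $rdp_src to $ext_vip port 3389 -> $rdp_host port 3389

# --- Option B: 1:1 NAT (what Vorkbaard describes) ---
# Bidirectional mapping: every protocol and port on the VIP maps to the
# internal host, and the host's outbound traffic is sourced from the VIP.
# Use instead of Option A when outbound must appear to come from the VIP.
binat on $wan_if inet from $rdp_host to any -> $ext_vip

# --- Filter rule (needed with either option) ---
# Translation happens before filtering, so the destination to match is the
# internal address, not the VIP. With 1:1 NAT this rule is the only thing
# limiting exposure to RDP, because binat itself maps all ports.
pass in quick on $wan_if inet proto tcp from $rdp_src to $rdp_host port 3389 flags S/SA keep state
```

Limiting the source of the pass rule is a choice made for this example; the thread itself only says to add an allow rule for RDP.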
            • V
              Vorkbaard
              last edited by

              @jimp:

              @Vorkbaard:

              You can do this by making 1:1 mappings. First, go to Firewall, Virtual IPs and make a CARP entry for each external IP you have.

              This should work with any type of VIP, not just CARP, and 1:1 isn't really needed either unless you want the outbound traffic from those servers to also appear to originate from the external IPs you are working with.

              Indeed, I need traffic from those servers to appear to originate from their specific IPs :) Should have mentioned that - it's just how I got it working.

              1 Reply Last reply Reply Quote 0
              • J
                joemcgivern
                last edited by

                Hi All,

                Many thanks for the response.

                I have tried to add the VIP but when I add a CARP address I get the following error.

                Sorry, we could not locate an interface with a matching subnet for 89.xx.1xx.72/32. Please add an ip in this subnet on a real interface.

                Any ideas ?

                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  CARP VIPs have to be in the same subnet as your WAN. If you have IPs in a different subnet, use Proxy ARP or "Other" type VIPs.

                  1 Reply Last reply Reply Quote 0
                  • J
                    joemcgivern
                    last edited by

                    I have now added it in as Proxy ARP.

                    I have a NAT going from VIP to 192.168.1.2 but it still brings me to 192.168.1.1

                    I have also tried setting the VIP as "Other".

                    Do I need to restart the PF?

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      It might help to see a screen capture of your port forward screen, someone might be able to spot an issue. A screen capture of the port forward editing screen for that rule wouldn't hurt, either.

                      1 Reply Last reply Reply Quote 0
                      • J
                        joemcgivern
                        last edited by

                        JPEG of screen dump attached.

                        NAT.JPG

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          What about the other view? (the list of port forwards)

                          1 Reply Last reply Reply Quote 0
                          • J
                            joemcgivern
                            last edited by

                            port forward

                            ![port forward.JPG](/public/imported_attachments/1/port forward.JPG)

                            1 Reply Last reply Reply Quote 0
                            • V
                              Vorkbaard
                              last edited by

                              Did you create the corresponding firewall rule?

                              1 Reply Last reply Reply Quote 0
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.