Creating relayd relays instead of redirections?
-
No need for relayd there.
Just use a port forward and add an outbound NAT rule on the LAN side that will NAT the traffic heading toward that server to an IP on the LAN (either the firewall's LAN IP, or another VIP you have on the LAN subnet).
EDIT: Note that you'll have to switch to manual outbound NAT in order to add that rule and have it work.
-
Thanks! Do I need a Virtual IP also?
-
Only if you want the traffic to come from a different IP than the LAN IP of the firewall.
You lose the source IP in the process, because of the NAT, so you might want to put that on another IP just so it's easy to distinguish.
-
Not working yet. Can you give me a little more detail on how to accomplish this? I'm trying to forward port 3389 (RDP) to a machine on 192.168.3.6. My pfSense firewall is on 192.168.3.254 with, say, public IP 123.123.123.123. I have selected "AON - Advanced Outbound NAT". I can successfully forward ports to other machines on the LAN as long as they're using the pfSense LAN IP as the default gateway, so I know things are working otherwise.
Is the NAT port forward set up just like any other would be? (interface=WAN, Destination Type=any, redirect port range=3389-3389, redirect target ip=192.168.3.6, target port=3389)
What about the outbound mapping? Should the source and destination types be "any" or "network"? Translation is what? "any"? how about checking that "static port" box?
Thanks!
Andrew
-
You're close. On that last rule, make the source IP and port "any", the destination 192.168.3.0/24, destination port 3389, NAT port "any".
-
Looks like that did it. Thanks a lot for the help!
-Andrew
-
I originally created a port forward to machine "A" on my LAN which uses pfSense as its default gateway. It worked. I next created a port forward to machine "B" which uses a different default gateway and it didn't work. I selected "AON - Advanced Outbound NAT" and added a mapping so the daemon on "B" could be reached. Now A and B both work. I added another port forward to machine "C" which, like box "A", uses pfSense as its default gateway. It didn't work. I can only think this is because with AON selected "no outbound NAT rules will be automatically generated any longer". I presume an outbound rule specific to "A" was automatically generated when I first forwarded to "A" before selecting AON.
Where is that rule held?
If I could see that rule I could more easily duplicate it for "C". Nothing specific to the "A" forward was added to Outbound Mappings so I can only assume it's stored elsewhere.
Thought perhaps I can't access "C" because there is a firewall rule permitting me to hit "A" which is not in place for "C". Took a look and it appears that an identical firewall rule has been automatically generated for each forwarded port.
The Cisco RVS4000 will by default forward ports to machines not using it as the default gateway. Can pfSense (or relayd?) be made to behave that way too?
Thanks,
Andrew
-
Normally when switching from Auto to Manual, it populates the rule list automatically with the equivalent set of rules. On 2.0 it does a much better job of that.
Outbound rules would have only been generated on connections with gateways selected (meaning WAN-types)
-
Is that auto-populating not working? Because the "A" forward was in place when I changed, and the attached image is of the only mappings I see. All my Port Forwards have If=WAN.
-
Then there was no outbound NAT for that. Outbound NAT wouldn't have anything to do with a normal port forward, so it probably wasn't doing any.
-
Just realized that if I change my dest port in my outbound NAT rule to "any" I don't need a rule for each port forward I add. Fantastic. I thought I was going to have to add an outbound entry for each port forward when in fact I just need this one…
-
That will NAT things that may not need it, though, not just things that don't have the gateway set. That's up to you though.
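The rule set the thread converges on, written out as a pf.conf fragment so the two pieces (the WAN port forward from the question and the LAN-side outbound NAT mapping from the reply) can be read side by side, together with the "any destination port" variant from the last two posts. This is an added example, not text from the thread and not the ruleset pfSense itself generates from the GUI; the interface names em0/em1 and the addresses 123.123.123.123, 192.168.3.0/24, 192.168.3.6 and 192.168.3.254 are assumptions taken from the placeholders in the posts.

```pf
# Added example (not from the thread, not pfSense's generated ruleset).
# Assumed interface names and addresses, taken from the posts' placeholders:
wan_if  = "em0"
lan_if  = "em1"
wan_ip  = "123.123.123.123"
lan_net = "192.168.3.0/24"
rdp_srv = "192.168.3.6"

# 1. Port forward (the NAT: Port Forward entry): inbound RDP on WAN goes to
#    the server. Only the destination is rewritten here, so the server still
#    sees the real client source address.
rdr on $wan_if proto tcp from any to $wan_ip port 3389 -> $rdp_srv port 3389

# 2. Manual (AON) outbound NAT on the LAN side, as described in the reply:
#    source IP/port any, destination the LAN subnet port 3389, NAT port any.
#    The source of the forwarded packet becomes the firewall's LAN address, so
#    the server's reply is addressed to pfSense and comes back through it even
#    when the server's default gateway is a different router. Swap ($lan_if)
#    for a LAN VIP (e.g. a spare address in 192.168.3.0/24) to keep NATed
#    connections distinguishable from ones that really come from the firewall.
#    Adding "static-port" would keep the original source port instead of
#    letting pf pick one.
nat on $lan_if proto tcp from any to $lan_net port 3389 -> ($lan_if)

# 2b. The "any destination port" variant from the last post: one mapping
#     covers every port forward. The caveat from the final reply applies:
#     every server on the LAN then sees the firewall's LAN IP as the client
#     for forwarded traffic, including servers that did not need the NAT.
# nat on $lan_if from any to $lan_net -> ($lan_if)

# 3. Filter rule allowing the forwarded traffic in on WAN (pfSense creates
#    the equivalent of this automatically for each port forward).
pass in quick on $wan_if proto tcp from any to $rdp_srv port 3389 keep state
```

The reason rule 2 is needed at all is asymmetric routing: without it, the server at 192.168.3.6 answers the client's real address via its own default gateway, the firewall never sees the reply, and the connection is never completed. The cost is that the server's logs show 192.168.3.254 (or the VIP) instead of the client, which is why the replies suggest a dedicated VIP and why the "any port" shortcut in 2b should be weighed against losing client addresses for servers that already route through pfSense.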