Netgate Discussion Forum

    Port rewriting

      tlum

      I'm trying to remap a public UDP port to a different private port; i.e. 74.1.1.1:12345 -> 192.168.1.1:1000

      I've entered the rule and allowed it to generate the linked firewall rule. The rule fails to pass the traffic because apparently NAT fails to remap the port, and the rule passes the destination port, not the source port, which seems to be what is hitting the firewall rule and being rejected.

      This instance has been set up and running for years and is now on v2.x. There are many other NAT rules in place that are working fine, though all of them NAT just the address.

      Should this work?

        tlum

        Actually, I just noticed that I do have another NAT rule that forwards a public port to a different private port, and this rule has been in place and working for 4 years; it was originally set up under v1.x, if that makes a difference. The only material difference between the old rule that works and the new one I just entered is that the original rule is TCP and the new one is UDP. Is this a limitation of pfSense?

        Is there a way to dump the NAT table to see what the GUI actually set up?

          tlum

          So, this does not work:

          rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port 1024:1030 -> 192.168.20.1
          rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 1234 -> 192.168.20.1
          rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 2222 -> 192.168.20.1 port 1234
          rdr on bge0_vlan5 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on bge0_vlan2 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on bge0_vlan6 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on bge0_vlan20 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on bge0_vlan30 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on openvpn inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007

          This does work:

          rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port 1024:1030 -> 192.168.20.1
          rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 1234 -> 192.168.20.1
          rdr on bge0_vlan10 inet proto udp from any to 74.1.1.2 port = 2222 -> 192.168.20.1 port 1234
          rdr on bge0_vlan5 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on bge0_vlan2 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on bge0_vlan6 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on bge0_vlan20 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on bge0_vlan30 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
          rdr on openvpn inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007

          Basically, it's not hard to write conflicting rules. I guess pf gets confused, so I had to hang the port alias off a different IP.

            tlum
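Rule dumps like the ones above are worth checking mechanically for overlaps, because pf uses the first matching translation rule: a later rdr rule on the same interface, protocol, address and port never fires. The following Python script is an added example, not code from this thread or from pfSense; it assumes the `pfctl -sn` line layout shown in the post, and `parse_rdr`, `find_overlaps` and the extra port-1025 sample rule are constructed for the demonstration.

```python
import re
from typing import Optional

# Layout of one rdr line as pfSense's "pfctl -sn" prints it in the post above
# (assumption: "from any", one destination address, "port = N" or "port A:B").
RDR_RE = re.compile(
    r"rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) from any to (?P<dst>\S+)"
    r"(?: port (?:= (?P<port>\d+)|(?P<lo>\d+):(?P<hi>\d+)))?"
    r"(?: tag \S+)? -> (?P<target>\S+)(?: port (?P<tport>\d+))?"
)

def parse_rdr(line: str) -> Optional[dict]:
    """Fields of one rdr rule, or None for lines that are not rdr rules."""
    m = RDR_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["port"] is not None:          # "port = N": a single port
        lo = hi = int(g["port"])
    elif g["lo"] is not None:          # "port A:B": a port range
        lo, hi = int(g["lo"]), int(g["hi"])
    else:                              # no port clause: every port
        lo, hi = 0, 65535
    return {"line": line.strip(), "iface": g["iface"], "proto": g["proto"],
            "dst": g["dst"], "lo": lo, "hi": hi,
            "target": g["target"], "tport": g["tport"]}

def find_overlaps(lines):
    """(winner, shadowed) pairs: same iface/proto/dst and overlapping ports."""
    # pf applies the first matching rdr rule, so the earlier rule of each pair
    # is the one that actually fires for the overlapping ports.
    rules = [r for r in map(parse_rdr, lines) if r]
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_key = (a["iface"], a["proto"], a["dst"]) == (b["iface"], b["proto"], b["dst"])
            if same_key and a["lo"] <= b["hi"] and b["lo"] <= a["hi"]:
                pairs.append((a["line"], b["line"]))
    return pairs

# Constructed sample: the thread's vlan10 rules plus one extra rule that reuses
# port 1025 from the 1024:1030 range and is therefore shadowed by the first rule.
SAMPLE = [
    "rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port 1024:1030 -> 192.168.20.1",
    "rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 1234 -> 192.168.20.1",
    "rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 2222 -> 192.168.20.1 port 1234",
    "rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 1025 -> 192.168.20.1 port 5060",
]

if __name__ == "__main__":
    for winner, shadowed in find_overlaps(SAMPLE):
        print(f"shadowed: {shadowed}\n      by: {winner}")
```

Run against the rule set the post labels "does not work", it reports nothing: the three vlan10 rules for 74.1.1.1 cover disjoint ports, which is consistent with the later reply that the configuration itself is fine.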

            Well, the different IP didn't work either. Sure, the redirect was working. But ALL of the public traffic MUST use ONE IP address, since this is a SIP application that requires header rewriting because of NAT. So, I simply did the port redirect on the destination host, which is a Linux box, where iptables was much better behaved and actually did what pf wouldn't.

            iptables -t nat -A PREROUTING -i vlan20 -p udp --dport 22222 -j REDIRECT --to-port 5060

              cmb

              What you're attempting works fine with pf; there's not enough there to tell you why it isn't working in that case.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.