Port rewriting
-
I'm trying to remap a public UDP port to a different private port; i.e. 74.1.1.1:12345 -> 192.168.1.1:1000
I've entered the rule and allowed it to generate the linked firewall rule. The rule fails to pass the traffic because apparently NAT fails to remap the port and the rule passes the destination port not the source port which seems to be what is hitting the firewall rule and being rejected.
This instance has been set up and running for years and is now on v2.x. There are many other NAT rules in place that are working fine, though all of them NAT just the address.
Should this work?
-
Actually, I just noticed that I do have another NAT rule that forwards a public port to a different private port and this rule has been in place and working for 4 years - was originally set up under v1.x if that makes a difference. The only material difference between the old rule that works and the new one I just entered is the original rule is TCP and the new one is UDP. Is this a limitation of pfSense?
Is there a way to dump the NAT table to see what the GUI actually set up?
-
So, this does not work:
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port 1024:1030 -> 192.168.20.1
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 1234 -> 192.168.20.1
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 2222 -> 192.168.20.1 port 1234
rdr on bge0_vlan5 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on bge0_vlan2 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on bge0_vlan6 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on bge0_vlan20 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on bge0_vlan30 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on openvpn inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
This does work:
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port 1024:1030 -> 192.168.20.1
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 1234 -> 192.168.20.1
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.2 port = 2222 -> 192.168.20.1 port 1234
rdr on bge0_vlan5 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on bge0_vlan2 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on bge0_vlan6 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on bge0_vlan20 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on bge0_vlan30 inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on openvpn inet proto udp from any to 74.1.1.2 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
Basically, it's not hard to write conflicting rules. I guess pf gets confused, so I had to hang the port alias off a different IP.
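Added example (not part of the thread, and not pfSense or pf code): a small Python model of how pf evaluates the rdr rules posted above. It parses the rule syntax as dumped, applies pf's first-match semantics for translation rules, reports which rules can never match because an earlier rule on the same interface, protocol and destination already covers their whole port range, and returns the translated destination, which is what the filter rules see, since pf translates before it filters. The rule set embedded below is a constructed subset of the "does not work" dump; the treatment of a single redirect port (all matched ports collapse onto it) and of a missing redirect port (port unchanged) is an assumption that holds for the two rule shapes posted here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the rdr rules posted in the thread, one rule per line.
PF_RDR_RULES = """
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port 1024:1030 -> 192.168.20.1
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 1234 -> 192.168.20.1
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 2222 -> 192.168.20.1 port 1234
rdr on bge0_vlan5 inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
rdr on openvpn inet proto udp from any to 74.1.1.1 port = 2222 tag PFREFLECT -> 127.0.0.1 port 19007
"""

# Constructed counter-example: a broad range placed before the specific port.
PF_CONFLICTING_RULES = """
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port 2000:3000 -> 192.168.20.1
rdr on bge0_vlan10 inet proto udp from any to 74.1.1.1 port = 2222 -> 192.168.20.1 port 1234
"""

# Matches only the rule shapes that appear in the dump above (assumption).
RULE_RE = re.compile(
    r"^rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) from any to (?P<dst>\S+) "
    r"port (?:= (?P<port>\d+)|(?P<lo>\d+):(?P<hi>\d+))"
    r"(?: tag (?P<tag>\S+))? -> (?P<rdr_addr>\S+)(?: port (?P<rdr_port>\d+))?$"
)


@dataclass(frozen=True)
class RdrRule:
    iface: str
    proto: str
    dst: str
    lo: int            # first destination port matched
    hi: int            # last destination port matched (== lo for "port = N")
    rdr_addr: str
    rdr_port: Optional[int]   # None means "keep the original port"
    tag: Optional[str]


def parse_rules(text: str) -> List[RdrRule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        if m["port"]:
            lo = hi = int(m["port"])
        else:
            lo, hi = int(m["lo"]), int(m["hi"])
        rdr_port = int(m["rdr_port"]) if m["rdr_port"] else None
        rules.append(RdrRule(m["iface"], m["proto"], m["dst"], lo, hi,
                             m["rdr_addr"], rdr_port, m["tag"]))
    return rules


def translate(rules: List[RdrRule], iface: str, proto: str,
              dst: str, dport: int) -> Tuple[str, int]:
    """First matching rdr rule wins (pf translation rules are first-match).

    Returns the post-NAT destination (addr, port); an unmatched packet is
    returned unchanged. A filter rule intended to pass the redirected
    traffic must match this translated destination, not the public one.
    """
    for r in rules:
        if (r.iface == iface and r.proto == proto and r.dst == dst
                and r.lo <= dport <= r.hi):
            return (r.rdr_addr, r.rdr_port if r.rdr_port is not None else dport)
    return (dst, dport)


def shadowed_rules(rules: List[RdrRule]) -> List[RdrRule]:
    """Rules that can never match because an earlier rule on the same
    interface/proto/destination already covers their entire port range."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.iface == r.iface and earlier.proto == r.proto
                    and earlier.dst == r.dst
                    and earlier.lo <= r.lo and r.hi <= earlier.hi):
                out.append(r)
                break
    return out


RULES = parse_rules(PF_RDR_RULES)
CONFLICTING = parse_rules(PF_CONFLICTING_RULES)

if __name__ == "__main__":
    print("udp 74.1.1.1:2222 on bge0_vlan10 ->",
          translate(RULES, "bge0_vlan10", "udp", "74.1.1.1", 2222))
    print("udp 74.1.1.1:2222 on bge0_vlan5  ->",
          translate(RULES, "bge0_vlan5", "udp", "74.1.1.1", 2222))
    print("shadowed in posted set:", shadowed_rules(RULES))
    print("shadowed in conflicting set:", shadowed_rules(CONFLICTING))
```

Running it shows the posted ordering redirecting 74.1.1.1:2222 on bge0_vlan10 to 192.168.20.1:1234 with nothing shadowed, while the constructed set hides the port-2222 rule behind the 2000:3000 range so the packet reaches 192.168.20.1:2222 instead; that is the kind of ordering conflict worth checking with `shadowed_rules` before blaming the translation itself.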
-
Well, the different IP didn't work either. Sure, the redirect was working. But, ALL of the public traffic MUST use ONE IP address since this is a SIP application that requires header rewriting because of NAT. So, I simply did the port redirect on the destination host which is a Linux box where iptables was much better behaved and actually did what pf wouldn't.
iptables -t nat -A PREROUTING -i vlan20 -p udp --dport 22222 -j REDIRECT --to-port 5060
-
What you're attempting works fine with pf, not enough there to tell you why it isn't working in that case.