Netgate Discussion Forum

    Port forward through another pfSense

      Omikron

      Hi,

      I have a server which is running Proxmox as a hypervisor and a pfSense VM (pfSense A). I have a /29 public subnet which is routed to my main IP.
      Additionally, I have a server which is located at a private household, so with a public IP that changes daily.
      My goal is to achieve getting traffic to and from a public IP on the second server.
      The second server is also running Proxmox and a pfSense VM (pfSense B).

      I have established an OpenVPN tunnel between both hosts; pfSense A is the server, and B acts as the client.

      My goal is now to forward all traffic from a virtual ip on pfsense A to pfsense B, so pfsense B can act like it has a public ip and can port forward to its local hosts.

      Is this setup somehow possible?

        stephenw10 (Netgate Administrator)

        Yes, you should be able to port forward to the OpenVPN IP on pfSense B from pfSense A. No different to how you would forward to a local host behind A.
        The OpenVPN client at B will need to be assigned as an interface so it gets a gateway etc. in order that states are tagged 'reply-to'. Otherwise it will send replies out of its WAN directly, which will obviously fail.

        Steve

          Omikron

          Is it possible to forward the complete port range from 1-65535 to pfSense B, so that the port forwards to hosts connected to pfSense B are managed only from pfSense B itself? Is this possible through a 1:1 NAT or through port forwarding?

            stephenw10 (Netgate Administrator)

            You could do either. 1:1 NAT is probably more appropriate from a public IP not used for anything else.

              Omikron

              Ok, so I've set up a 1:1 NAT, but I'm not able to establish a connection to pfSense B through pfSense A anymore.
              Have I done something wrong?
              pfSense A Rules
              pfsenseA_Rule.png
              pfSense A 1:1
              pfsenseA_1:1.png

              pfSense B Rules
              The OPENVPNTOOMIKRON is the interface I have assigned to the OpenVPN client.
              pfsenseB_Rules_OpenVPN.png

              The OpenVPN tunnel has been established. I have the IP 10.100.100.1 on pfsense A and 10.100.100.2 on pfsense B.
              I am able to ping between those addresses.

                stephenw10 (Netgate Administrator)

                Your firewall rule on pfSense A should be destination 10.100.100.2.

                Incoming traffic hits the 1:1 rule and then the firewall rules.

                Steve

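The chain the thread has arrived at, written out as pf rules the way pfSense generates them from the GUI. This is an added example, not configuration posted in the thread or shipped by pfSense; interface names, the public VIP 203.0.113.10 and the LAN host 192.168.2.10 are assumptions, while the tunnel addresses 10.100.100.1/.2 come from the thread. The two halves live on two different firewalls and are shown together only for reading.

```pf
# ---- pfSense A (public side, OpenVPN server) ----
wan_if  = "vtnet0"          # assumed WAN interface name
vip     = "203.0.113.10"    # one address from the routed /29 (constructed)
pfb_tun = "10.100.100.2"    # pfSense B's tunnel address (from the thread)

# 1:1 NAT: everything arriving for the VIP is rewritten to B's tunnel
# address, and traffic leaving from B's tunnel address is rewritten back
# to the VIP, so B effectively owns the whole port range of the VIP.
binat on $wan_if from $pfb_tun to any -> $vip

# Translation runs before filtering, so the WAN rule must match the
# *translated* destination (10.100.100.2), not the public VIP.  A rule
# with destination $vip never matches anything, which is the symptom
# reported above.
pass in quick on $wan_if inet proto { tcp udp } from any to $pfb_tun keep state

# ---- pfSense B (home side, OpenVPN client assigned as OPENVPNTOOMIKRON) ----
ovpn_if  = "ovpnc1"         # assumed pf name of the OPENVPNTOOMIKRON assignment
pfa_tun  = "10.100.100.1"   # pfSense A's tunnel address (from the thread)
web_host = "192.168.2.10"   # constructed LAN host behind B

# Ordinary port forward: the packet arrives on the tunnel with destination
# 10.100.100.2 and the Internet client's real source address (A does not
# source-NAT into the tunnel).
rdr on $ovpn_if inet proto tcp from any to $pfb_tun port 443 -> $web_host

# reply-to pins the return path of this state to the tunnel gateway.
# Without it B would route the reply by its default route, i.e. out of
# its own WAN with a source address the client never talked to, and the
# connection would never complete.  Assigning the client as an interface
# is what makes pfSense add this clause.
pass in quick on $ovpn_if reply-to ($ovpn_if $pfa_tun) inet proto tcp \
    from any to $web_host port 443 keep state
```

Per-host port forwards are added only on B; A needs no further change when B's LAN layout changes.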
                  Omikron

                  Ah okay, that was the issue. Now I'm able to make port forwards on IPv4.

                  What would be the procedure for IPv6? I have a /64 subnet for the whole pfSense A environment. (So I cannot use the whole subnet for pfSense B.)

                    stephenw10 (Netgate Administrator)

                    Indeed you cannot use a /64 for that. If you can pull a larger prefix from your provider you could potentially use a /64 from that at site B and route it over the VPN.

                    Steve

                      Omikron

                      Okay, so two last questions:

                      1. I assume I can't split up the /64 subnet into, let's say, a /80 for pfSense B.
                      2. Is it possible to forward a port to a host which doesn't have pfSense as its gateway? This would be the case for forwarding, e.g., the SSH port of the hypervisor.

                      Thanks for your time

                        johnpoz (LAYER 8 Global Moderator)

                        @Omikron said in Port forward through another pfSense:

                        Is it possible to forward a port to a host, which doesn't have the pfsense as its gateway?

                        And how would the traffic get back? You would have to add a host route on the device so it knows to send traffic back to pfSense. Or you would have to source NAT the traffic so it looks like it came from pfSense, so the device would send the return traffic back to pfSense.

                        As to splitting a /64 - yeah that would be borked.


                          stephenw10 (Netgate Administrator)

                          Yep, that ^. You can't split a /64 without expecting all sorts of problems.

                          You could set a very specific outbound NAT rule to work around the asymmetric routing you would otherwise have with a device that isn't using pfSense as its gateway. It would be better to avoid it, but if you have no other option it could be done.

                          Steve

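The "very specific outbound NAT rule" from the last two posts, as an added pf example for pfSense B (not configuration from the thread or from pfSense). The Proxmox host address 192.168.2.5 and the interface names are assumptions; the tunnel addresses are the thread's.

```pf
# pfSense B only.  $hv is the Proxmox host on B's LAN whose default gateway
# is NOT pfSense B.  Forwarded SSH traffic would reach it carrying the
# Internet client's source address, so it would answer via its own gateway
# and pf would never see the reply: the asymmetric routing johnpoz describes.
ovpn_if = "ovpnc1"          # assumed pf name of the OPENVPNTOOMIKRON assignment
lan_if  = "vtnet1"          # assumed LAN interface of pfSense B
pfa_tun = "10.100.100.1"
pfb_tun = "10.100.100.2"
hv      = "192.168.2.5"     # constructed address of the hypervisor

# Forward the VIP's SSH port (arriving as 10.100.100.2:22) to the hypervisor.
rdr on $ovpn_if inet proto tcp from any to $pfb_tun port 22 -> $hv

# The workaround: a narrow outbound NAT on LAN that rewrites the SOURCE of
# this one forwarded flow to pfSense B's own LAN address.  The hypervisor
# then sees a connection from a directly attached neighbour and answers on
# the LAN, so the reply hits the existing state and goes back through the
# tunnel.  Scope it to exactly this destination and port: a broader rule
# would hide client addresses for every flow it matched.  Even here the
# hypervisor's auth logs will show pfSense B, not the real client; that
# is the cost Steve is warning about, and why a host whose gateway is
# pfSense B is the better design.
nat on $lan_if inet proto tcp from any to $hv port 22 -> ($lan_if)

pass in quick on $ovpn_if reply-to ($ovpn_if $pfa_tun) inet proto tcp \
    from any to $hv port 22 keep state
```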
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.