Netgate Discussion Forum

Simple internal NAT - Can't port forward on internal LAN

NAT
    bgillette
    last edited by Jul 21, 2020, 3:45 PM

    Am using pfSense 2.4.5 on a large home network and trying to do something I would have thought is fairly simple, but can't get it to work.
    I have a NAS on the network that runs many different applications, and because I'm just basically lazy :) I want to be able to open this application running on a high port # by just typing in a host name from any browser device on my LAN. The host name of the NAS is myNAS.mylan.bg and it is running on IP address 192.168.1.5, and pfSense is running on 192.168.1.1. The application I want to get to is running on port 68111. I thought I could just set up a port forwarding rule in pfSense to forward anything on my LAN for port 80 (default) to port 68111 for this IP address, but that doesn't work.
    In the port forwarding rule i have:
    Interface: LAN
    Protocol: TCP
    Source : any/any
    Destination: single host or alias: 192.168.1.5
    Destination port range: other: from: 80 to: 80
    Redirect target IP: 192.168.1.5
    Redirect target port: other: 68111
    NAT reflection: default

    but it's a no go.
    Should this work? I'm fairly new to using pfSense.

      viragomann @bgillette
      last edited by Jul 21, 2020, 4:13 PM

      @bgillette said in Simple internal NAT - Can't port forward on internal LAN:

      the application I want to get to is running on port 68111

      Awesome! My NAS has no more than 65536 ports. 😳

      If the NAS is connected to the same network interface on pfSense as the computer you want to forward to it, forget it and type in the port number or set a browser bookmark.
      Forwarding can only be done properly from one interface to another one.
      Possibly you can do a workaround with masquerading the source IP, but that's a dirty trick in my opinion.

        bgillette
        last edited by Jul 21, 2020, 4:19 PM

        Thanks! Didn't realize that on port forwarding. Thought I could forward any traffic to any port I wanted with port forwarding.
        (I used a different port # for this post for the sake of security.) The port # in reality is much lower.

          akuma1x @bgillette
          last edited by akuma1x Jul 21, 2020, 4:29 PM

          @bgillette said in Simple internal NAT - Can't port forward on internal LAN:

          Thanks! Didn't realize that on port forwarding. Thought I could forward any traffic to any port I wanted with port forwarding.

          You technically CAN do that, but from 1 interface to another different interface. With both the server (NAS) and the other computer on the SAME interface, like @viragomann says, just type the IP address plus the port number.

          As an example, on my LAN network I have a Plex Media Server. To access it from another computer on the same network, I type the following: http://172.16.0.80:32400

          This goes directly to the main Plex screen and lets me do the configuring I would normally do on the server machine itself. Make sense now?

          Jeff

            bgillette
            last edited by Jul 21, 2020, 4:53 PM

            Thanks Jeff, sounds like my setup is similar. The NAS has Plex running on it on 32400, as well as many other applications, all on different ports. The admin console for it is what I am trying to make easy to access for me, but on a non-standard port, as some hacker has my # and I have been changing ports from 80, to 8080, to 4040, etc. for a while and someone still keeps finding those easier ports. So I made the port # for the admin console a high port # and no repeating characters (like 4040) to try and keep it somewhat hidden. Because of this the port # is not very easy to remember.
            On my el-cheapo $100 retail router I could do this with port forwarding, but couldn't get it to work with pfSense.
            Sounds like bookmarking is the only other option.

              akuma1x @bgillette
              last edited by Jul 21, 2020, 5:12 PM

              @bgillette said in Simple internal NAT - Can't port forward on internal LAN:

              Sounds like bookmarking is the only other option.

              Yes, just bookmark the server in your browser(s).

              What do you mean "a hacker has your number"? Do you have your WAN interface open to allow access into your network? If so, this is very bad...

              Jeff

                bgillette
                last edited by Jul 21, 2020, 5:37 PM

                Well, I had my NAS admin exposed so I could access it remotely. For the past few weeks when I log in to it I get the errors about some user from some outside IP address trying to break into the admin application and not entering the correct password. Luckily the password is very difficult. But somehow he/they have found my public-facing IP address and attempt to break in to the admin app on my NAS.

                  akuma1x @bgillette
                  last edited by Jul 21, 2020, 6:33 PM

                  @bgillette Ok, got it.

                  To access an internal LAN machine from the outside (internet) you should really use a VPN server on your pfSense firewall box. Pick either IPsec or OpenVPN; either one will work. IPsec is typically faster and I believe is natively supported on most operating systems (phones included), whereas with OpenVPN you typically have to download/install software first on your device to access your network.

                  There are many guides on the internet, pfSense has them as well, for setting up this type of access. Then, you won't get hackers in your servers and systems, and you don't have to play around with changing port numbers and stuff. By the way, it's REALLY easy for somebody, after they figure out your public-facing IP address, to run a scan for EVERY open port you have. So, there's really no hiding your open ports. You have to use proper firewall tools on the internal side of your internet connection to keep the unwanted people out.

                  Jeff

                    johnpoz LAYER 8 Global Moderator
                    last edited by Jul 21, 2020, 7:18 PM

                    @bgillette said in Simple internal NAT - Can't port forward on internal LAN:

                    Well, I had my NAS admin exposed so I could access it remotely

                    Would never in a million years expose NAS admin to the public internet. If you cannot lock down the forward to a known source IP, say your work, or where you remotely admin from, then VPN in to do your remote administration.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

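Added example, not part of any post in the thread: a small Python audit of port-forward rules for the three problems raised above (an out-of-range port, a forward whose destination sits on the rule's own segment, and a WAN forward open to any source). The dict layout, the /24 LAN mask, the WAN address and port 8443 are assumptions made for illustration, not pfSense's own configuration format.

```python
import ipaddress

# Constructed interface table; the /24 LAN mask and the WAN address
# (RFC 5737 documentation range) are assumptions, not from the thread.
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.1.1/24"),
    "WAN": ipaddress.ip_interface("203.0.113.10/24"),
}

def audit_forward(rule, interfaces=INTERFACES):
    """Return a list of findings for one port-forward rule (hypothetical dict layout)."""
    findings = []
    for key in ("dst_port", "target_port"):
        if not 1 <= rule[key] <= 65535:
            findings.append(f"{key} {rule[key]} is outside 1-65535")
    iface = interfaces[rule["interface"]]
    dst = ipaddress.ip_address(rule["dst"])
    target = ipaddress.ip_address(rule["target"])
    if dst != iface.ip and dst in iface.network:
        # Clients on this segment ARP for dst and reach it directly, so the
        # firewall never sees the packet and the rule is never evaluated.
        findings.append("destination is on the rule's own segment; traffic bypasses the firewall")
    elif dst == iface.ip and target in iface.network:
        # The translated packet reaches the server, but the server answers the
        # client directly from its own address unless the source is rewritten too.
        findings.append("same-segment redirect; replies bypass the firewall without source NAT")
    if rule["interface"] == "WAN" and rule["src"] == "any":
        findings.append("WAN forward open to any source; restrict source or use VPN")
    return findings

# Constructed rules: the one from the first post, and a WAN exposure like the one
# described later in the thread (port 8443 is a placeholder, not from the thread).
LAN_RULE = {"interface": "LAN", "src": "any", "dst": "192.168.1.5",
            "dst_port": 80, "target": "192.168.1.5", "target_port": 68111}
WAN_RULE = {"interface": "WAN", "src": "any", "dst": "203.0.113.10",
            "dst_port": 8443, "target": "192.168.1.5", "target_port": 8443}

if __name__ == "__main__":
    for name, rule in (("LAN_RULE", LAN_RULE), ("WAN_RULE", WAN_RULE)):
        for finding in audit_forward(rule):
            print(f"{name}: {finding}")
```
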
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.