Arbitrary port forwarding between WAN and LAN subnets



  • Quick question: can pfSense do this, and what is the best strategy for configuring something like that?

    Say, I have a whole public IPv4 subnet (with more than one usable IP) on the WAN interface. And I want to arbitrarily route different WAN IP and port combinations to different LAN IP and port combinations. So, a few simplified examples would be like follows (IP addresses are used for illustration only and any matches with real IP addresses are coincidental):

    104.40.155.10:443  ->  196.168.0.1:44301
    104.40.155.11:443  ->  196.168.0.1:44302
    104.40.155.10:25   ->  196.168.0.2:25
    104.40.155.11:25   ->  196.168.0.2:25

    In this example 196.168.0.1 runs an HTTPS web server that serves two different non-SNI websites that are accessible on the two different IP addresses on the WAN, but on two different port numbers on the same IP on the LAN. At the same time SMTP traffic on any of the WAN IPs is routed to the one other server on the LAN.

    What is the best way to make something like this work? I was thinking Virtual IPs and Manual Outbound NAT…

    Is the port 25, SMTP, example possible at all with pfSense? If not, I can multihome the SMTP server; but I still want to arbitrarily send different WAN IP:Port combinations around the LAN; in other words pfSense 1:1 NAT would not fit the purpose.

    Thanks.


  • Netgate

    @G.D.:

    Quick question: can pfSense do this, and what is the best strategy for configuring something like that?

    Say, I have a whole public IPv4 subnet (with more than one usable IP) on the WAN interface. And I want to arbitrarily route different WAN IP and port combinations to different LAN IP and port combinations. So, a few simplified examples would be like follows (IP addresses are used for illustration only and any matches with real IP addresses are coincidental):

    104.40.155.10:443  ->  196.168.0.1:44301
    104.40.155.11:443  ->  196.168.0.1:44302
    104.40.155.10:25   ->  196.168.0.2:25
    104.40.155.11:25   ->  196.168.0.2:25

    Sure. Port forwards.

    In this example 196.168.0.1 runs an HTTPS web server that serves two different non-SNI websites that are accessible on the two different IP addresses on the WAN, but on two different port numbers on the same IP on the LAN. At the same time SMTP traffic on any of the WAN IPs is routed to the one other server on the LAN.

    What is the best way to make something like this work? I was thinking Virtual IPs and Manual Outbound NAT…

    Is the port 25, SMTP, example possible at all with pfSense? If not, I can multihome the SMTP server; but I still want to arbitrarily send different WAN IP:Port combinations around the LAN; in other words pfSense 1:1 NAT would not fit the purpose.

    Thanks.

    VIPs and NAT Port forwards. No problem forwarding different combinations of destination addresses/ports to the same address/port on the inside.

    Outbound NAT is used to masquerade outbound connections. You might need something special there for the mail server, but it depends on the actual application. It all depends on the direction of the connection. For instance it would be difficult to treat outbound mail connections from 196.168.0.2 differently. You would have to do something to differentiate them like an IP alias on the host so the source address is different, etc.

    (If 196.168 is a typo on the inside and you mean 192.168, don't use 196.168)
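
    The mapping from the question, written out as the pf rules that pfSense generates from the GUI (Virtual IPs on WAN, Firewall > NAT > Port Forward, and manual Outbound NAT). This is an added illustration, not configuration from either poster or from Netgate; the interface names, the second address on the mail host and the choice of which WAN address each server masquerades behind are assumptions, and 196.168.0.x is kept exactly as posted.

    ```pf
    # Constructed example of the pf rules behind the pfSense GUI settings
    # discussed above. Interface names and the mail host's second address
    # (mail_alias) are assumptions; 196.168.0.x is kept as the poster wrote it.
    ext_if     = "em0"
    int_if     = "em1"
    wan_a      = "104.40.155.10"     # WAN interface address
    wan_b      = "104.40.155.11"     # must exist as an IP Alias VIP on WAN
    web        = "196.168.0.1"
    mail       = "196.168.0.2"
    mail_alias = "196.168.0.3"       # second address added on the mail host

    # --- Inbound: NAT port forwards (Firewall > NAT > Port Forward) ---------
    # pf uses first-match for rdr, so each WAN address:port pair gets its own
    # rule; two WAN addresses can land on the same or different inside ports.
    rdr pass on $ext_if proto tcp from any to $wan_a port 443 -> $web port 44301
    rdr pass on $ext_if proto tcp from any to $wan_b port 443 -> $web port 44302
    rdr pass on $ext_if proto tcp from any to { $wan_a, $wan_b } port 25 \
        -> $mail port 25

    # --- Outbound: manual Outbound NAT (Firewall > NAT > Outbound) ---------
    # Outbound NAT only sees the connection's source address, so traffic from
    # 196.168.0.2 cannot be split by "which WAN IP it was reached on". To send
    # some outbound mail from the second WAN address, the host needs a second
    # source address (the IP alias), and that alias gets its own rule.
    nat on $ext_if from $mail_alias to any -> $wan_b
    nat on $ext_if from $mail       to any -> $wan_a
    # Everything else on the LAN masquerades behind the primary WAN address.
    nat on $ext_if from 196.168.0.0/24 to any -> $wan_a

    # Inside filter rule so the forwarded sessions are allowed through the LAN side.
    pass out quick on $int_if proto tcp to { $web, $mail } keep state
    ```

    Outbound mail from the mail host then leaves from $wan_a unless the application is bound to the alias address, which is the "do something to differentiate them" step in the reply.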