Netgate Discussion Forum

    Arbitrary port forwarding between WAN and LAN subnets

    G.D. Wusser Esq.:

      Quick question: can pfSense do this, and what is the best strategy for configuring something like that?

      Say, I have a whole public IPv4 subnet (with more than one usable IP) on the WAN interface. And I want to arbitrarily route different WAN IP and port combinations to different LAN IP and port combinations. So, a few simplified examples would be as follows (IP addresses are used for illustration only and any matches with real IP addresses are coincidental):

      104.40.155.10:443  196.168.0.1:44301
      104.40.155.11:443  196.168.0.1:44302
      104.40.155.10:25  196.168.0.2:25
      104.40.155.11:25  196.168.0.2:25

      In this example, 196.168.0.1 runs an HTTPS web server that serves two different non-SNI websites that are accessible on the two different IP addresses on the WAN, but on two different port numbers on the same IP on the LAN. At the same time, SMTP traffic on any of the WAN IPs is routed to the one other server on the LAN.

      What is the best way to make something like this work? I was thinking Virtual IPs and Manual Outbound NAT…

      Is the port 25, SMTP, example possible at all with pfSense? If not, I can multihome the SMTP server; but I still want to arbitrarily send different WAN IP:Port combinations around the LAN; in other words, pfSense 1:1 NAT would not fit the purpose.

      Thanks.

    Derelict (LAYER 8, Netgate):

        @G.D.:

        Quick question: can pfSense do this, and what is the best strategy for configuring something like that?

        Say, I have a whole public IPv4 subnet (with more than one usable IP) on the WAN interface. And I want to arbitrarily route different WAN IP and port combinations to different LAN IP and port combinations. So, a few simplified examples would be as follows (IP addresses are used for illustration only and any matches with real IP addresses are coincidental):

        104.40.155.10:443  196.168.0.1:44301
        104.40.155.11:443  196.168.0.1:44302
        104.40.155.10:25  196.168.0.2:25
        104.40.155.11:25  196.168.0.2:25

        Sure. Port forwards.

        In this example, 196.168.0.1 runs an HTTPS web server that serves two different non-SNI websites that are accessible on the two different IP addresses on the WAN, but on two different port numbers on the same IP on the LAN. At the same time, SMTP traffic on any of the WAN IPs is routed to the one other server on the LAN.

        What is the best way to make something like this work? I was thinking Virtual IPs and Manual Outbound NAT…

        Is the port 25, SMTP, example possible at all with pfSense? If not, I can multihome the SMTP server; but I still want to arbitrarily send different WAN IP:Port combinations around the LAN; in other words, pfSense 1:1 NAT would not fit the purpose.

        Thanks.

        VIPs and NAT Port forwards. No problem forwarding different combinations of destination addresses/ports to the same address/port on the inside.

        Outbound NAT is used to masquerade outbound connections. You might need something special there for the mail server, but it depends on the actual application. It all depends on the direction of the connection. For instance it would be difficult to treat outbound mail connections from 196.168.0.2 differently. You would have to do something to differentiate them like an IP alias on the host so the source address is different, etc.

        (If 196.168 is a typo on the inside and you mean 192.168, don't use 196.168)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

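What the pfSense GUI builds underneath from Virtual IPs plus port forwards is a set of ordinary pf translation rules. As an added illustration (hand-written here, not taken from the thread or from pfSense's generated ruleset), this pf.conf fragment expresses the layout discussed above; it assumes em0/em1 as the WAN/LAN interfaces and uses the 196.168.x inside addresses exactly as the poster wrote them:

```pf
# Added example, not from the thread. Interface names are assumptions;
# the addresses are the ones used in the question.
wan_if   = "em0"
lan_if   = "em1"
web_srv  = "196.168.0.1"
mail_srv = "196.168.0.2"
wan_ips  = "{ 104.40.155.10, 104.40.155.11 }"

# The extra public address must exist on the WAN interface before pf can
# answer for it (pfSense: Firewall > Virtual IPs, type "IP Alias").
# Outside pfSense the equivalent is: ifconfig em0 inet 104.40.155.11/24 alias

# Inbound: each WAN address:port pair is forwarded independently (rdr is
# what a pfSense "port forward" becomes). Same inside host, different ports.
rdr on $wan_if proto tcp from any to 104.40.155.10 port 443 -> $web_srv port 44301
rdr on $wan_if proto tcp from any to 104.40.155.11 port 443 -> $web_srv port 44302

# Several outside addresses may share one inside target; no 1:1 NAT needed.
rdr on $wan_if proto tcp from any to $wan_ips port 25 -> $mail_srv port 25

# Outbound: the only lever for the mail server is its source address, so
# pin it to one public IP (keeps PTR/SPF consistent); everything else from
# the LAN masquerades behind the primary address. First matching nat rule wins.
nat on $wan_if from $mail_srv        to any -> 104.40.155.10
nat on $wan_if from $lan_if:network  to any -> 104.40.155.10

# rdr rewrites the destination before filtering, so the pass rules must
# match the translated (inside) address and port, not the public one.
pass in on $wan_if proto tcp from any to $web_srv  port { 44301, 44302 } flags S/SA keep state
pass in on $wan_if proto tcp from any to $mail_srv port 25               flags S/SA keep state
```

On a running pfSense box the generated equivalent can be inspected in /tmp/rules.debug, which is the quickest way to confirm the GUI produced the rdr and nat lines you expected.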