Non-NAT port redirection



  • Is it possible to do non-NAT port redirection? Say I have a node on my LAN, 192.168.0.5, and a node on my OPT1, 10.0.0.10. The 192.168.0.5 is running a server on port 80. I want 10.0.0.10 to be able to connect to 192.168.0.5 on port 8080 (not 80) but then have pfSense redirect the port to the proper 80? Is there a way to have pfSense translate this port to 80 for me without changing any source or destination addressing (e.g. the 192.168.0.5 node will see a source address of 10.0.0.10).


  • LAYER 8 Netgate

    Yes. A port forward on your OPT1 interface.

    Note that port forwards map destination addresses/ports, not source addresses/ports.

    Try a rule like this:

    ![Screen Shot 2016-08-10 at 11.18.24 PM.png](/public/imported_attachments/1/Screen Shot 2016-08-10 at 11.18.24 PM.png)


  • LAYER 8 Global Moderator

    What is the use case for this? Why would you not just run http on 192.168.0.5 on both 80 and 8080 if you want to connect to it on 8080?

    While, sure, stuff like that can be done, the why is the question. It makes no sense to do that; why not just access it on the standard port 80? If you want to use 8080, then run on that, or run on both, etc.



  • I need to do something similar to this, but with NAT… The reason I am replying to this thread is because I have tried the standard way to do redirection and it doesn't work as I expected.

    First, use case... Some Ph.D. is convinced that changing the inbound port to his SSH server from 22 to some random high number will provide him more security, and no matter what you tell him he still believes it. Therefore, since he gripes if he can access the server on port 22 (which he checks), you have to configure the "super-secret" high port on the firewall. Stupid, I know.

    This was easy on my previous firewall (Dell Sonicwall) - firewall rules let me redirect ports directly in the rule.  In pfSense, if I create a port forward for the "super-secret" port, the firewall still has to create a rule to allow the standard port through, otherwise the "super-secret" port doesn't work either.  Is there some option I am missing to make this work?  Allow SSH through the "super-secret" port then redirect it to the standard port once it traverses the firewall.

    Again, stupid, but must be done.


  • LAYER 8 Netgate

    Firewall rules are checked after NAT happens, so if you want outside SSH connections listening on, say, WAN Address:8022 and the SSH server is on 192.168.0.1:22, then that's what you do. Yes, the firewall rule will be for 192.168.0.1:22, but on the outside (which is all any sane person would care about) it will be WAN address:8022.

    He should be using a VPN for that instead of a port forward anyway.



  • Agree with all of that.  I just have to put on this security theater for him.  I may retry convincing him that port obfuscation is useless.

    I may just have this set up wrong… but when I set this up, I could also get to the SSH server via port 22, in addition to the high port.  I'll go back and review my rules before posting again.

    We just brought our pfSense boxes into production this week, so I am still learning the ins and outs.

    Thanks!


  • LAYER 8 Netgate

    Yeah. You did something extra if you could also get at port 22 from the outside.

    If you have a port forward for WAN_address:22 to 192.168.1.100:22 and a port forward for WAN_address:8022 to 192.168.1.100:22, a single firewall rule on WAN with a destination of 192.168.1.100:22 will pass them both. The "real" IP address and port of the destination server is what is passed in the firewall rules. All the port forwards that get to that point are what they are.
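
The two situations discussed in this thread (the OPT1 port 8080 to 80 redirect with the source address untouched, and the WAN 8022 to 22 forward whose filter rule matches the translated destination) written out as the underlying pf rules. This is an added editor example, not something posted in the thread and not the ruleset pfSense itself generates from the GUI; the interface names (em0 as WAN, em1 as OPT1) and the 10.0.0.0/24 OPT1 subnet are assumptions, the addresses are the ones used in the posts.

```pf
# Added example, not from the thread or from pfSense's generated rules.
# Assumed: em0 = WAN, em1 = OPT1, OPT1 subnet 10.0.0.0/24.
wan      = "em0"
opt1     = "em1"
opt1_net = "10.0.0.0/24"

# Default deny, as pfSense does: anything not passed below is dropped.
block in all

# --- Case 1: OPT1 host connects to 192.168.0.5:8080, server listens on :80 ---
# rdr rewrites only the destination port. The source (e.g. 10.0.0.10) is left
# alone, so the server sees the real client address. No outbound NAT involved.
rdr on $opt1 inet proto tcp from $opt1_net to 192.168.0.5 port 8080 -> 192.168.0.5 port 80

# Filter rules are evaluated after translation, so the pass rule must name the
# translated destination (port 80), not the port the client typed (8080).
pass in quick on $opt1 inet proto tcp from $opt1_net to 192.168.0.5 port 80 \
    flags S/SA keep state

# --- Case 2: SSH reachable on WAN_address:8022, server at 192.168.1.100:22 ---
rdr on $wan inet proto tcp from any to ($wan) port 8022 -> 192.168.1.100 port 22

# This one pass rule matches EVERY forward whose translated destination is
# 192.168.1.100:22. WAN_address:22 stays closed only because no rdr exists for
# it: an inbound packet to ($wan):22 is never translated, so it does not match
# this rule and hits the block above.
pass in quick on $wan inet proto tcp from any to 192.168.1.100 port 22 \
    flags S/SA keep state

# The "something extra" from the thread: adding this second rdr makes
# WAN_address:22 work as well, because the pass rule above matches the
# translated destination. Leave it out if 22 must stay closed on the outside.
# rdr on $wan inet proto tcp from any to ($wan) port 22 -> 192.168.1.100 port 22
```

To check what is actually loaded on a pfSense box, `pfctl -sn` lists the translation (rdr) rules and `pfctl -sr` the filter rules; if a forward for WAN port 22 shows up in `pfctl -sn` next to the 8022 one, that is why port 22 was still reachable from outside.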


  • LAYER 8 Global Moderator

    Security through Obscurity is not Security!

    What it might do is reduce the noise in your log, since you won't see all the bot traffic probing on 22 and trying to see if your ssh is open with user/password, etc.

    If this guy wants to be secure, I would move him to vpn to be able to ssh in with MFA that makes him jump through like 15 hoops and has 5 seconds to enter his code, and then he has to ssh from the box you let him into through 2 other boxes inside to get to the box he wants to get to ;)

    Then he will feel secure ;) And make sure his passwords change every 3 days.. And he has to get a new cert for his vpn connection every other day..

