Netgate Discussion Forum

Port forwarding from external IP to another external IP

14 Posts 4 Posters 7.3k Views
  • R
    ronniesmonasoutlook.com
    last edited by Apr 17, 2017, 8:05 PM

    Hi,

    I'm not sure if this topic should be in Multi WAN or NAT, so I'm posting it here.

    I'm new to PFSense and not sure if this can be done. I have seen some 2+ years old posts related to this topic but no solution is mentioned. Here's my situation.

    I have a pfSense instance with 1 NIC; let's say its public IP is 1.1.1.1.

    I have a web server instance that is not on the local network and is hosted somewhere else, with public IP 2.2.2.2.

    VPN is not an option on these IPs. I'm trying to configure pfSense so that all traffic arriving on ports (80, 443, 20, 21, 22) on IP 1.1.1.1 is forwarded to 2.2.2.2 on the same ports.

    I am able to do it with the socat utility using the following command:

    socat TCP-LISTEN:80,fork TCP:2.2.2.2:80

    but it's a small utility and no proper daemon/service is available for it. The only other option is iptables, but I really like the pfSense GUI and I can use it for VPN as well.

    Can someone please help?

    • I
      isolatedvirus
      last edited by Apr 19, 2017, 3:28 PM

      The pfSense GUI would allow this with a port forward. You'll need to set a rule for EVERY port you wish to forward.

      Go to NAT > Port Forward.

      Set destination IP (1.1.1.1), destination port, redirect target ip (2.2.2.2), redirect target port.

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Apr 19, 2017, 3:50 PM

        Why would you not just go to 2.2.2.2 directly? At a loss as to why you would want/need to do something like this.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • R
          ronniesmonasoutlook.com
          last edited by Apr 20, 2017, 11:07 PM

          Thanks guys, but I have created the NAT and it still does not work. Does this also require other firewall rules or some other specific configuration?

          It seems like a simple port forward for port 80, but the browser sits there for a while and then displays "page can't be displayed", as if the site cannot be loaded. It works when I go direct.

          Any suggestions?

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Apr 21, 2017, 5:23 AM

            "It works when I go direct."

            Which is what you should be doing. Here is where you have a problem.

            Your client is talking to 1.1.1.1; that is where he sent data. 1.1.1.1 sends this data on to 2.2.2.2, but 2.2.2.2 is going to directly answer the sender, let's call that 3.3.3.3... Why would 3.3.3.3 accept the answer from 2.2.2.2 when he sent data to 1.1.1.1?

            For your thing to work you would have to not just forward the traffic, you would need to source NAT it so that 2.2.2.2 sends data back to 1.1.1.1, which sends it back to 3.3.3.3.

            In a typical port forward, 3.3.3.3 sends to 1.1.1.1, which sends it on to 192.168.1.100; 192.168.1.100 talks back to 3.3.3.3 via 1.1.1.1, so to 3.3.3.3 he is only talking to 1.1.1.1.

            For your thing to work, all traffic would have to go through 1.1.1.1, even the answer from 2.2.2.2.

            It makes no sense to do what you're doing.

            If you want users to be redirected to 2.2.2.2 when talking to 1.1.1.1, have 1.1.1.1 on port 80 send them a 301 or 302 in the http request; this tells them "hey, this site has moved, go talk to the FQDN of what 2.2.2.2 is listening on". 3.3.3.3 would then directly talk to 2.2.2.2.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • D
              Derelict LAYER 8 Netgate
              last edited by Apr 21, 2017, 5:54 AM

              You could maybe do that using OpenVPN with pfSense on both sides. But as far as a hairpin port forward, no.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • I
                isolatedvirus
                last edited by Apr 21, 2017, 6:09 AM

                @Derelict:

                You could maybe do that using OpenVPN with pfSense on both sides. But as far as a hairpin port forward, no.

                I've never seen it done with OpenVPN; I would definitely enjoy an example. Could you PM me the example or post it here if it's not too off topic?

                As far as hairpinning, you can absolutely do it. I used to hairpin my VPN connection for an always-on VPN setup, but I've recently changed to just doing host overrides in DNS to make it easier.

                • D
                  Derelict LAYER 8 Netgate
                  last edited by Apr 21, 2017, 7:01 AM

                  Trouble is the reply traffic.

                  You could have an OpenVPN set up between the sites with the remote public IP address as a remote network. Then port forward the outside:port to that address:port.

                  On the other side you would need to have an assigned interface on the OpenVPN to take advantage of reply-to, so replies would go back through OpenVPN and the states would work.

                  Chances are the forwarded destination is just a port forward anyway, so all this "forward this WAN to that WAN" is moot. You just need to forward connections into this WAN over OpenVPN to that LAN. OpenVPN works great there with reply-to.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • R
                    ronniesmonasoutlook.com
                    last edited by Apr 21, 2017, 11:59 AM

                    Thanks guys,

                    Just wanted to mention that the reason I'm doing this is to hide the identity of 2.2.2.2, the other IP address on the internet where this site's port 80 is hosted.

                    I would like 1.1.1.1 to be the main IP for some of my domains. Unfortunately, VPN is not an option at the moment.

                    Is there any better way of doing it other than port forwarding?

                    I have seen the socat Linux utility do that before, but it's limited to a single port forward per session, and I have multiple IPs and ports.

                    Ron

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Apr 21, 2017, 12:29 PM

                      Wow, you have a public IP on the internet, but you want to hide it from the public internet... yet still use it to host stuff??

                      The weirdest tinfoil hat logic I have ever heard ;)

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • I
                        isolatedvirus
                        last edited by Apr 22, 2017, 10:23 PM

                        @Derelict:

                        Trouble is the reply traffic.

                        You could have an OpenVPN set up between the sites with the remote public IP address as a remote network. Then port forward the outside:port to that address:port.

                        On the other side you would need to have an assigned interface on the OpenVPN to take advantage of reply-to, so replies would go back through OpenVPN and the states would work.

                        Chances are the forwarded destination is just a port forward anyway, so all this "forward this WAN to that WAN" is moot. You just need to forward connections into this WAN over OpenVPN to that LAN. OpenVPN works great there with reply-to.

                        Outbound NAT solves the reply traffic issue you're speaking of.

                        Firewall rule: allow inbound port 80 to destination host 2.2.2.2
                        Port forward rule: port forward ANY source going to destination WAN IP, destination port 80, to host 2.2.2.2 port 80
                        Outbound NAT: WAN interface, NAT source ANY, destination 2.2.2.2, to WAN IP.

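To make the reply-path argument concrete, here is an added simulation (my own illustration, not code from this thread or from pfSense) of the exchange johnpoz describes between 3.3.3.3, 1.1.1.1 and 2.2.2.2, with the three rules isolatedvirus lists modelled as a port forward plus an optional outbound NAT. The addresses and the fixed source port 40000 are constructed; the model keeps the client's source port unchanged through NAT, which is a simplification of what pf actually does. It shows why the client drops the reply when only a port forward is in place, why outbound NAT makes the state match, and what the server sees as the connection's source in each case.

```python
from dataclasses import dataclass, replace

# Constructed addresses, following the thread's example topology.
CLIENT = "3.3.3.3"   # the end user
WAN_IP = "1.1.1.1"   # pfSense WAN address
SERVER = "2.2.2.2"   # the remote web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Client:
    """Stateful end host: it only accepts a reply matching a connection it opened."""

    def __init__(self, ip):
        self.ip = ip
        self.states = set()

    def connect(self, dst, dport, sport=40000):
        self.states.add((self.ip, sport, dst, dport))
        return Packet(self.ip, sport, dst, dport)

    def accepts(self, reply):
        # Valid only if the reply comes from the address:port this host sent to.
        return (reply.dst, reply.dport, reply.src, reply.sport) in self.states


class Firewall:
    """Port forward WAN_IP:80 -> SERVER:80, with or without outbound NAT on WAN."""

    def __init__(self, wan_ip, target, outbound_nat):
        self.wan_ip = wan_ip
        self.target = target
        self.outbound_nat = outbound_nat
        self.states = {}  # client source port -> original client address (simplified state table)

    def forward(self, pkt):
        # Pass rule + port forward: only traffic to WAN_IP:80 is accepted and redirected.
        if pkt.dst != self.wan_ip or pkt.dport != 80:
            return None
        self.states[pkt.sport] = pkt.src
        out = replace(pkt, dst=self.target)
        if self.outbound_nat:
            # Outbound NAT on WAN: rewrite the source to the WAN IP so the server replies to us.
            out = replace(out, src=self.wan_ip)
        return out

    def unforward(self, reply):
        # Reply from the server arriving on WAN: undo both translations from state.
        if reply.src != self.target or reply.dport not in self.states:
            return None
        return Packet(self.wan_ip, reply.sport, self.states[reply.dport], reply.dport)


class Server:
    def __init__(self, ip):
        self.ip = ip
        self.seen_sources = []

    def respond(self, pkt):
        self.seen_sources.append(pkt.src)
        # The server answers whatever source the packet carried; routing delivers it there.
        return Packet(self.ip, pkt.dport, pkt.src, pkt.sport)


def simulate(outbound_nat):
    """Run one request/reply through the topology and report what happened."""
    client = Client(CLIENT)
    fw = Firewall(WAN_IP, SERVER, outbound_nat)
    server = Server(SERVER)

    reply = server.respond(fw.forward(client.connect(WAN_IP, 80)))
    # Without outbound NAT the reply is addressed to 3.3.3.3 and never touches 1.1.1.1.
    via_firewall = reply.dst == WAN_IP
    if via_firewall:
        reply = fw.unforward(reply)
    return {
        "server_saw_source": server.seen_sources[0],
        "reply_via_firewall": via_firewall,
        "client_accepts_reply": client.accepts(reply),
    }


if __name__ == "__main__":
    print("port forward only:          ", simulate(outbound_nat=False))
    print("port forward + outbound NAT:", simulate(outbound_nat=True))
```

Running it shows the trade-off the thread ends up discussing: with the port forward alone the server replies straight to 3.3.3.3 from 2.2.2.2 and the client discards a packet from a peer it never contacted; with outbound NAT the reply comes back through 1.1.1.1 and matches the client's state, but the server now logs every visitor as 1.1.1.1.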
                        • D
                          Derelict LAYER 8 Netgate
                          last edited by Apr 23, 2017, 1:03 AM

                          Port forwarding in and out the same interface is hokey, at best.

                          Also lost is the source address of the end user at the destination site.

                          Might not matter to OP.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Apr 23, 2017, 9:36 AM

                            Can you say hairpin, can you say /2 bandwidth, can you say pointless in such a scenario..  Because he wants to hide his public IP?? WTF???

                            Why not just host whatever he is doing at IP 1.1.1.1?? Uses less bandwidth this way, clients get better response, no hokey/borked setup, and they don't know about IP 2.2.2.2 ;) which seems to be the goal.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            • I
                              isolatedvirus
                              last edited by Apr 24, 2017, 4:25 AM

                              Update:

                              This has been solved and can be closed.

                              @johnpoz:

                              Can you say hairpin, can you say /2 bandwidth, can you say pointless in such a scenario..  Because he wants to hide his public IP?? WTF???

                              Why not just host whatever he is doing at IP 1.1.1.1?? Uses less bandwidth this way, clients get better response, no hokey/borked setup, and they don't know about IP 2.2.2.2 ;) which seems to be the goal.

                              Yes, this would be a hairpin. It would halve the throughput, but the load on said link is negligible. I really don't feel like arguing semantics, so I'm just going to leave it at: hairpinning works just fine in pfSense.

                              He's unable to host locally, and the ultimate goal was to allow web servers to be dynamically provisioned and accessed without requiring constant DNS changes.

                              While it's possible to NAT the traffic, there were other constraints that would not be met doing it this way. The answer was setting up a reverse proxy, which also adds the benefit of acting as an accelerator.
