Outbound Nat - redirect website from one IP to another IP

  • Hello everyone,

    Ive decided to migrate our company routers from Debian machine to pfSense machine.
    This is my firts time touching pfSense and I had a little troubles, but mostly Ive managed to set up everything, but with one think Ive still have a problem.

    On old router, Ive got a rule:

    iptables -t nat -I PREROUTING 3 -d xxx.xxx.xxx.xxx/27 -j DNAT –to-destination yyy.yyy.yyy.yyy -m comment --comment "DNAT for staging on f1"

    why we need it.
    if somebody is connecting to www.mycompany.com site from inside our network connection should go through yyy address not xxx. This shows us different version of our website inside our office than outside

    Host in DNS is not an answer. why? Because we have 2 seperate networks for workers and public. Some of our workers change network between those, because they need to see office version of website and "for the rest of the world" version. When we do it through DNS sometimes computer or web browser do not refresh its DNS and its remember old one for this host.

    Ive tried to do it in Firewall > NAT >Outbound


    but only thing that I achieved was that when I was trying to connect to www.mycompany.com i was getting time out, so something was happening. :D

  • The pfSense outbound NAT only does SNAT, but you need DNAT.
    So you have to set a NAT > Port forward rule.
    Just add a new rule, select the appropriate interface where the source computers are attached to and enter the origin destination IP and port and the redirect target address and port.

  • ok, I've erased old one from outbound and created a new one in the port forward like on the screen below

    and still, I`m getting Time Out

    When I change Interface to Public (for now it's where I am testing it) still the same
    when Interface is left on WAN and source is chosen "Public Net" or "Public Addresses" site is loading but outside company version (like there was no forward)
    but when I choose "Network" and type in Address and Mask the same that I use on Public Interface I am getting Time Out

    Am I still missing something or doing some really dumb mistake?

  • OK! I've found the case.

    The problem was causing port range. When was it set from http to https there was a Time Out when I changed it to be only https it started to work.

    Thank you viragomann, for help and explaining exactly port forwarding and outbound in pfsense. Cheers ;)

  • If you set the port range from HTTP to HTTPS, it means all port from 80 to 443. In this case you have to set the redirect target port to HTTP. But that would not be what you intend.

    For your purpose you should add an port alias for HTTP and HTTPS and use this one in the rule. Firewall > Aliases > Ports
    Give it a name like "HTTP_HTTPS" and add the ports 80 and 443. Then you can use this alias name as custom option at Destination port and Redirect target port.

Log in to reply