Port forwarding on LAN only



  • Hi,

    I was wondering whether it is possible to configure the firewall according to the scenario below:

    A MySQL server runs on 192.168.1.101:3306. Due to a hardware error 192.168.1.101 is down; there is a backup mirror on 192.168.1.108. The firewall or gateway should be set up to forward requests for 192.168.1.101:3306 to 192.168.1.108:3306 on the LAN.

    I've tried on the firewall (2.4.1-RELEASE (amd64)) but my attempts failed.



  • Traffic on the same subnet doesn't hit the firewall.  Your LAN clients are talking directly to your SQL server.  pfSense isn't involved at all.



  • @KOM:

    Traffic on the same subnet doesn't hit the firewall.  Your LAN clients are talking directly to your SQL server.  pfSense isn't involved at all.

    Oh, I see. I thought pfSense was handling all LAN traffic as the gateway. Without MySQL's High Availability it's not possible to do with pfSense, huh?


  • Put the MySQL server on a different subnet from the clients and port forward it to your heart's desire. The port forward rule would go on the interface(s) the clients are on.

    Anything accomplishing the same with the server on the same subnet as the clients is an ugly hack.

    1. Create a Virtual IP address on the LAN interface for 192.168.1.101/24

    2. Place a port forward on LAN forwarding 192.168.1.101:3306 to 192.168.1.108:3306

    3. Be sure firewall rules on LAN will pass the traffic from LAN to LAN (they probably already will)

    4. Check the Static route filtering - Bypass firewall rules for traffic on the same interface in System > General, Firewall & NAT

    5. Cross your fingers and ping-pong the traffic around
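    The five steps above only work because step 1 makes the gateway answer ARP for 192.168.1.101; the client never routes through pfSense for an on-link address. The following Python model is an added illustration (this editor's code, not the poster's or Netgate's, and not pfSense configuration) of that forwarding decision and of the "ping-pong" in step 5: the backup server replies to whatever source address it saw, so unless the gateway also rewrites the client's source address (modelled here as an outbound NAT rule on LAN, an assumption of the model), the reply goes straight from .108 to the client and the client's TCP stack rejects it. The gateway address 192.168.1.1, the client 192.168.1.50 and the off-LAN address 203.0.113.10 are constructed.

```python
"""Model of a same-subnet ("hairpin") port forward: why client traffic only
reaches the gateway through the Virtual IP, and why the reply path matters.
Added illustration, not pfSense code; addresses other than the thread's
.101 and .108 are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.1.0/24")       # constructed: the LAN from the thread
CLIENT = IPv4Address("192.168.1.50")      # constructed: a database client
GATEWAY = IPv4Address("192.168.1.1")      # assumption: pfSense LAN address
VIP = IPv4Address("192.168.1.101")        # failed server's address, now a VIP on the gateway
BACKUP = IPv4Address("192.168.1.108")     # the backup mirror
INTERNET = IPv4Address("203.0.113.10")    # constructed: an off-LAN destination
PORT = 3306


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


def next_hop(dst: IPv4Address, net: IPv4Network = LAN, gateway: IPv4Address = GATEWAY) -> str:
    """A host's forwarding decision: on-link destinations are ARPed for and
    delivered directly; anything else is handed to the default gateway."""
    return "direct" if dst in net else f"via {gateway}"


def simulate(outbound_nat: bool) -> dict:
    """Walk one MySQL SYN from CLIENT to VIP through the gateway's port forward
    and follow the reply.  outbound_nat=True models an outbound NAT rule on the
    LAN interface that rewrites the client's source to the gateway's address."""
    # Who answers ARP on the LAN: the VIP makes the gateway answer for .101.
    arp_owner = {CLIENT: CLIENT, GATEWAY: GATEWAY, VIP: GATEWAY, BACKUP: BACKUP}

    syn = Packet(CLIENT, VIP, 40000, PORT)
    # .101 is on-link, so the client never routes via the gateway; it reaches
    # pfSense only because the VIP makes pfSense answer ARP for .101.
    if next_hop(syn.dst) != "direct" or arp_owner[syn.dst] != GATEWAY:
        raise RuntimeError("VIP must be on-link and owned by the gateway")

    # Port forward: destination NAT .101:3306 -> .108:3306 (step 2 in the post).
    # Optional outbound NAT: rewrite the source so the backup replies to the gateway.
    forwarded = Packet(GATEWAY if outbound_nat else syn.src, BACKUP, syn.sport, syn.dport)

    # The backup answers whatever source it saw; that reply is on-link as well.
    reply = Packet(BACKUP, forwarded.src, PORT, forwarded.sport)
    reply_via_gateway = arp_owner[reply.dst] == GATEWAY

    if reply_via_gateway:
        # The gateway reverses both translations: the client sees .101 answering.
        seen = Packet(VIP, CLIENT, PORT, syn.sport)
    else:
        # The reply bypasses the gateway and arrives straight from .108, untranslated.
        seen = reply

    # A TCP stack only matches a reply whose source is the address it connected to.
    accepted = seen.src == syn.dst and seen.dst == syn.src and seen.sport == syn.dport
    return {"reply_path": "gateway" if reply_via_gateway else "direct",
            "client_accepts": accepted}


if __name__ == "__main__":
    print("203.0.113.10 ->", next_hop(INTERNET))
    print("without outbound NAT:", simulate(False))
    print("with outbound NAT:   ", simulate(True))
```

    Running it shows the two outcomes side by side: without source rewriting the reply comes back "direct" and the client does not accept it; with it, both directions pass through the gateway and the connection completes. That is the asymmetry behind the "ugly hack" remark, and it is the first thing to check (packet capture on the client: does the SYN-ACK arrive from .101 or from .108?) when the forward appears to do nothing.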



  • I thought pfSense was handling all LAN traffic as the gateway

    Traffic that is non-local gets directed to the gateway.  Think of it this way:  If you want to talk to someone in your company, you just go talk to them directly.  If you want to talk to someone at a different company, you need to call them on the phone and go through reception first or go to their building and get past security.

