Port Forwarding Working, Port Translation Not



  • Hi guys.  I really tried to do my homework.  I have been through the troubleshooting guides, other posts, and tried this on different installs, but I am stumped.  This is something I used to do with DD-WRT, and I have since tried it on 3 different pf installs (meaning I tried going back to vanilla install to rule out anything else).

    I have a truly public IP on the WAN, and LAN is 10.10.10.X.  Using 2.4.0

    I can successfully port forward 80 at the WAN IP to 80 on an internal IP. 
    I can successfully port forward 443 at the WAN IP to 443 on an internal IP.
    I can successfully port forward 3389 at the WAN IP to 3389 on an internal IP.
    You get the picture.

    Now, I CANNOT ssh to non-standard port and TRANSLATE to standard port inside.  Example: ssh -p 22345 <external ip>
    I can SSH successfully to this host from inside the LAN, but not through this translation.  I can even see the systemlog Firewall show a green checkmark, but nothing seems to actually be making it to the server itself.

    Been doing SSH for years.  Nothing is actually reaching the server (when trying to go through the port).  Ironically, I can get shell on pf and ssh just fine using standard port.  The server is running standard port 22.  I was translating fine with a DD-WRT setup prior to putting pf in its place.  As stated above, I can ssh to this server on 22 from inside.  And I could ssh to non-standard port until I switched to pf.

    Here is what I have setup (having gone back and tried different this and thats but none working)
    WAN TCP * * WAN Address  22345  10.10.10.6  22  ssh-rule
    IPv4 TCP * * 10.10.10.6  22  * none  ssh-nat

    I would love some help.  I thought maybe there was an extra step since translation was involved, but nothing I have tried makes a difference, and I couldn't find any documentation that suggested it needed anything more.



  • Have I stumped you all?  :)

    I would love some feedback if anybody has some ideas.


  • Rebel Alliance Global Moderator

    So you're just wanting to hit 22345 on your wan, and then send that to 22 on 10.10.10.6

    Yeah that should work clickity clickity.. You have validated that 22345 is actually hitting your wan?  Maybe it's not allowed out from where you're trying to ssh from?  That would explain why your other standard ports work.  Those are allowed out, but this 22345 is blocked?

    Did you make sure that 22345 was not locked up in a state already?  After you created your forward on pfsense?



  • So here I am again. Same issue. I am embarrassed to say I don't recall how I fixed this last time.
    Same setup. I have a server with two NICs. One is dedicated to pfsense, and the other is out to the LAN. pfsense is a VM on kvm. It works great as a gateway/firewall. I have working port forwarding on standard non-translated ports. If it comes in 80 for my web, it works. If it comes in rdp, it works. But I want to make SSH use a different port.
    I can SSH to internal server on 22 just fine. I can even SSH from pfsense to the server inside. But going across the port translation it will not work.
    I have done this fine by using a dd-wrt router in place of the pfsense. So I know that the ISP is not blocking ports. It is the introduction of pfsense that breaks a working setup.
    Nothing from above is different. I had to move to a different server chassis since the last one kicked the bucket and 'my backup' file seems to be missing. Shame on me. :)
    Are there other settings that will 'get ya'? I even turned off bogon and private network blocks just in case, no different.



  • In Firewall/NAT, edit or create a rule. For Destination Port Range pick Other and enter 22345, in both the From and To sections.

    Under Redirect Target IP, enter the LAN IP and in Redirect Target Port, pick SSH.



  • Thank you teamits. This is exactly what I have. I couldn't think it could be more straightforward than that. However, it just isn't working.



  • When you created it did you have "NAT reflection" set to use the system default, and "Filter rule association" set to "add associated filter rule"? If you did the latter there will be a "Linked rule" icon on the left side of the NAT rules. If you didn't, you need to add a firewall rule on WAN from * to destination of the LAN IP on destination port 22.
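
An added example, not part of the thread or of pfSense itself: a small sh check that a port forward with translation has both halves the post above describes, the rdr and a WAN pass rule written against the translated destination (LAN IP, port 22). The sample rule lines are constructed; vtnet0, 203.0.113.5 and the exact `pfctl` output format are assumptions.

```shell
#!/bin/sh
# Constructed samples standing in for `pfctl -sn` (NAT) and `pfctl -sr` (filter)
# output; vtnet0 and 203.0.113.5 are placeholders, the line format is assumed.
SAMPLE_NAT='rdr on vtnet0 inet proto tcp from any to 203.0.113.5 port = 22345 -> 10.10.10.6 port 22'
SAMPLE_FILTER_OK='pass in quick on vtnet0 inet proto tcp from any to 10.10.10.6 port = ssh flags S/SA keep state label "USER_RULE: NAT ssh-rule"'
SAMPLE_FILTER_BAD='pass in quick on vtnet0 inet proto tcp from any to 10.10.10.6 port = 22345 flags S/SA keep state label "USER_RULE: ssh-nat"'

# Escape dots so an IP address is matched literally by grep -E.
esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_forward NAT_TEXT FILTER_TEXT EXT_PORT INT_IP INT_PORT [SERVICE_NAME]
# Returns 0 if both rules exist, 1 if the rdr is missing, 2 if the rdr exists
# but no pass rule matches the translated destination (internal IP and port).
check_forward() {
    ip=$(esc "$4")
    if ! printf '%s\n' "$1" | grep -Eq "^rdr .* port = $3 -> $ip port $5\$"; then
        echo "no rdr for port $3 -> $4:$5"
        return 1
    fi
    # pf filters after translation, so the pass rule names $4:$5, not EXT_PORT.
    if ! printf '%s\n' "$2" | grep -Eq "^pass in .* to $ip port = ($5|${6:-$5}) "; then
        echo "rdr present, but no pass rule to $4 port $5"
        return 2
    fi
    echo "rdr and pass rule both target $4:$5"
}

# Demo on the constructed samples. On the firewall itself:
#   check_forward "$(pfctl -sn)" "$(pfctl -sr)" 22345 10.10.10.6 22 ssh
check_forward "$SAMPLE_NAT" "$SAMPLE_FILTER_BAD" 22345 10.10.10.6 22 ssh || true
check_forward "$SAMPLE_NAT" "$SAMPLE_FILTER_OK" 22345 10.10.10.6 22 ssh
```

A return of 0 only shows the loaded rules are consistent; whether packets for the external port reach the WAN interface at all is a separate check, for example a packet capture on that interface.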



  • And again, the rule was recreated automatically as it should.

    I keep going back to 'there has to be something fundamentally obvious I am forgetting' that will probably be worthy of a face palm when I find it. I really appreciate your help and attention.

    Yesterday I scrapped it all, did a factory reset, and rebuilt my settings, including trying a different port. I even removed a digit from 22345 to just 2234, no difference. RDP continues to work, but no port translation, only NAT+port forward.

    I've done this for years. Iptables, dd-wrt, even POS linksys or netgear stuff. Pfsense is the only fw I'm having issues with. Same ISP btw.


  • Netgate

    Screenshots.