Redirect to specific host according to port

  • Good morning pfSense community,

    It's my first post here, I'm a pfSense novice so sorry I couldn't find a post that matches what I was looking for. Maybe I was searching with the wrong terms in the Search field.

    I did install pfSense and my virtual machines are successfully passing through it to have internet access. The portal works perfectly and I could also create rules to test on my lab environment.

    What I'm trying to achieve is:

    • Whenever someone outside my network wants to access my machines via RDP, it must specify the hostname and port. Ex: SERVER01:3389
    • If a different port is specified, it goes to the respective host. Ex: SERVER01:3390 points to SERVER02:3389

    How do I achieve this? Via DNS Resolver? I tried HAProxy, but couldn't accomplish it.

    Thank you very much!

  • NAT / port forwarding is your answer.

    You would need to port forward port X to SERVER01:3389, port Y to SERVER02:3389

    In their RDP connection they'd need to put your WAN-IP:X or Y in the computer logon details.

    NAT makes the decision on dst IP and port, hence two different ports hitting the WAN interface.

    TBH you'd be better setting up a VPN server on your WAN router, so they could connect via VPN then just connect to the server.

  • Hi NogBadTheBad,

    Thanks for the answer, I could accomplish this RDP solution for both servers using different ports and it went smoothly.
    Both servers do deliver a website using ports 80 and 443 but only one of them is serving.

    What I did try:

    • A new forwarding port rule from 5443 to 5443 that uses https to serve the site from SERVER01.
    • A new forwarding port rule from 443 to 443 that uses https to serve the site from SERVER02

    Each one has their own specific rule to forward the same way I did to RDP tests. But only SERVER02 works properly.
    Is there something else I must do?


  • Try creating a NAT that states
    From anywhere (really you should limit this if you can and not leave it open to the world)
    From any port
    Destined for your WAN IP
    Destined at the port you want people to use (ie 5443)
    Redirect Target IP is the IP of the internal server
    Redirect Target port is the port to access on the internal server.

    If you leave the ports as default on your servers inside the network and just let NAT do the translation things are easier.
    Make sure to access similar to https://wan.ip.addr:5443 from outside the network.  Inside the network it would be https://lan.ip.addr
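
Added example, not part of any post in this thread: a Python sketch that reads the port forwards from a pfSense `config.xml` backup, shows which internal host each WAN port lands on, and flags RDP forwards left open to any source, as the answer above advises against. The `<nat><rule>` element layout is assumed from typical backups, and the IP addresses and sample rules are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <nat> section of a config.xml backup (layout assumed).
# Internal IPs and the allowed source address are made up for the example.
SAMPLE = """<pfsense><nat>
 <rule><source><any/></source>
  <destination><network>wanip</network><port>3389</port></destination>
  <target>192.168.1.11</target><local-port>3389</local-port></rule>
 <rule><source><address>203.0.113.10</address></source>
  <destination><network>wanip</network><port>3390</port></destination>
  <target>192.168.1.12</target><local-port>3389</local-port></rule>
 <rule><source><any/></source>
  <destination><network>wanip</network><port>5443</port></destination>
  <target>192.168.1.11</target><local-port>443</local-port></rule>
 <rule><source><any/></source>
  <destination><network>wanip</network><port>443</port></destination>
  <target>192.168.1.12</target><local-port>443</local-port></rule>
</nat></pfsense>"""

def load_forwards(xml_text):
    """Parse each port forward into a dict; ports stay strings (may be aliases)."""
    rules = []
    for r in ET.fromstring(xml_text).iterfind("./nat/rule"):
        src = r.find("source")
        rules.append({
            "wan_port": r.findtext("destination/port"),
            "target": r.findtext("target"),
            "local_port": r.findtext("local-port"),
            "source_any": src is not None and src.find("any") is not None,
        })
    return rules

def resolve(rules, wan_port):
    """Internal (ip, port) that a connection to the WAN port is redirected to."""
    for r in rules:
        if r["wan_port"] == str(wan_port):
            return r["target"], r["local_port"]
    return None

def audit(rules, sensitive=("3389",)):
    """Flag duplicate WAN ports and sensitive services reachable from any source."""
    findings, seen = [], set()
    for r in rules:
        if r["wan_port"] in seen:
            findings.append(f"WAN port {r['wan_port']} is forwarded more than once")
        seen.add(r["wan_port"])
        if r["source_any"] and r["local_port"] in sensitive:
            findings.append(f"WAN port {r['wan_port']} exposes {r['target']}:{r['local_port']} to any source")
    return findings

if __name__ == "__main__":
    for line in audit(load_forwards(SAMPLE)):
        print(line)
```
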

  • Thank you very much Stewart! This topic is now solved! :)
