Need help with port forward



  • I just upgraded to 1.2.2 and I was previously able to configure pfsense 1.2.1 to port forward specific ports to specific ip addresses and not fully open these ports to all computers on my lan. What I would like to do is have say port 1234 only forwarded to say 192.168.1.5 and no other lan addresses. I used the shields-up website to test the firewall after initial configuration and it reported that all my port forwards were open to any lan computer I tested.

    Am I forgetting something in the setup?



  • That's kind of impossible.
    You cannot forward the same port to multiple devices in an NATed setup.

    Are you sure your test isn't flawed?
    Could you elaborate what your rules are? (screenshots of firewall-rules, and nat-rules) and also a description how your test works would be great :)



  • The shields up test is just testing connectivity to your public IP, it's not telling you that it's accessible to that particular internal computer you're running it from. It's impossible to open a port to multiple inside machines. The host you're running the test from isn't relevant for that test.



  • I probably wasn't too clear. I can successfully port forward to any lan ip and it works perfect, but my issue is that from a computer on my lan that has no port forward directed to it, it shows open ports (the same ports from any port forward rules I set up using these steps http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F) when scanned by a port scanner from the wan side (i.e. shields up website). I now realize that the port scan must be showing the open port on the router and not the actual computer used for the test. I have a dlink DGL-4300 that I can configure with a port forward setup that is identical to the pfsense setup and I can perform the exact port scan test and show no open/closed ports on the test computer. So does this mean that the dlink must handle NAT differently?

    I will admit that I'm a novice with pfsense and maybe I shouldn't expect it to work exactly like the dlink router.
    Is there a way to configure a port forward that will be handled like the dlink router I have? I thought that my previous install of pfsense 1.2.1 worked the way the dlink will, using static port setup in AON.



  • The DLink will work precisely the same way, it's testing connectivity to your WAN IP, which will be the same from any computer inside your network. The remote site doesn't know or care what PC you're initiating the test from. The connectivity will only be to the internal host you have specified in the port forward, it's impossible to open the same port to multiple hosts with a single public IP.
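To make the point of the two replies above concrete, here is a small model of inbound destination NAT (added example, not code from this thread or from pfSense). It uses constructed addresses: 203.0.113.10 as the public WAN IP and 192.168.1.x hosts on the LAN. The lookup that decides where an inbound packet goes keys only on the public IP and port, so the LAN host that asked the remote scanner to probe never enters into it; and two forwards for the same public port collide, which is why the same port cannot be open to several inside hosts at once.

```python
from dataclasses import dataclass

WAN_IP = "203.0.113.10"  # constructed public address for the example

# Constructed LAN inventory: which (proto, port) each inside host actually listens on.
LAN_SERVICES = {
    "192.168.1.5": {("tcp", 1234)},
    "192.168.1.20": set(),  # a workstation with nothing listening
}


@dataclass(frozen=True)
class PortForward:
    proto: str
    wan_port: int
    target_ip: str
    target_port: int


def build_rdr_table(rules):
    """Index forwards by (proto, wan_port).

    A single public IP:port can be redirected to exactly one inside host, so a
    second rule for the same key is a configuration error, not a second target.
    """
    table = {}
    for rule in rules:
        key = (rule.proto, rule.wan_port)
        if key in table:
            raise ValueError(
                f"{rule.proto}/{rule.wan_port} is already forwarded to "
                f"{table[key].target_ip}:{table[key].target_port}"
            )
        table[key] = rule
    return table


def translate_inbound(table, proto, dst_ip, dst_port):
    """Return the (ip, port) an inbound packet is delivered to, or None if it is dropped.

    Only the packet's destination (the WAN IP and port) is consulted.
    """
    if dst_ip != WAN_IP:
        return None
    rule = table.get((proto, dst_port))
    if rule is None:
        return None
    return (rule.target_ip, rule.target_port)


def external_probe(table, proto, port, initiated_from):
    """Model a ShieldsUp-style probe of WAN_IP:port.

    `initiated_from` is the LAN host that opened the test page. It is accepted
    only to show that the result does not depend on it: the scanner connects to
    the public IP and has no idea which inside machine triggered the scan.
    Simplified verdicts: 'stealth' = no forward (firewall drops the SYN),
    'closed' = forwarded but the target host is not listening, 'open' = the
    forwarded host accepts the connection.
    """
    assert initiated_from in LAN_SERVICES  # any LAN host; deliberately unused below
    dest = translate_inbound(table, proto, WAN_IP, port)
    if dest is None:
        return "stealth"
    target_ip, target_port = dest
    return "open" if (proto, target_port) in LAN_SERVICES.get(target_ip, set()) else "closed"


def scan_from_every_lan_host(table, proto, port):
    """Run the same probe 'from' each LAN host and collect the verdicts."""
    return {host: external_probe(table, proto, port, host) for host in LAN_SERVICES}


if __name__ == "__main__":
    rdr = build_rdr_table([PortForward("tcp", 1234, "192.168.1.5", 1234)])
    # Same verdict no matter which inside host ran the test.
    print(scan_from_every_lan_host(rdr, "tcp", 1234))
    # A port with no forward is simply dropped at the WAN.
    print(scan_from_every_lan_host(rdr, "tcp", 2222))
```

Running the model shows every LAN host reporting tcp/1234 as open, because each "test" is really the scanner connecting to 203.0.113.10:1234 and being redirected to 192.168.1.5; a port with no forward reports stealth from every host. Adding a second forward for tcp/1234 pointing at a different host raises an error, which is the same constraint the replies describe: one public port, one inside target.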



  • Maybe you just turn off your 192.168.1.5 when testing from other computers…
    WAN testing connects to the external interface... Look to WAN Firewall rules...
    when you PortForward something pfSense also makes the rule to pass this connection...
    so when the WAN scan connects - it tries to connect to your 192.168.1.5 when it works
    and reports 'Port Open'.
    Am I right? helpful??



  • Does anybody know how pfsense handles port address translation? I think this may be the difference between the dlink I have and pfsense.
    I have reason to believe this because I guess that when I test from the Shields Up website and use the option "User Specified Custom Port Probe" I'm beginning the tcp transaction and the NAT transaction between the two platforms must be implemented differently. Just to clarify I'm not bashing pfsense but I'm just curious as to how these two differ. :)



  • They don't differ. They're doing exactly the same thing, and what you're describing different between the two can't happen.

