Same Ports, Different Inbound IP: How Can pfSense Know which LAN IP to forward to?



  • This post is deleted!


  • Two containers,
    A with IP 192.168.1.10,
    B with IP 192.168.1.20,
    have to listen on the same port: 9000. This port is used for inbound or outbound.

    Container A uses the default outbound IP: 200.100.50.10
    Container B has an outbound NAT rule to use 200.100.50.20 when the source port is 9000 (it is :9000 to :9000 on both sides)

    Both containers have port forward rules setup for 9000 to their respective LAN IPs (static ports)

    Naturally, the auto created firewall rule (from the NAT rule) is identical, with the exception of the destination IP, which is (of course) the LAN IP of A and B.

    Container A works fine, but B doesn't. How does pfsense know that when a new connection comes in on 200.100.50.10 the 9000 is for container A and when it comes in on 200.100.50.20 the 9000 is for container B? Am I right to guess that I cannot use auto create firewall rules from NAT rules in this scenario? Or do i have to turn off static ports (in which case I am discovering they can be used for other purposes besides security ?

    PS: to further complicate things, the set of IPs my two boxes must talk to overlap. But this might deserve a separate topic. I am just trying to figure out the question in bold for now.


  • LAYER 8 Netgate

    In the port forward, set the address receiving the connections from the outside here:

    Screen Shot 2019-08-07 at 12.01.08 AM.png



  • It works now. I changed the VIP to type "alias", used a port fwd rule with auto FW rule creation, and created an outbound rule.

    Thanks again!


Log in to reply