Netgate Discussion Forum

    Port forwarding to multiple clients

    General pfSense Questions
    • D
      denx
      last edited by

      Hi. I'm a newbie to networking in general and I've been using pfsense as a learning tool over the last year in my house. Here's my situation: I'm using an old computer as a pfsense box, and I've set up multiple VLAN interfaces for multiple local subnets. When doing port forwarding, pfsense only allows a single target IP to which traffic will be forwarded, but what if you want to forward traffic to a range of clients/IPs? Can that be done without having to set up NAT rules for each client? Keep in mind that I'm trying to forward traffic not from the WAN to my LAN, but between my different LAN subnets.

      Thanks!

      • JKnottJ
        JKnott @denx
        last edited by

        @denx

        The only way you can send traffic to multiple computers is with broadcasts or multicasts. Those are one way only. Also broadcasts do not pass through routers and multicasts usually don't. Perhaps you'd better describe what you're trying to do.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • D
          denx @JKnott
          last edited by denx

          @JKnott Hi, thanks. So in my home lab I'm trying stuff I want to do later at my work (I work at a school). We use NetSupport School in my school's computer lab. The NS Student client is installed in the students' computers, and the NS Teacher client installed on the computer reserved for teachers so they can monitor what students are doing. I use the NS Tech client to monitor students and help teachers.

          Now in my home lab I set up a couple of different VLANs, one of them is for the Admin subnet (where I can access and monitor my network devices, including my pfsense box), and another is the one I want to assign to the computer lab in the future (so let's call this subnet the Student subnet). Since I'll likely spend the whole day connected to the Admin subnet, I need my NS Teacher/Tech client on the Admin subnet side to be able to communicate to the NS Student clients on the Student subnet side.

          Now this should usually be pretty straightforward (the NetSupport site has clear instructions on how to scan NS clients on other subnets). The thing is, as an added layer of security, I blocked communications between my different subnets through the firewall rules on pfsense. So the only way to allow the NS Teacher/Tech client on the Admin subnet to communicate to the NS Student clients on the Student subnet is by allowing specific traffic through port forwarding.

          I've actually been successful in forwarding NS traffic between the Admin and Student subnets, but like I said the problem is that I have to create a NAT rule for each Student client I want to connect to from the Admin side. I mean I could do that, but it would be tedious and would clutter the firewall rules page, which is why I'm looking for a way to forward NS traffic to all Student clients simultaneously. I tried sending traffic through the broadcast IP and NS multicast IP, but like you suggested it didn't work. I guess I could deactivate the firewall rules that block traffic between my subnets and call it a day, but that wouldn't be any fun.

          Hope that explanation makes more sense!

          • JKnottJ
            JKnott @denx
            last edited by

            @denx

            Is that using TCP or UDP? With TCP, you can only talk to one device at a time. UDP can use broadcast or multicast.

            • D
              denx @JKnott
              last edited by denx

              @JKnott Sorry for the late reply. NetSupport can use both TCP and UDP. I tried with TCP, UDP and TCP/UDP but it didn't make a difference unfortunately. Pfsense documentation mentions that it might be necessary to set up load balancing for this kind of use case, but that looks kinda intimidating lol.

              • JKnottJ
                JKnott @denx
                last edited by

                @denx

                Sending to multiple IPs has nothing to do with load balancing, at least not in the situation you described. To send something to multiple addresses requires broadcast or multicast and UDP. Since you're passing through a router, you'll have to use multicast and configure pfSense to pass it.

                • S
                  SteveITS Galactic Empire @denx
                  last edited by

                  @denx said in Port forwarding to multiple clients:

                  I blocked communications between my different subnets through the firewall rules on pfsense. So the only way to allow the NS Teacher/Tech client on the Admin subnet to communicate to the NS Student clients on the Student subnet is by allowing specific traffic through port forwarding

                  That confuses me a bit...port forwarding is normally used with NAT to connect to the WAN IP of a router and have the router forward the packets to the desired LAN IP. Firewall rules block or allow traffic on interfaces but by themselves don't pass traffic from WAN to LAN. Perhaps describe how the Admin and Student subnets are set up, is this all one router and they are both internal/LAN interfaces? Then I would think you could allow the teacher's IP access to the student subnet via firewall rule...?

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  • D
                    denx
                    last edited by denx

                    Figured it out. I created an IP alias that contained the Student IPs I wanted to connect to, and a Port Alias with the different ports that NS uses, then created a NAT rule with those aliases and now things are working perfectly in the Tutor console from the Admin side. Feeling kind of silly that this didn't occur to me earlier lol. The Tech console still presents some weird behavior but I think that's due to the console's settings, so I'll take a look at that.

                    1 Reply Last reply Reply Quote 0
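
The alias approach from the last post, combined with SteveITS's suggestion of a plain firewall rule, written out in pf.conf syntax (pf is the packet filter pfSense is built on). This is an added example, not configuration posted by anyone in the thread and not pfSense's generated ruleset; interface names, addresses and ports are constructed placeholders.

```conf
# Constructed placeholder values: none of these come from the thread.
admin_if    = "vlan10"             # Admin VLAN interface (assumed name)
student_if  = "vlan20"             # Student VLAN interface (assumed name)
admin_net   = "10.0.10.0/24"
student_net = "10.0.20.0/24"
ns_console  = "10.0.10.5"          # host running the Tutor/Tech console
ns_ports    = "{ 50001 50002 }"    # placeholder; use the ports NetSupport documents

# Equivalent of the IP alias: one named set of Student clients.
# Adding a client means editing this list, not adding another rule.
table <ns_students> { 10.0.20.11, 10.0.20.12, 10.0.20.13 }

# Without aliases the same policy needs one rule per client:
#   pass in quick on $admin_if proto tcp from $ns_console to 10.0.20.11 port 50001
#   pass in quick on $admin_if proto tcp from $ns_console to 10.0.20.12 port 50001
#   ... repeated for every client and every port

# With aliases: a single narrow exception. Only the console host, only the
# listed clients, only the listed ports. "keep state" lets the replies back
# through, so no matching rule is needed on the Student interface.
pass in quick on $admin_if inet proto { tcp udp } \
    from $ns_console to <ns_students> port $ns_ports keep state

# Inter-subnet isolation stays in place for everything else. With "quick",
# the first matching rule wins, so the exception must sit above the blocks.
block in quick on $admin_if   inet from $admin_net   to $student_net
block in quick on $student_if inet from $student_net to $admin_net
```

Both subnets hang off the same router, so the traffic is routed directly and a filter rule is enough; the exception stays limited to one source host, the listed clients and the listed ports.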
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.