Port forwarding from a specific source

  • I run a few services for some friends, and as a result I have some weird port forwarding needs.  I had the following set up under OpenBSD, and pfSense doesn't seem to want to do it.

    The following is my normal HTTPS and SSH forwarding:
    rdr on vr0 inet proto tcp from any to $ext_if port = https ->
    rdr on vr0 inet proto tcp from any to $ext_if port = ssh ->

    and I need to insert this:
    rdr on vr0 inet proto tcp from $friend_ip to $ext_if port = https -> port 22

    His IP is static, and basically he needs to SSH in over port 443 to get through a draconian firewall.  So I redirect traffic from his IP destined for port 443 to a device behind the firewall at port 22.  There doesn't seem to be a mechanism to allow for specifying source address in port forwarding.

  • When setting up the forwarding rule, click on the advanced button for source and destination.  This should correct the issue.  I have redirected RDP from 3389 to, for example, 10000 with a rule.  It should work for you.

  • I'm afraid what I want to do is a little more specific though.  Let's say you already had all traffic on external port 3389 forwarded to port 10000 on host.  Let's say you also had all traffic on external port 443 forwarded to port 443 on host.  What I'd want to do at this point is forward all traffic from only host_a on port 443 to port 10000 on host.

    PF can handle this, since it evaluates NAT rules from the top down, stopping at the first matching rule (in contrast to rule evaluation, where the last matching rule wins).  So there's no chance of a conflict between the "all traffic" rule and the host-specific rule.  As with many things PF, you just have to be careful about the order of things.  But then if you've ever dealt with any kind of ACL, that's just how they roll.

    Anyways, I know this is a kind of specific request, but it's one of two things keeping me from all-out switching to pfSense from OpenBSD.  I'm so used to having ridiculously fine control of PF, it's hard to give up.  Even with how sexy pfSense is.
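Added example, not written by any of the posters above and not pfSense's generated ruleset: a pf.conf fragment in the classic rdr syntax the thread uses (OpenBSD before 4.7, and the pfSense releases of the same era), showing the ordering the last post relies on. The interface name vr0 and the service ports come from the thread; the friend's address and the two internal hosts are placeholders.

```pf
# Added example, not from the thread.  Placeholders: friend_ip (TEST-NET-3
# documentation range), web_srv and ssh_srv.  vr0 is the interface named above.
ext_if    = "vr0"
friend_ip = "203.0.113.10"     # the friend's static address (placeholder)
web_srv   = "192.168.1.10"     # internal web server (placeholder)
ssh_srv   = "192.168.1.20"     # internal SSH host (placeholder)

# Translation (rdr) rules are first-match: the narrow, source-specific rule
# must be listed BEFORE the broad "from any" rule or it is never reached.
# Friend's traffic to tcp/443 -> SSH host, tcp/22 ...
rdr on $ext_if inet proto tcp from $friend_ip to $ext_if port https -> $ssh_srv port 22
# ... everyone else's tcp/443 still reaches the web server, tcp/22 the SSH host.
rdr on $ext_if inet proto tcp from any to $ext_if port https -> $web_srv
rdr on $ext_if inet proto tcp from any to $ext_if port ssh   -> $ssh_srv

# WRONG order, for contrast (commented out).  "from any" matches the friend's
# packets first, so the host-specific redirect below it is dead:
# rdr on $ext_if inet proto tcp from any to $ext_if port https -> $web_srv
# rdr on $ext_if inet proto tcp from $friend_ip to $ext_if port https -> $ssh_srv port 22

# Filter rules run after translation and see the translated destination, and
# they are last-match (unless "quick"), so pass the internal host/port, not
# the external port the friend connected to.
block in on $ext_if
pass in on $ext_if inet proto tcp from $friend_ip to $ssh_srv port 22  keep state
pass in on $ext_if inet proto tcp from any        to $web_srv port 443 keep state
pass in on $ext_if inet proto tcp from any        to $ssh_srv port 22  keep state

# Checks (run as root):
#   pfctl -nf /etc/pf.conf   parse only, no load
#   pfctl -sn                print the loaded rdr/nat rules in evaluation order
#   pfctl -sr                print the filter rules
```

The thing to verify after loading is the order `pfctl -sn` prints: the `$friend_ip` redirect must appear above the `from any ... port https` redirect, otherwise the friend lands on the web server like everyone else. The same constraint applies if the redirects are entered as port forwards in the pfSense GUI, since those are likewise processed top to bottom with the first match winning, so the source-restricted entry has to sit above the general 443 entry.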