    Port forward to internal IP, but only for VPN clients?

TheWaterbug

      I have a server at 192.168.0.2 running a bug tracker on Apache Tomcat. In days past I'd forwarded incoming HTTPS on mycompany.com:XYZ to 192.168.0.2:XYZ so that we all could get to the bug tracker from outside.

      As it turns out that was a horrible idea, because there were/are security vulnerabilities in my installation that allowed us to get hit by some malware. So I've turned off that port forward rule.

      The problem is that the automated emails we get from the bug tracker are of the form:

      Robert has updated the status of Bug #123. Please review at:

      https://mycompany.com:xyz/bugtracker/jsp/edit.jsp?projectId=ACMEDeathRay&entryId=9854

      Is there a way to send that to 192.168.0.2, but only for hosts inside 192.168.0.0/24 or IPSec clients? I see drop-down options under Source: for L2TP clients, but not for IPSec.

      Of course I can change new bug notifications to use 192.168.0.2 in the URL, but I can't change years of history.

viragomann

        For internal hosts you can add a DNS override, if using internal DNS, and block traffic from outside.

        But IPSec? The clients may resolve the hostname to the public address. So you may have to route that address over the tunnel to control access on your site. That requires that the address is static.

TheWaterbug

I don't see any place to have a port-specific DNS override. I don't think I want to override the entire domain, because then other things will break, such as my external access to pfSense.

johnpoz (LAYER 8 Global Moderator)

DNS is not port specific.

            Internally if you want to post something or read something from mycompany.com doesn't matter what the port is.

On the outside mycompany.com would resolve to your public IP. The client or URL you use is what would add the :xyz (port).

            So externally you end up hitting https://1.2.3.4:789/blahblah

Internally it would just resolve to 192.168.0.2, so now you would really be going to https://192.168.0.2:xyz/blahblah

The DNS is just what the FQDN resolves to. Your client or application or whatever, bookmark, etc. that creates the URL would still have its port in it.

If your VPN client is using your internal DNS and resolves mycompany.com to 192.168.0.2, that is where it would go.

            SG-4860 24.11 | Lab VMs 2.8, 24.11

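As an added illustration (not from any poster in this thread): the split-horizon answer johnpoz describes, written as the raw Unbound configuration that a Host Override in Services > DNS Resolver produces in effect. It assumes pfSense is the DNS server handed to both LAN hosts and IPsec mobile clients, and the IPsec client pool 10.0.8.0/24 is a placeholder.

```conf
server:
    # Constructed example. Only LAN and the assumed IPsec mobile-client pool
    # may query this resolver at all; everyone else is refused, so the
    # internal answer below is never visible from the Internet.
    access-control: 192.168.0.0/24 allow
    access-control: 10.0.8.0/24 allow        # assumed IPsec mobile client pool
    access-control: 0.0.0.0/0 refuse

    # "transparent" means: answer mycompany.com from the record below, but
    # resolve any other name under the zone (vpn.mycompany.com, etc.) normally,
    # so external access to pfSense by its own hostname keeps working.
    local-zone: "mycompany.com." transparent
    local-data: "mycompany.com. IN A 192.168.0.2"
```

The WAN port forward stays disabled: the port in the old email links is supplied by the URL, so https://mycompany.com:xyz/... now lands on 192.168.0.2:xyz directly for anyone using this resolver. IPsec clients that still use a public DNS server will resolve the public IP and be blocked, so the mobile-client phase 1 must hand out pfSense as their DNS server.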
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.