Netgate Discussion Forum

Help with local port forwarding

General pfSense Questions
14 Posts, 4 Posters, 1.8k Views
stephenw10 (Netgate Administrator):

      But 'LAN address' is the IP of the pfSense LAN interface. No traffic is ever going to come from there into the LAN. It can never match anything.
      You probably want 'LAN network' there.

That shouldn't ever match the TrueNAS address because I assume that cannot be in the LAN subnet. That port forward can never work if it is.

      Steve


menethoran @stephenw10:

@stephenw10 Switched source to 192.168.0.0/17 (I THINK that's the correct subnet to include all 192.168.X.X).


stephenw10 (Netgate Administrator):

          It would be /16 but that's probably not necessary. The port forward is on the LAN interface so the only traffic that can hit it will be from the LAN subnet or other subnets routed via some gateway on it (which you probably don't have).

          Steve


menethoran @stephenw10:

@stephenw10 I have 2 networks (IoT and Home). IoT exists on 192.168.2.X-192.168.3.X, Home exists on 192.168.1.X. I want all local traffic trying to reach 192.168.1.1:443 (or more specifically, https://pfsense.home) to resolve to 192.168.1.1:444; it currently resolves to 192.168.1.1:443. 192.168.1.1 = pfSense, port 444 = port 443, but changed because of security?... (Same with another service. Though ultimately I don't really care if pfSense resolves straight to 443 and I just set the access port back to 443, BUT I need to know that the 443 to 444 redirect works correctly, as another item on the network needs that to happen (i.e., its access is on 444 because it can't exist on 443, because another service monitors that port).


johnpoz (LAYER 8 Global Moderator) @menethoran:

@menethoran And why would, say, 192.168.X.X/17 or /16 send traffic to pfSense if it's trying to go to 192.168.1.1 or 192.168.2.2?

Not sure what you're hoping to accomplish here.

If your devices on 192.168.2.2 and 1.1 listen on 444, then talk to them on 444.

Why are you having them listen on 444 if you want devices to use 443 to talk to them?

What exactly are you wanting to happen, and we can either go over why that something doesn't make any sense, or how to do it. From what you have posted so far it doesn't make any sense.

But the only way a port forward for sending traffic to 444 vs 443 would work is if pfSense received the traffic to route to 2.2 or 1.1 from whatever client is trying to talk to those IPs. But if your devices are on some /16 or /17 network that includes 2.2 or 1.1, they would never send the traffic to pfSense in the first place.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1


johnpoz (LAYER 8 Global Moderator) @menethoran:

@menethoran said in Help with local port forwarding:

    but changed because of security?

Huh - changing the port that you're going to allow anyway, even if using some other port to get there, isn't security.

My pfSense listens on 8443 for access to the GUI. To get to the GUI I go to https://sg4860.local.lan:8443; this is pfSense's name on my network. I use 443 for OpenVPN, and also allow for that to be forwarded to another service behind pfSense, etc. So yeah, that is why I don't have the pfSense GUI listen on 443: because I want to use 443 for other stuff than the GUI.

Devices I want to allow, I allow; networks or devices I want to allow to talk to 8443. If I don't, then I don't let them talk to that IP:port.


stephenw10 (Netgate Administrator):

                  I assume then that LAN here is Home?

                  A port forward on LAN should then be:
                  Source: LAN net
                  Destination: LAN address
                  Target: LAN address (though you could also use localhost here for clarity).

                  Steve


menethoran @johnpoz:

@johnpoz Basically, I want it to function like yours does, except I don't want to have to append the port. As far as pfSense is concerned, as I stated previously, I don't care if I switch that back to 443. It was originally set up to 444 for (IIRC) security reasons. As I've now further locked down my network, I am less concerned with the 443 vs 444 on pfSense. HOWEVER, my NAS machine needs the interface to run on port 444 because Traefik binds port 443 and port 80 to handle internet traffic. I want to be able to connect to the NAS machine via SSL locally, and to do that, I need pfSense to handle local traffic headed towards the NAS machine to come in on 443, but be forwarded to 444 in between my client and the NAS... I would like all of my connections to be SSL, including my internal stuff, as much as I can.


johnpoz (LAYER 8 Global Moderator) @menethoran:

@menethoran said in Help with local port forwarding:

    handle local traffic headed towards the NAS machine to come in on 443

Is that traffic pfSense would route? pfSense is not involved in conversations between devices on the same network.

If you have this, say:

client lan -- pfsense -- optx -- nas

where client and NAS are on 2 different networks, you could do this with a simple port forward.

If NAS and client are on the same network, you could do it with, say, an HAProxy setup, where you hit a port on pfSense and the proxy sends it to the NAS. I do this for a couple of services, since I am having HAProxy do the SSL offloading, and the destination services run on odd ports and don't even support SSL, etc.

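To make stephenw10's two points (a source of "LAN address" can never match; 192.168.0.0/17 is not all of 192.168.x.x) and johnpoz's point (pfSense never sees traffic between two hosts on the same subnet) concrete, here is an added Python example. It is not from this thread and not pfSense code; it is a small model of which packets a port-forward rule on a given interface can ever evaluate. The topology is constructed to mirror the thread (Home/LAN 192.168.1.0/24 with pfSense at 192.168.1.1, IoT 192.168.2.x-192.168.3.x as 192.168.2.0/23); the IoT gateway address 192.168.2.1 and the NAS address 192.168.1.20 are assumptions.

```python
"""Model of which packets a pfSense port-forward (pf rdr) rule can ever see.

Added example, not from the forum thread and not pfSense's own code. It models
two facts the posts rely on: a rule bound to an interface only evaluates
packets that enter pfSense on that interface, and the rule's source and
destination fields are matched against the packet, so "LAN address" (the
router's own IP as a /32) as a source never matches a client.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

# Constructed topology mirroring the thread: Home/LAN is 192.168.1.0/24 with
# pfSense at 192.168.1.1; IoT spans 192.168.2.x-192.168.3.x, i.e. 192.168.2.0/23.
# The IoT gateway address and the NAS address are assumptions for the example.
INTERFACES = {
    "LAN": ("192.168.1.1", "192.168.1.0/24"),
    "IOT": ("192.168.2.1", "192.168.2.0/23"),
}
NAS = "192.168.1.20"  # assumed NAS address on the Home/LAN subnet


@dataclass(frozen=True)
class PortForward:
    """A NAT port-forward rule as entered in the pfSense GUI."""
    interface: str     # interface the rule is attached to
    source: str        # "LAN net" is the subnet; "LAN address" is the interface IP as /32
    destination: str   # normally the interface address as /32
    dst_port: int
    target: str
    target_port: int


def covers(network, host):
    """True if host lies inside network (used to sanity-check a /17 vs a /16)."""
    return ip_address(host) in IPv4Network(network)


def ingress_interface(src, dst):
    """Name of the pfSense interface a packet src->dst arrives on, or None.

    A host hands a packet to its gateway only when the destination is off its
    own subnet or is the gateway itself. Same-subnet traffic goes host to host
    through the switch, never reaches pfSense, and so no rule can touch it.
    """
    for name, (addr, net) in INTERFACES.items():
        if covers(net, src):
            if covers(net, dst) and ip_address(dst) != ip_address(addr):
                return None
            return name
    return None  # source is not on any directly connected subnet


def rule_matches(rule, src, dst, dport):
    """Return (target, target_port) if the rule would redirect the packet, else None."""
    if ingress_interface(src, dst) != rule.interface:
        return None
    if not (covers(rule.source, src) and covers(rule.destination, dst) and dport == rule.dst_port):
        return None
    return (rule.target, rule.target_port)


def lan_gui_rule(source):
    """The rule from the thread: on LAN, LAN address:443 -> pfSense GUI on 444."""
    addr, _ = INTERFACES["LAN"]
    return PortForward("LAN", source, f"{addr}/32", 443, addr, 444)


if __name__ == "__main__":
    lan_addr, lan_net = INTERFACES["LAN"]
    client, iot_client = "192.168.1.50", "192.168.2.50"

    # Source "LAN address" is a /32 on the router's own IP: no client ever matches it.
    print(rule_matches(lan_gui_rule(f"{lan_addr}/32"), client, lan_addr, 443))  # None
    # Source "LAN net" matches and the port is rewritten.
    print(rule_matches(lan_gui_rule(lan_net), client, lan_addr, 443))  # ('192.168.1.1', 444)
    # Same-subnet client -> NAS never enters pfSense, so no rule can redirect it.
    nas_rule = PortForward("LAN", lan_net, f"{NAS}/32", 443, NAS, 444)
    print(ingress_interface(client, NAS), rule_matches(nas_rule, client, NAS, 443))  # None None
    # Cross-subnet client -> NAS is routed; the rule must sit on the ingress interface.
    iot_rule = PortForward("IOT", INTERFACES["IOT"][1], f"{NAS}/32", 443, NAS, 444)
    print(ingress_interface(iot_client, NAS), rule_matches(iot_rule, iot_client, NAS, 443))  # IOT ('192.168.1.20', 444)
    # 192.168.0.0/17 stops at 192.168.127.255; /16 covers all of 192.168.x.x.
    print(covers("192.168.0.0/17", "192.168.200.1"), covers("192.168.0.0/16", "192.168.200.1"))  # False True
```

Run it with python3. The rule evaluation is deliberately reduced to the interface, source, destination and destination-port fields, which is enough to show why the thread's original rule could never match, why a client and NAS on the same subnet cannot be fixed by any port forward, and why a proxy such as HAProxy listening on pfSense's own address is the route for same-subnet clients.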
menethoran @johnpoz:

@johnpoz Oh, that's a FANTASTIC idea, I hadn't thought of using HAProxy to do this!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.