Netgate Discussion Forum

Port forwarding with internal source IP address

  • F
    Fabian
    last edited by Jun 16, 2023, 2:21 PM

    Hello,

    My home network doesn't have a static public IP, so I got a cloud server with pfSense installed and a static IP. The home server I want to access from outside my home network is connected to the pfSense via WireGuard. I set up port forwarding from external traffic to the VPN client and all works just fine, but I don't want to have a wildcard as the accepted IP addresses on the home server. Since the source IP is an external IP and changing, I can't whitelist that IP.
    So my question is, can I change the source IP that's sent to the home server to an internal IP and just whitelist that one?

    Thanks,
    Fabian

    V J 2 Replies Last reply Jun 16, 2023, 2:35 PM Reply Quote 0
    • V
      viragomann @Fabian
      last edited by Jun 16, 2023, 2:35 PM

      @Fabian
      You can replace the source address with the VPN IP in forwarded packets with an outbound NAT rule though (masquerading), but this doesn't make it any safer at all.

      It would be better to filter the traffic on pfSense advisedly.

      F 1 Reply Last reply Jun 20, 2023, 6:22 AM Reply Quote 1
      • J
        johnpoz LAYER 8 Global Moderator @Fabian
        last edited by Jun 18, 2023, 7:27 PM

        @Fabian said in Port forwarding with internal source IP address:

        my home network doesn't have a static public ip

        Is it CGNAT? Trying to understand what you're wanting to do.. Who cares if your public is static or not? If you're trying to get to your public IP for a port forward from the public internet.. Just set up a dynamic DNS for your public IP - then if it changes the dynamic DNS FQDN will point to your new IP.

        Does your ISP actually change your IP.. I have the same IP from my ISP for years at a time..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        F 1 Reply Last reply Jun 20, 2023, 5:38 AM Reply Quote 0
        • F
          Fabian @johnpoz
          last edited by Jun 20, 2023, 5:38 AM

          @johnpoz
          I'm so sorry, my bad, I forgot to mention that my ISP uses CGNAT.

          1 Reply Last reply Reply Quote 0
          • F
            Fabian @viragomann
            last edited by Jun 20, 2023, 6:22 AM

            @viragomann said in Port forwarding with internal source IP address:

            outbound NAT rule

            Thank you very much, it worked with an outbound NAT rule. I'm new to pfSense so it's a bit hard to understand it all right away.

            @viragomann said in Port forwarding with internal source IP address:

            but this doesn't make it any safer at all.

            Yes, you're right. Do you have any idea how I could filter the traffic and make it more secure?
            I only need port 8123 because I want to access the Home Assistant web interface.

            V 1 Reply Last reply Jun 20, 2023, 7:10 AM Reply Quote 0
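The setup discussed up to this point (port forward on the VPS, outbound NAT onto the WireGuard tunnel, traffic limited to port 8123), written out as pf.conf-style rules. This is an added example, not from any poster in the thread; pfSense builds its rules from the GUI, and every interface name, address and the `<ha_clients>` table below are constructed placeholders.

```pf
# Constructed placeholders, not values from the thread.
wan_if  = "vtnet0"        # VPS interface holding the static public IP
wg_if   = "tun_wg0"       # WireGuard tunnel interface on the VPS
wg_self = "10.6.0.1"      # pfSense's own address inside the tunnel
ha_host = "10.6.0.2"      # home server (Home Assistant) inside the tunnel
ha_port = "8123"

# Optional source restriction: networks allowed to reach the forward.
# Assumption for illustration; use "any" if clients roam unpredictably.
table <ha_clients> const { 198.51.100.0/24 }

# Outbound NAT (masquerading) on the tunnel: the home server now sees
# every forwarded connection as coming from $wg_self, so it can
# allow that single address instead of a wildcard.
nat on $wg_if inet proto tcp from any to $ha_host port $ha_port -> $wg_self

# Port forward: public IP, port 8123 -> home server through the tunnel.
rdr on $wan_if inet proto tcp from any to ($wan_if) port $ha_port -> $ha_host port $ha_port

# Filtering has to happen here. After masquerading, the home server can
# no longer tell external clients apart, so its allowlist entry for
# $wg_self admits whoever these rules let through.
block in log on $wan_if all
pass in quick on $wan_if inet proto tcp from <ha_clients> \
    to $ha_host port $ha_port flags S/SA keep state

# Only the forwarded service may leave towards the home server.
block out log on $wg_if all
pass out quick on $wg_if inet proto tcp from any \
    to $ha_host port $ha_port flags S/SA keep state
```

Because the home server's logs will show only the tunnel address after translation, the `log` keyword on the VPS-side rules is where the real client addresses remain visible.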
            • V
              viragomann @Fabian
              last edited by Jun 20, 2023, 7:10 AM

              @Fabian
              I'd suggest accessing it via VPN if you need it only for your own purposes. So you wouldn't need to forward public IPs at all.
              Connect your phone or any device to the VPS via VPN if you're out, and so you can access the Home Assistant with its private IP and the whole connection is within a private / trusted network.

              F 1 Reply Last reply Jun 20, 2023, 10:04 AM Reply Quote 0
              • F
                Fabian @viragomann
                last edited by Jun 20, 2023, 10:04 AM

                @viragomann
                To access it via VPN was my solution before, but then I realised that it is inconvenient to open a VPN connection on my phone 10 times a day. Sure, I could stay connected all day long, I'm using WireGuard, but I don't like that either.
                To my knowledge the Home Assistant web interface is pretty secure and I've also enabled 2FA, but there is always a risk in making a web interface accessible to everyone.

                1 Reply Last reply Reply Quote 0
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.