Port forwarding with internal source IP address
-
Hello,
My home network doesn't have a static public IP, so I got a cloud server with pfSense installed and a static IP. My home server, which I want to access from outside my home network, is connected to the pfSense via WireGuard. I set up port forwarding from external traffic to the VPN client and all works just fine, but I don't want to have a wildcard as the accepted IP addresses on the home server. Since the source IP is an external IP and changing, I can't whitelist that IP.
So my question is, can I change the source IP that's sent to the home server to an internal IP and just whitelist that one?
Thanks,
Fabian -
@Fabian
You can replace the source address with the VPN IP in forwarded packets with an outbound NAT rule though (masquerading), but this doesn't make it any safer at all. It would be better to filter the traffic on pfSense advisedly.
-
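For readers unfamiliar with what the outbound NAT suggestion means at the packet-filter level, here is an added example in pf rule syntax (the filter pfSense is built on); it is not from the thread or from pfSense's generated ruleset, and the interface names, the 10.10.0.0/24 tunnel addresses, and the 192.168.1.50 home server address are assumed. It combines the port forward for the Home Assistant port 8123 mentioned later in the thread, the source rewrite to the pfSense end of the WireGuard tunnel, and a matching filter rule.

```pf
# --- assumed names (not from the original post) ---
wan_if  = "vtnet0"           # VPS public interface
wg_if   = "wg0"              # WireGuard tunnel interface on pfSense
wg_self = "10.10.0.1"        # pfSense's own address inside the tunnel
home    = "192.168.1.50"     # Home Assistant host reached through the tunnel
ha_port = "8123"

# 1) Port forward: public port 8123 -> Home Assistant via the tunnel
#    (pfSense GUI: Firewall > NAT > Port Forward)
rdr on $wan_if proto tcp from any to ($wan_if) port $ha_port -> $home port $ha_port

# 2) Outbound NAT on the tunnel: rewrite the source of the forwarded
#    connection to pfSense's tunnel address, so the home server only ever
#    sees 10.10.0.1 and can allowlist that single address
#    (pfSense GUI: Firewall > NAT > Outbound, Hybrid mode, interface = WireGuard,
#     destination = home server port 8123, translation = interface address)
nat on $wg_if proto tcp from any to $home port $ha_port -> $wg_self

# 3) Filter rule on WAN for the forwarded traffic; keep this as tight as the
#    situation allows, because the source-rewrite in (2) hides the real
#    client address from the home server's own logs and allowlist
pass in quick on $wan_if proto tcp from any to $home port $ha_port flags S/SA keep state
```

With rule (2) in place the home server's allowlist shrinks to 10.10.0.1/32, but, as the reply above says, that only changes who the server thinks it is talking to; every public client still reaches port 8123 through rule (3). Any per-client logging, rate limiting or source restriction therefore has to live on pfSense, where the original source address is still visible.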
@Fabian said in Port forwarding with internal source IP address:
my home network doesn't have a static public ip
Is it CGNAT? Trying to understand what you're wanting to do. Who cares if your public IP is static or not, if you're trying to get to your public IP for a port forward from the public internet? Just set up a dynamic DNS for your public IP; then if it changes, the dynamic DNS FQDN will point to your new IP.
Does your ISP actually change your IP? I have had the same IP from my ISP for years at a time.
-
@johnpoz
I'm so sorry, my bad, I forgot to mention that my ISP uses CGNAT. -
@viragomann said in Port forwarding with internal source IP address:
outbound NAT rule
Thank you very much, it worked with an outbound NAT rule. I'm new to pfSense so it's a bit hard to understand it all right away.
@viragomann said in Port forwarding with internal source IP address:
but this doesn't make it any safer at all.
Yes, you're right. Do you have any idea how I could filter the traffic and make it more secure?
I only need port 8123 because I want to access the Home Assistant web interface. -
@Fabian
I'd suggest accessing it via VPN if you need it only for your own purposes. Then you wouldn't need to forward public IPs at all.
Connect your phone or any device to the VPS via VPN when you're out, and you can access Home Assistant with its private IP, with the whole connection inside a private / trusted network. -
@viragomann
Accessing it via VPN was my solution before, but then I realised that it is inconvenient to open a VPN connection on my phone 10 times a day. Sure, I could stay connected all day long, since I'm using WireGuard, but I don't like that either.
To my knowledge the Home Assistant web interface is pretty secure and I've also enabled 2FA, but there is always a risk in making a web interface accessible to everyone.