Forward specific external IP to Internal IP.



  • Hi,

    I think I may be doing something stupid here. I am trying to map a specific external IP address to a different internal server but do not see the option..

    IE - I want to map RDP traffic 87.134.100.89 to 192.168.1.1 and all RDP traffic from 60.240.130.99 to 192.168.1.2

    Is this possible? I have done this on other boxes but not the PF..

    J



  • ~~This is currently not implemented in the WebGUI.

    I think there was a thread somewhere on how you could hack that manually into the pf config file, but I don't remember where…~~

    I thought this was about source-dependent selection of a different server.
    Ignore the above ^^"


  • Rebel Alliance Developer Netgate

    It should be possible with normal port forwards, if I'm reading the question properly.

    Just add a Virtual IP address for your additional IPs, and then they will be available under the "External Address" drop-down when making a port forward.

    Pick the external IP, the port(s) for RDP, then type in the internal IP and port you want to go with it, and check the box to add the firewall rule. Should be pretty straightforward.



  • You can do this by making 1:1 mappings. First, go to Firewall, Virtual IPs and make a CARP entry for each external IP you have.

    Like this:

    Type: CARP
    Interface: WAN
    IP Address(es): Address: [your external IP here] / 32 (/32 = one address)
    Virtual IP Password: just make something up here
    VHID Group: make something up. I use a unique group for all my addresses. Not sure what this does but how I do it, it works for me :)
    Advertising Frequency: 0
    Description: not parsed, enter a sensible description here

    Then go to Firewall, NAT, 1:1
    Make a new entry. Interface: WAN
    External Subnet: [your external IP address here] / 32
    Internal Subnet: 192.168.1.1 (your internal machine)
    Description: some description

    Then enter a firewall rule to allow RDP traffic from the external address to internal:
    Firewall, Rules (not NAT!), WAN
    Enter your allow-rule here.

    Good luck :)

    /edit
    jimp is also right, you can use NAT to map an external IP different than the external IP of the pfSense box. I did it the way I did because I wanted the external machines to have the complete IP address, so they would be pingable from outside.


  • Rebel Alliance Developer Netgate

    @Vorkbaard:

    You can do this by making 1:1 mappings. First, go to Firewall, Virtual IPs and make a CARP entry for each external IP you have.

    This should work with any type of VIP, not just CARP, and 1:1 isn't really needed either unless you want the outbound traffic from those servers to also appear to originate from the external IPs you are working with.
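    To make the difference between the two approaches in this thread concrete, here is the pf ruleset that the two GUI configurations amount to. This is an added example, not text from any poster and not the ruleset pfSense itself generates (pfSense rebuilds its ruleset from the GUI configuration, so it is for reading, not for hand-editing). It assumes the WAN interface is `em0`, that the two external addresses from the original question are already configured as Virtual IPs on WAN (any VIP type), and it uses a constructed `<rdp_admins>` table with a documentation prefix as a placeholder for the networks allowed to reach RDP.

    ```pf
    # Added example; not from this thread or from pfSense's generated rules.
    # Assumptions: WAN is em0; 87.134.100.89 and 60.240.130.99 are both
    # configured as Virtual IPs on WAN (Proxy ARP / Other / CARP), so pf
    # answers for them on the wire.
    ext_if   = "em0"
    rdp_port = "3389"

    # Option A: plain port forwards (Firewall > NAT > Port Forward).
    # Only inbound RDP is translated. Connections the servers originate
    # still leave sourced from the primary WAN address.
    rdr on $ext_if proto tcp from any to 87.134.100.89 port $rdp_port -> 192.168.1.1 port $rdp_port
    rdr on $ext_if proto tcp from any to 60.240.130.99 port $rdp_port -> 192.168.1.2 port $rdp_port

    # Option B: 1:1 NAT (Firewall > NAT > 1:1). binat is bidirectional:
    # every port of the external IP maps to the internal host, and traffic
    # the server originates leaves sourced from "its" external IP (which is
    # why the server becomes pingable from outside, as Vorkbaard wanted).
    # Use A or B for a given host, not both; B is shown commented out.
    # binat on $ext_if from 192.168.1.1 to any -> 87.134.100.89
    # binat on $ext_if from 192.168.1.2 to any -> 60.240.130.99

    # Filter rules (Firewall > Rules > WAN, not the NAT tab). With the
    # rdr/binat syntax the filter sees the already-translated destination,
    # so the pass rules match the internal addresses. NAT alone admits
    # nothing; without these rules the forward is silently dropped.
    # Constructed placeholder: restrict RDP to the networks that need it
    # instead of "any".
    table <rdp_admins> { 203.0.113.0/24 }
    pass in quick on $ext_if proto tcp from <rdp_admins> to 192.168.1.1 port $rdp_port keep state
    pass in quick on $ext_if proto tcp from <rdp_admins> to 192.168.1.2 port $rdp_port keep state
    ```

    The point jimp makes above is visible in the two blocks: the `rdr` lines alone answer the original question (one external IP per internal RDP server), while `binat` is only needed when the servers' own outbound traffic should carry the matching external address. In either case the `pass` rules on WAN are what actually admit the traffic, which is the usual thing to check when a forward "still brings you to the wrong host" or does not work at all.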



  • @jimp:

    @Vorkbaard:

    You can do this by making 1:1 mappings. First, go to Firewall, Virtual IPs and make a CARP entry for each external IP you have.

    This should work with any type of VIP, not just CARP, and 1:1 isn't really needed either unless you want the outbound traffic from those servers to also appear to originate from the external IPs you are working with.

    Indeed, I need traffic from those servers to appear to originate from their specific IPs :) Should have mentioned that - it's just how I got it working.



  • Hi All,

    Many thanks for the response.

    I have tried to add the VIP but when I add a CARP address I get the following error.

    Sorry, we could not locate an interface with a matching subnet for 89.xx.1xx.72/32. Please add an ip in this subnet on a real interface.

    Any ideas ?


  • Rebel Alliance Developer Netgate

    CARP VIPs have to be in the same subnet as your WAN. If you have IPs in a different subnet, use Proxy ARP or "Other" type VIPs.



    I have now added it in as Proxy ARP..

    I have a NAT going from VIP to 192.168.1.2 but still brings me to 192.168.1.1

    I have also tried setting the VIP as other..

    Do I need to restart the PF..


  • Rebel Alliance Developer Netgate

    It might help to see a screen capture of your port forward screen, someone might be able to spot an issue. A screen capture of the port forward editing screen for that rule wouldn't hurt, either.



    JPEG of screen dump attached..



  • Rebel Alliance Developer Netgate

    What about the other view? (the list of port forwards)



  • port forward

    ![port forward.JPG](/public/imported_attachments/1/port forward.JPG)



  • Did you create the according firewall rule?

