Use of aliases for port forwarding

lifeboy · Feb 13, 2025, 3:24 AM

I have a setup for a specific service which requires that traffic to a single ip address on different ports be forwarded to different internal addresses on different servers. (Pretty much the point of port-forwarding).

In order to have a neater set up port-forwarding rules, I have created an alias for each group of ports that must be forwarded to a specific LAN address. For example, these ports are for TCP traffic to server 1.

I have an alias for all the UDP ports and similarly for each other server an alias for the TCP and UDP ports.

It looks like this:

My question is: Will this work correctly? In other words, will the alias work in such a way, that traffic for instance to port 443 will be forwarded to port 443, and so for the other ports?

I'm asking because when we switched to this setup this morning, despite resetting the fireall states, some traffic wasn't flowing. So I created individual rules for each port and about 30 minutes later things seemed to be working. I'm not sure it's the rules that causes this or if it was something else.

SteveITS · Feb 13, 2025, 3:36 AM

@lifeboy per https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings aliases are allowed as long as it’s the same alias.

lifeboy · Feb 13, 2025, 4:02 AM

@SteveITS So I want to be really clear on this: The fact that I have bundled lots of ports together in an alias is fine, as long as I use the same alias in the destination and redirect spec? Like this:

Bob.Dig · Feb 13, 2025, 10:39 AM

@lifeboy According to the docs, it should work. But would I count on it, I don't. And the alias for the host is just one single machine? If that is true, it could be a bug, according to the docs...

lifeboy · Feb 13, 2025, 1:11 PM

@Bob-Dig Yes, the Alias for the host "Hytera3_POC" is a single host with multiple services, each on a different port.

There are 4 different hosts like this and they all work ito port forwarding, except the one that may have had some issues. However, it seems as if the problem only occurs one one type of client device (that consumes these services), so the port forwarding seems not the be a problem.

SteveITS · Feb 13, 2025, 1:11 PM

@lifeboy I was set to say “no” above but the docs allow it. I’ve rarely had the occasion to try.

Good find that your issue is tied to the client type. Though, hard to see how. Smells more like a routing or software firewall problem, that’s in the connection path.

lifeboy · Feb 19, 2025, 1:34 PM

@SteveITS What I meant by "one type of client device" is the following:

The customer has a number of application servers that provide a whole range of services. Their clients have devices that connect to their services. They recently updated their servers to a new major release and it seems the problem is that some clients, running an older version of the client software, were having trouble connecting to the new servers, which it turns out has nothing to do with the port forwarding at all.