Reflection? / Port Forwarding to keep traffic inside office?



  • I have read all through the forums and can't find a solution to my specific problem.

    The title of the post is probably not going to get me much help, as I'm not sure how to explain the setup in 1 line.

    Here is my situation:

    I run an office and employees come and go all day.
    Their laptops are constantly syncing a large data-set every 15min via rsync to a remote rsync server in the cloud.
    The same data-set exists IN my office on a replica of the rsync server that's in the cloud.

    I would like to redirect traffic to my server in house when a client attempts to connect to the cloud on port 873 (rsync).

    To free up bandwidth in the office, I'd rather have them sync to the office server when in house rather than downloading from the cloud (the data is the same in both places).

    Here's my setup:
    Pfsense with 2 interfaces

    WAN: 99.99.99.99
    LAN: 192.168.9.1/24

    I need to make a rule that when traffic heads out to the internet on port 873 it gets redirected to my in house server 192.168.9.200 on port 873.

    I have tried different rules to no avail, sorta copying off of imspector threads and squid threads as a reference, but it doesn't seem to work.

    Any help would be GREATLY appreciated, I'm about to pull my hair out.  ???



  • You want a port forward, only you select the LAN interface, not WAN as usual.  I think you also want to check the "no NAT" box.



  • I've tried the LAN option, but it wasn't working.

    I don't have an option for "No-Nat"



  • I'm sorry, I think I misspoke.  What you want is not on the port forward page, but the NAT page.  I think you also want to select Advanced Outbound NAT, so that you can move the new rule before the default any rule.



  • What you want is not on the port forward page, but the NAT page.

    Port Forward is a Tab of the NAT page.
    Do I want Port Forward, 1:1, or Outbound?

    I think you also want to select Advanced Outbound NAT, so that you can move the new rule before the default any rule.

    I've found this option, but not sure what "rule" I would be putting before the default.
    It would be nice if you could give an example of what my rule should look like, and on what Tab I would go to create it.

    BTW, I greatly appreciate your help!



  • I think I remember reading in the pfSense book that you cannot use NAT to redirect traffic back onto the same interface, so you would have to put the server in a DMZ or on an OPT interface.

    Can you not achieve what you want with split DNS?



  • I think that should be able to work, since that is what (AFAIK) NAT reflection does - a packet arrives on LAN interface for WAN of pfsense, and it rdr's it back out the LAN to the real host.  I need to look at this more carefully, I can see it getting to the other host, but not working quite right.



  • Ah, that was my error: I was trying to change the port number too.  For some reason that didn't work.  Once I tried a vanilla service, it works fine.  Click on port forward and a rule like this:

    LAN TCP 873  INTERNALRSYNCIP (ext.: any) 873



  • BTW, yes, split DNS or NAT reflection would be right under other circumstances, but the OP specifically wants to use separate servers.  I guess he could still use split DNS.  Note: what I suggested is a variation of NAT reflection, only based on any dest, not the WAN IP.  You would need to elaborate on the rule so that (I assume) your internal rsync box can talk to the outside one without being NAT'ed.



  • LAN    TCP    873    INTERNALRSYNCIP (ext.: any)    873

    This worked perfectly.  ;D

    You don't know how happy I am.  Thank you very much!

    I have another question, same topic.

    Now that all traffic is being reflected back to the server on the LAN, is there a way to allow that server to still communicate with the server in the cloud on port 873 without it creating a loop because of that rule?

    I would still like traffic from 192.168.9.200 port 873 to be able to pass normally to the other server (as they sync nightly).  Right now I need to turn off the rule in order to get 192.168.9.200 to be able to connect to the outside server (as the port forward is rerouting traffic back into the local server creating a loop).

    I am pretty sure rules are applied in the order they are listed.  I assume I need a rule in front of the current one that will allow 192.168.9.200 to pass through without being forwarded, but I'm not sure what that rule should look like.



  • In the source area of your rule you could try ticking the Not checkbox and specify a 'Single Host or Alias' of 192.168.9.200.

    So the reflection rule will only apply to anything that is NOT 192.168.9.200.



  • Yes, that is what I was implying with my previous comment about "elaborate on the rule".  Sorry if that was not clear.



  • I'm curious, could you have defined a DNS alias on your network to make the remote server appear to be local? Of course, this doesn't help the local server to reach the remote one.



  • In the source area of your rule you could try ticking the Not checkbox and specify a 'Single Host or Alias' of 192.168.9.200.

    There is no such option on the Port Forward: Edit screen.



  • @haqthat:

    In the source area of your rule you could try ticking the Not checkbox and specify a 'Single Host or Alias' of 192.168.9.200.

    There is no such option on the Port Forward: Edit screen.

    Bump... please help with my last post?



  • You show a screenshot of a firewall rule.
    Gob is talking about NAT rules.

    Are you connecting to the server via an IP or a name?
    If you connect via a name you could simply set up split DNS as described here:
    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F



  • I have a feeling you may be out of luck.  I seem to recall wanting to specify more detailed info in the port forward rule and couldn't - it is not an issue with pf, but the gui just doesn't make that available.
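    As an added illustration (written for this thread, not taken from any poster and not pfSense-generated configuration), this is what the "LAN TCP 873 -> INTERNALRSYNCIP (ext.: any) 873" port forward looks like in pf's own rule syntax, together with the source exemption for 192.168.9.200 that the GUI does not expose. The interface name em1 and the macro names are assumptions; the exemption works because pf evaluates translation rules first-match, exactly the "rule in front of the current one" idea from the thread.

```conf
# Constructed pf.conf fragment (assumptions: LAN interface is em1,
# LAN network is 192.168.9.0/24, in-house rsync server is 192.168.9.200).
lan_if    = "em1"
lan_net   = "192.168.9.0/24"
rsync_srv = "192.168.9.200"

# 1. Exemption first: translation rules are first-match, so the in-house
#    server's own nightly sync to the cloud is matched here and never
#    reaches the rdr below, avoiding the loop described in the thread.
no rdr on $lan_if proto tcp from $rsync_srv to any port 873

# 2. The port forward from the thread: any LAN client connecting to any
#    destination on 873 is redirected to the in-house server on 873.
rdr on $lan_if proto tcp from $lan_net to any port 873 -> $rsync_srv port 873

# 3. Hairpin: client and server share one subnet, so without this the
#    server would answer the client directly (from 192.168.9.200 instead of
#    the cloud address) and the client would reset the connection.  NAT the
#    source to the firewall's LAN address so replies return through pf.
nat on $lan_if proto tcp from $lan_net to $rsync_srv port 873 -> ($lan_if)

# 4. Filter rule allowing the redirected connections (filtering sees the
#    already-translated destination).
pass in quick on $lan_if proto tcp from $lan_net to $rsync_srv port 873 flags S/SA keep state
```

    Traffic from 192.168.9.200 itself never matches rule 3 either, since its destination is the cloud host rather than $rsync_srv, so the server's outbound sync leaves the office untouched.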



  • If you had another network interface, you could connect the server to this other interface and use your port forward rule and it would not apply to the server's outbound connections.

    Hmm, thinking about it, there are multiple things that aren't available for port forwards but are available elsewhere that could be useful.  Options like source address or schedules could be potential solutions in this scenario if they could be used on port forwards.  It seems like the available options may have been decided mainly based on how it would be used on the WAN interface, though.  It probably is very uncommon to be forwarding to a different internal address based on the source address from the internet.  As far as schedules, the firewall rule can block connections that would go to the port forward on WAN during the scheduled period, so it probably wasn't considered that people might want to have schedules for the port forward rules themselves.

