Internal port forwarding



  • I have a web server that needs to run on port 81.  Its internal IP is 192.168.0.201. Externally it is 64.196.10.148. I set up a NAT rule to forward 64.196.10.148:80 to 192.168.0.201:81. I can access the web server externally but I can't access it internally using its domain name. Obviously I can access it using the internal IP and port, but I would like other hosts on my internal network to access it using its domain name. How do I go about doing this? I'm sure it's possible but I don't see a clear way. I could just add a record to my DNS server, but that doesn't solve the port forwarding from 80 to 81.  ???



  • Well, that's a bummer.  NAT reflection would normally be used, but that won't work (AFAIK) with a different port number.  The other possibility is split DNS, but that doesn't either.  Why does it need to be port 81?



  • NAT reflection does work with the port number being different.



  • Ah, my mistake.  I didn't think that was the case.  Learn something new every day :)



  • I tried enabling it but still no luck. Is there more to it? All I did was uncheck the disable option in the advanced system setup. Do I have to add another rule in addition to my 64.196.10.148:80 -> 192.168.0.201:81 rule?



  • Did you check the box to allow the access rule to be created?  Also, you didn't answer why it needs to be port 81?



  • Do you have a DNS override pointing to 192.168.0.201 that you added and forgot to remove after enabling NAT reflection?



  • I'm assuming that your box serving web feeds on port 81 can't also serve the same on port 80.

    I don't see a good pfsense answer until the 'port forward' rules expand to allow matching particular destination addresses.    It is possible to do this today if you are willing to edit /etc/inc/filter.inc to add a rule.

    If hacking in a rule is problematic, it might be easier to choose some third box on your LAN that isn't currently involved in serving port 80 or 81.  Then set it up as a 'single function' router that forwards incoming port 80 requests to your actual local port 81 web server.  Then, set up the DNS to point to the new third internal box.  It's 'winning ugly', but will get you by until pfsense offers finer control over forwarding.

    There's $0.02 worth for Sunday afternoon.
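The "reflection" being discussed, written out as plain pf rules so the moving parts are visible. This is an added example, not code from any poster or from pfSense's generated ruleset; it uses the thread's addresses (64.196.10.148 and 192.168.0.201) but assumes interface names `em0`/`em1` and a LAN subnet of 192.168.0.0/24. The point a practitioner most often misses is the third rule: when client and server sit on the same subnet, the server would answer the client directly, the client never saw the translation, and the handshake fails, so the reflected connections must also be source-NATed back to the firewall.

```pf
# Added example: NAT reflection with port translation in pf (classic rdr/nat syntax).
# Interface names, the LAN subnet and the pass rules are assumptions, not from the thread.
ext_if   = "em0"              # assumed WAN interface
int_if   = "em1"              # assumed LAN interface
ext_addr = "64.196.10.148"    # public address from the thread
web_srv  = "192.168.0.201"    # internal web server from the thread
lan_net  = "192.168.0.0/24"   # assumed LAN subnet

# 1. Internet -> server: public :80 is redirected to the server's :81.
rdr on $ext_if proto tcp from any to $ext_addr port 80 -> $web_srv port 81

# 2. Reflection: a LAN client resolving the hostname to the public address
#    gets the same 80 -> 81 translation on the inside interface.
rdr on $int_if proto tcp from $lan_net to $ext_addr port 80 -> $web_srv port 81

# 3. Client and server share a subnet, so the server's replies would bypass the
#    firewall and arrive at the client untranslated. Source-NAT the reflected
#    flows to the firewall's LAN address so the reply path also crosses pf.
nat on $int_if proto tcp from $lan_net to $web_srv port 81 -> ($int_if)

# Filter rules see the post-translation addresses, so they permit :81, not :80.
pass in on $ext_if proto tcp from any     to $web_srv port 81 flags S/SA keep state
pass in on $int_if proto tcp from $lan_net to $web_srv port 81 flags S/SA keep state
```

To check it from a LAN host, connect to the public address on port 80 (for instance `curl -v http://64.196.10.148/`) and confirm on the firewall with `pfctl -s state` that the state shows both the 80 to 81 redirection and the source address rewritten to the firewall's LAN address; without rule 3 you will typically see the SYN translated but the connection hang.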

