Port Forwarding FROM and TO internal hosts?



  • Hello. I'm struggling for maybe three days to make an internal port forwarding work. My network is 10.250.0.0/24 and one of its internal hosts (10.250.0.9) is an MSN proxy and logger, so I would like to redirect all traffic to 1863/TCP to this host. After creating the forwarding according to the pfSense wiki and posts in this forum, I've found out that I'm stuck with two problems:

    1. When creating a port redirection on the internal LAN interface, pfSense also does NAT for all the redirected datagrams using its own internal IP address (10.250.0.2) as the source!

    Obs: I managed to work around this by creating an outbound NAT rule saying that everything FROM the internal subnet TO the internal subnet ON the firewall's LAN interface would NOT be NATed. But that does not look like a good solution.

    2. And the biggest problem: I could not find a way to create an exception to the port redirection rule for the internal MSN proxy (10.250.0.9). All external traffic to 1863/TCP gets redirected back from the firewall to 10.250.0.9, even its own!

    Obs: I also tried to split the whole internal LAN into different subnets, such as 10.250.0.0/28 (for the internal servers, including the MSN proxy) and 10.250.0.16/28 (for all the workstations), but that did not have any effect on the port redirection problem, since it is not possible to create exclusions for the port redirection rule.

    pfsense is 1.2.3-RELEASE.

    Would anyone have any ideas or suggestions?

    Thanks a lot


  • Rebel Alliance Developer Netgate

    This kind of redirection does not work going back to the same interface you originate from. You need a separate interface such as a DMZ to keep the proxy/filter box on.



  • Ok, thanks. But how do I create the new redirection for the DMZ? Maybe something like: interface LAN, ext. port range 1863, NAT IP <DMZ host's IP address?>, int. port range 1863?

    Will pfSense translate all internal IP addresses accessing the DMZ host to its own interface address as source? That would still be a problem.


  • Rebel Alliance Developer Netgate

    @RoFz:

    Ok, thanks. But how do I create the new redirection for the DMZ? Maybe something like: interface LAN, ext. port range 1863, NAT IP <DMZ host's IP address?>, int. port range 1863?

    Yes

    @RoFz:

    Will pfSense translate all internal IP addresses accessing the DMZ host to its own interface address as source? That would still be a problem.

    No, not unless you tell it to do that with a manual outbound NAT rule. Otherwise internal networks route without NAT.
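    For readers who want to see the design jimp describes written out as firewall rules, here is an added pf.conf fragment (pfSense 1.2.3 runs on FreeBSD pf, but pfSense generates its own ruleset; this is hand-written illustration, not the project's code or any poster's configuration). The interface names, the DMZ subnet 10.250.1.0/24 and the proxy's DMZ address 10.250.1.9 are constructed assumptions. The point it shows is that the rdr rule is bound to the LAN interface only, so the proxy, sitting on the DMZ interface, is never caught by its own redirect, and that nothing NATs traffic between the two internal networks.

```pf
# Assumed interface names and addresses (not from the thread)
lan_if    = "em0"
dmz_if    = "em1"
wan_if    = "em2"
lan_net   = "10.250.0.0/24"
dmz_net   = "10.250.1.0/24"   # constructed DMZ subnet
msn_proxy = "10.250.1.9"      # constructed address of the MSN proxy/logger in the DMZ

# Redirect MSN traffic (1863/TCP) from LAN clients to the proxy in the DMZ.
# The rule is evaluated only for packets arriving on lan_if, so packets the
# proxy itself sends (arriving on dmz_if) are never matched by it.
rdr on $lan_if proto tcp from $lan_net to any port 1863 -> $msn_proxy port 1863

# Do not NAT between the two internal networks; the proxy then logs real client
# addresses and its replies route back through the firewall unchanged.
# (Only needed if a broader nat rule on these interfaces exists.)
no nat on $dmz_if from $lan_net to $dmz_net
no nat on $lan_if from $dmz_net to $lan_net

# Only the proxy reaches the Internet on 1863/TCP, using the WAN address.
nat on $wan_if proto tcp from $msn_proxy to any port 1863 -> ($wan_if)

# Filter rules (pf evaluates them against the already-translated destination).
pass in quick on $lan_if proto tcp from $lan_net to $msn_proxy port 1863 keep state
pass in quick on $dmz_if proto tcp from $msn_proxy to any port 1863 keep state
block in quick on $lan_if proto tcp from $lan_net to any port 1863
```

    Because the client and the proxy are on different interfaces, the proxy's reply always traverses the firewall, which is what makes the single-interface case fail: with client and proxy on the same LAN segment, the proxy would answer the client directly from its own address while the client still expects the reply from the original destination, so the connection never completes unless the firewall also rewrites the source, which is the hairpin NAT observed in the first post.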



  • Jimp, thanks, it worked perfectly. Is that a characteristic of pfSense or a conceptual TCP/IP problem? I haven't tested the initial setup with regular iptables or any other firewall, so that's why I'm trying to elaborate on the problem a little more.


  • Rebel Alliance Developer Netgate

    It's a limitation in the underlying firewall software, but it's also considered a best practice to keep such a server in a separate trusted subnet away from untrusted clients.

