Port forward
-
2.0-BETA4 (i386) built on Tue Aug 17 04:34:37 EDT 2010 FreeBSD 8.1-RELEASE
Although I have successfully done other NATs and port forwards in the past, the NAT screen is confusing me a bit for this problem.
I want all traffic from a single (ADD: remote internet IP (AKA source)) to be NAT'd to a single internal IP.
So I select source advanced, type single host and put in the IP - good so far.
Source port - any also good.
Destination - well I guess its my sole IP WAN address.
Destination port - Here is the first problem. There is no 'any' here. ???
Redirect target IP - easy 192.168.5.200
Redirect Target port - Second problem. No 'any'. I just want all traffic from a single internet address to be redirected to 192.168.5.200
I'm obviously missing something, or a lot of things.
How do I configure for this situation?
Single internet IP redirected all ports to 192.168.5.200
?????
-
For the destination port, you should be able to add a port range. If you do, the redirect port is just the first port in the range and it figures out the rest.
-
For the destination port, you should be able to add a port range. If you do, the redirect port is just the first port in the range and it figures out the rest.
OK - thanks - that worked.
-
This is what 1:1 mapping is for!
-
Err…no.
1:1 mapping forwards all traffic from anywhere.
I just want it forwarded IF it comes from a certain, single IP
-
This is what firewall rules are for.
NAT: forward ports. To forward all ports (as you described in your first post) you should use 1:1 NAT.
Firewall: limit access. (what you want in your last post? but you describe it differently in your first post)
-
Sorry. I rehashed this a few times and had other questions whilst it was on my mind. So it might appear a bit disjointed, but I'm trying to understand.
I must be looking at it differently.
To me NAT = Network Address Translation is mapping or remapping, if you like, one address space to another. e.g. Changing a public IP address to a private IP address.
Port forwarding is, well, port forwarding. e.g. mapping port 80 to 8080. Two different things, but often used together. You can port forward without NAT and you can NAT without port forwarding.
In fact, that's something that has puzzled me about pfsense. What is the point of duplicating port settings in the NAT section when it's the rules section that has the final say?
An example. Why allow/specify a port range in the NAT section e.g. 1500-1600, only to disallow it in the rules section? Why not just NAT and let the rules allow, reject or deny?
Loading?
From what I have read about your 1:1 mapping (aka bidirectional mapping) "If you add a 1:1 NAT entry for any of the interface IPs on this system, it will make this system inaccessible on that IP address. i.e. if you use your WAN IP address, any services on this system (IPsec, OpenVPN server, etc.) using the WAN IP address will no longer function."
I don't want to send all the internet to a single computer like this.
Oh…I updated my first post with what I meant to say for clarity. Not sure it helps though, as I had thought it was explained when I mentioned selecting the source IP.
Let me restate what I want to do.
I want to create a special rule/path for one remote IP (that's someone, remotely, who is going to be connecting to my firewall). So I want to check the source address (i.e. their IP); if it matches, then NAT that connection to a single computer on a private address. All other connections from other remote IPs will be dealt with according to my current rules or rejected by the default rule.
-
Port forwards and firewall rules are separate because many times you want to write firewall rules without any related port forward, in a bridged setup this is very common.
-
There are 4 sets of rules.
Firewall --> NAT --> Outbound
Here you can specify rules for how traffic should be NATed.
The default rules NAT everything to an interface if it has a gateway defined (aka it's a WAN).
Firewall --> NAT --> Port Forward
These are the normal port forwards.
Firewall --> NAT --> 1:1
These rules are to effectively map one address space into another.
Inbound traffic is mapped to a server and outbound traffic is mapped to the specified VIP.
You cannot use your primary WAN to 1:1 NAT since some services are already running on the WAN.
This is usually used if you have multiple public IPs (or if you want to map one private address space into another; that case is used together with an outbound rule).
Firewall
The firewall rules. They control who can access what, regardless of any other rules.
The reason why these rules are not tied together is that there are a ton of applications where you need to combine different rules to achieve what you want.
Examples:
Allow access to your server only during office times.
--> You need a NAT rule to access the servers, but need scheduled firewall rules to allow access dependent on time.
As already mentioned above: map one private subspace into another, because maybe multiple offices share the same subnet.
Combine 1:1 NAT with outbound rules.
-
What sun-sense wants to do, is create a NAT port forwarding rule to forward all external traffic from anywhere to the internal IP and port he wants the remote user to access. Then set a firewall rule on the WAN to allow access from only that remote IP that is supposed to be allowed. This will block all other traffic (you should be able to just edit the automatically created firewall rule made when creating the NAT port forward).
The only thing I'm not aware of a way to handle is forwarding some remote IPs to one internal machine at a particular port, and then forwarding other (or "any other") remote machines accessing the same port to a different internal destination machine and/or port. Technically this should be possible, but I'm not aware of how to set it up from the pfSense GUI. I may just not have figured it out (haven't tried).
The other answers here are correct from a technical explanation perspective, I'm just addressing the specific setup the question was about. The GUI is set up the way it is to allow as much possibility for as many different situations as possible, which may include multiple public and private IPs and networks, and multiple interfaces. The rules need to be very flexible to handle all possible use cases. They can get pretty wild!
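The same setup written out as a raw pf.conf fragment, added here as an illustration; it is not taken from the thread and is not the ruleset pfSense generates. It ties together danswartz's port-range tip (redirect port = first port of the range), the translation/filter split described in the four-sets-of-rules post above, and the source restriction at both stages that this post and the original question are after. The WAN interface em0, the allowed remote host 203.0.113.10 and the 1:1 VIP 203.0.113.42 are assumptions; 192.168.5.200 and the 1500-1600 range come from the thread. pf on FreeBSD 8.1 (which this pfSense build runs on) still uses the separate rdr/binat translation rules shown here; newer pf folds translation into pass/match rules with rdr-to.

```pf
# Hypothetical pf.conf fragment (not pfSense's generated /tmp/rules.debug).
# Assumed values: WAN interface em0 and the single allowed remote host
# 203.0.113.10; 192.168.5.200 and ports 1500-1600 are from the thread.
ext_if = "em0"
remote = "203.0.113.10"
server = "192.168.5.200"

# 1) Translation stage (GUI: Firewall -> NAT -> Port Forward).
#    Source is a single host, destination is the WAN address with a port
#    range, and the redirect port is only the first port of that range:
#    "1500:*" tells pf to map the rest sequentially (1501 -> 1501, ...).
#    Packets from any other source are simply not translated.
rdr on $ext_if proto { tcp udp } from $remote to ($ext_if) port 1500:1600 \
    -> $server port 1500:*

# 1:1 NAT (GUI: Firewall -> NAT -> 1:1) would instead be a binat rule that
# maps every port in both directions and needs its own public VIP
# (203.0.113.42 is assumed). It carries no source restriction, which is
# why it is the wrong tool for "only from this one remote IP".
# binat on $ext_if from $server to any -> 203.0.113.42

# 2) Filter stage (GUI: Firewall -> Rules -> WAN). Filter rules are
#    evaluated after translation, so the pass rule must match the
#    translated (internal) destination, not the WAN address. Repeating the
#    source restriction here is what keeps the forward closed to everyone
#    else even if the rdr rule had been written with "from any".
block in log on $ext_if
pass in quick on $ext_if proto { tcp udp } from $remote to $server \
    port 1500:1600 keep state
```

To check the fragment without loading it, run `pfctl -nf /path/to/file` (parse only); the "block in log" line is what produces the firewall log entries the original poster relied on to confirm that nothing from other sources gets through.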
-
What sun-sense wants to do, is create a NAT port forwarding rule to forward all external traffic from anywhere to the internal IP and port he wants the remote user to access.
Ugh..no. Not from anywhere.
But as I followed Danswartz's suggestion and responded that it worked on August 18, 2010, 11:01:51 am, it's a moot point.
The limited testing I have done so far shows:
a) I can access that internal computer from the remote IP.
b) I can't access that internal computer from anywhere else remotely.
c) I can still access other servers from where I want to remotely.
d) Security scans from other locations show no other ports open, that shouldn't be open.
e) Firewall logs and packet capture logs show everything working as expected with nothing getting through that shouldn't.
I'm already refining my port range to something more suitable. I was just testing as I was having issues connecting due to unknown ports blocked and the logs were not showing any rejections originally.
-
Odd. Glad you have it working…I didn't mean "anywhere" but rather your NAT rule can only be defined with a source interface and not more specific (thus "from anywhere, as long as it's on this interface"), and further restrictions are at the firewall rule level.