• I'm running 2.0-RC1 (i386) built on Sat Feb 26 15:30:26 EST 2011.

    I have servers at an office and at a datacenter.  The office and datacenter LANs are connected by a 100 Mb/s circuit.  Office and datacenter each have their own internet service, so machines at the datacenter have a different default gateway than machines at the office.  I want to open ports on pfSense at the office so internet users can hit daemons on machines at the datacenter.  I can't just forward the ports from the office router to the datacenter IPs because the datacenter machines' default route is not the office's ISP.  I think I have to use a relayd relay to act as a proxy for this, right?

    On pfSense I have enabled a pool and a virtual server but that appears to just create a relayd redirection.

    I assume I should not edit /var/etc/relayd.conf directly since it is recreated when pfSense reboots, correct?  How do I create a relayd relay?


  • Rebel Alliance Developer Netgate

    No need for relayd there.

    Just use a port forward and add an outbound NAT rule on the LAN side that will NAT the traffic heading toward that server to an IP on the LAN (either the firewall's LAN IP, or another VIP you have on the LAN subnet).

    EDIT: Note that you'll have to switch to manual outbound NAT in order to add that rule and have it work.

  • Thanks!  Do I need a Virtual IP also?

  • Rebel Alliance Developer Netgate

    Only if you want the traffic to come from a different IP than the LAN IP of the firewall.

    You lose the source IP in the process, because of the NAT, so you might want to put that on another IP just so it's easy to distinguish.

  • Not working yet.  Can you give me a little more detail on how to accomplish this?  I'm trying to forward port 3389 (RDP) to a machine on  My pfSense firewall is on with, say, public ip  I have selected "AON - Advanced Outbound NAT".  I can successfully forward ports to other machines on the LAN as long as they're using the pfSense LAN IP as the default gateway so I know things are working otherwise.

    Is the NAT port forward set up just like any other would be? (interface=WAN, Destination Type=any, redirect port range=3389-3389, redirect target ip=, target port=3389)

    What about the outbound mapping?  Should the source and destination types be "any" or "network"?  Translation is what?  "any"?  How about checking that "static port" box?


  • Rebel Alliance Developer Netgate

    You're close. On that last rule, make the source IP and port "any", the destination, destination port 3389, NAT port "any".
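    For readers who want to see what the two GUI rules described in this thread amount to underneath, here is a constructed pf rule fragment (not from the thread, and not pfSense's actual generated ruleset). Interface names and all addresses are placeholders, since the real ones are missing from the posts.

    ```pf
    # Constructed illustration of the port forward plus hairpin outbound NAT
    # discussed above. Interface names and addresses are placeholders.
    wan_if  = "em0"            # placeholder WAN interface
    lan_if  = "em1"            # placeholder LAN interface
    wan_ip  = "203.0.113.10"   # placeholder public IP on the office pfSense
    lan_ip  = "10.1.0.1"       # placeholder pfSense LAN IP (a LAN VIP works too)
    dc_host = "10.2.0.20"      # placeholder datacenter host whose default gateway is NOT pfSense

    # 1. Port forward (Firewall > NAT > Port Forward, interface WAN):
    #    inbound RDP on the public IP is redirected to the datacenter host.
    rdr on $wan_if proto tcp from any to $wan_ip port 3389 -> $dc_host port 3389

    # 2. Outbound NAT on LAN (requires manual / AON mode). Source IP and port
    #    "any", destination $dc_host port 3389, NAT port "any". The host now
    #    sees the connection coming from pfSense's LAN IP and replies to it,
    #    so the return path goes through the firewall even though the host's
    #    default gateway is the datacenter ISP. The original client IP is lost.
    nat on $lan_if proto tcp from any to $dc_host port 3389 -> $lan_ip

    # Dropping "port 3389" here covers every future forward to $dc_host with one
    # rule, at the cost of also NATing LAN-to-host traffic that did not need it.

    # 3. Filter rule pfSense adds for each forward; pf evaluates it after the
    #    rdr translation, hence the translated destination.
    pass in quick on $wan_if proto tcp from any to $dc_host port 3389
    ```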

  • Looks like that did it.  Thanks a lot for the help!

  • I originally created a port forward to machine "A" on my LAN which uses pfSense as its default gateway.  It worked.  I next created a port forward to machine "B" which uses a different default gateway and it didn't work.  I selected "AON - Advanced Outbound NAT" and added a mapping so the daemon on "B" could be reached.  Now A and B both work.  I added another port forward to machine "C" which, like box "A", uses pfSense as its default gateway.  It didn't work.  I can only think this is because with AON selected "no outbound NAT rules will be automatically generated any longer".  I presume an outbound rule specific to "A" was automatically generated when I first forwarded to "A" before selecting AON.

    Where is that rule held?

    If I could see that rule I could more easily duplicate it for "C".  Nothing specific to the "A" forward was added to Outbound Mappings so I can only assume it's stored elsewhere.

    Thought perhaps I can't access "C" because there is a firewall rule permitting me to hit "A" which is not in place for "C".  Took a look and it appears that an identical firewall rule has been automatically generated for each forwarded port.

    The Cisco RVS4000 will by default forward ports to machines not using it as the default gateway.  Can pfSense (or relayd?) be made to behave that way too?


  • Rebel Alliance Developer Netgate

    Normally when switching from Auto to Manual, it populates the rule list automatically with the equivalent set of rules. On 2.0 it does a much better job of that.

    Outbound rules would have only been generated on connections with gateways selected (meaning WAN-types).

  • Is that auto-populating not working?  Because the "A" forward was in place when I changed and the attached image is of the only mappings I see.  All my Port Forwards have If=WAN.

  • Rebel Alliance Developer Netgate

    Then there was no outbound NAT for that. Outbound NAT wouldn't have anything to do with a normal port forward, so it probably wasn't doing any.

  • Just realized that if I change my dest port in my outbound NAT rule to "any" I don't need a rule for each port forward I add.  Fantastic.  I thought I was going to have to add an outbound entry for each port forward when in fact I just need this one…

  • Rebel Alliance Developer Netgate

    That will NAT things that may not need it, though, not just things that don't have the gateway set. That's up to you though.