    Creating relayd relays instead of redirections?

    2.0-RC Snapshot Feedback and Problems - RETIRED
    13 Posts 2 Posters 4.0k Views
    Snidely Whiplash

      I'm running 2.0-RC1 (i386) built on Sat Feb 26 15:30:26 EST 2011.

      I have servers at an office and at a datacenter.  The office and datacenter LANs are connected by a 100mb/s circuit.  Office and datacenter each
      have their own internet service so machines at the datacenter have a different default gateway than machines at the office.  I want to open ports
      on pfSense at the office so internet users can hit daemons on machines at the datacenter.  I can't just forward the ports from
      the office router to the datacenter IPs because the datacenter machines' default route is not the office's ISP.  I think I have to use a relayd relay to act as a proxy for this, right?

      On pfSense I have enabled a pool and a virtual server but that appears to just create a relayd redirection.

      I assume I should not edit /var/etc/relayd.conf directly since it is recreated when pfSense reboots, correct?  How do I create a relayd relay?

      Thanks,
      Andrew

      jimp (Rebel Alliance Developer Netgate)

        No need for relayd there.

        Just use a port forward and add an outbound NAT rule on the LAN side that will NAT the traffic heading toward that server to an IP on the LAN (either the firewall's LAN IP, or another VIP you have on the LAN subnet).

        EDIT: Note that you'll have to switch to manual outbound NAT in order to add that rule and have it work.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Snidely Whiplash

          Thanks!  Do I need a Virtual IP also?

          jimp (Rebel Alliance Developer Netgate)

            Only if you want the traffic to come from a different IP than the LAN IP of the firewall.

            You lose the source IP in the process, because of the NAT, so you might want to put that on another IP just so it's easy to distinguish.

            Snidely Whiplash

              Not working yet.  Can you give me a little more detail on how to accomplish this?  I'm trying to forward port 3389 (RDP) to a machine on 192.168.3.6.  My pfSense firewall is on 192.168.3.254 with, say, public IP 123.123.123.123.  I have selected "AON - Advanced Outbound NAT".  I can successfully forward ports to other machines on the LAN as long as they're using the pfSense LAN IP as the default gateway, so I know things are working otherwise.

              Is the NAT port forward set up just like any other would be? (interface=WAN, Destination Type=any, redirect port range=3389-3389, redirect target ip=192.168.3.6, target port=3389)

              What about the outbound mapping?  Should the source and destination types be "any" or "network"?  Translation is what?  "any"?  How about checking that "static port" box?

              Thanks!
              Andrew

              jimp (Rebel Alliance Developer Netgate)

                You're close. On that last rule, make the source IP and port "any", the destination 192.168.3.0/24, destination port 3389, NAT port "any".

                  Snidely Whiplash

                  Looks like that did it.  Thanks a lot for the help!
                  -Andrew

                    Snidely Whiplash

                    I originally created a port forward to machine "A" on my LAN which uses pfSense as its default gateway.  It worked.  I next created a port forward to machine "B" which uses a different default gateway and it didn't work.  I selected "AON - Advanced Outbound NAT" and added a mapping so the daemon on "B" could be reached.  Now A and B both work.  I added another port forward to machine "C" which, like box "A", uses pfSense as its default gateway.  It didn't work.  I can only think this is because with AON selected "no outbound NAT rules will be automatically generated any longer".  I presume an outbound rule specific to "A" was automatically generated when I first forwarded to "A" before selecting AON.

                    Where is that rule held?

                    If I could see that rule I could more easily duplicate it for "C".  Nothing specific to the "A" forward was added to Outbound Mappings so I can only assume it's stored elsewhere.

                    Thought perhaps I can't access "C" because there is a firewall rule permitting me to hit "A" which is not in place for "C".  Took a look and it appears that an identical firewall rule has been automatically generated for each forwarded port.

                    The Cisco RVS4000 will by default forward ports to machines not using it as the default gateway.  Can pfSense (or relayd?) be made to behave that way too?

                    Thanks,
                    Andrew

                      jimp (Rebel Alliance Developer Netgate)

                      Normally when switching from Auto to Manual, it populates the rule list automatically with the equivalent set of rules. On 2.0 it does a much better job of that.

                      Outbound rules would have only been generated on connections with gateways selected (meaning WAN-types).

                        Snidely Whiplash

                        Is that auto-populating not working?  Because the "A" forward was in place when I changed, and the attached image is of the only mappings I see.  All my Port Forwards have If=WAN.

                          jimp (Rebel Alliance Developer Netgate)

                          Then there was no outbound NAT for that. Outbound NAT wouldn't have anything to do with a normal port forward, so it probably wasn't doing any.

                            Snidely Whiplash

                            Just realized that if I change my dest port in my outbound NAT rule to "any" I don't need a rule for each port forward I add.  Fantastic.  I thought I was going to have to add an outbound entry for each port forward when in fact I just need this one…

                              jimp (Rebel Alliance Developer Netgate)

                              That will NAT things that may not need it, though, not just things that don't have the gateway set. That's up to you though.

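The reason jimp's outbound NAT rule ("source any, destination 192.168.3.0/24, destination port 3389, NAT port any") fixes the forward to 192.168.3.6, and why the later "destination port any" variant also NATs traffic that did not need it, comes down to which way the server's reply packet goes. The model below is an added illustration written for this thread, not pfSense or relayd code: it takes the addresses the thread quotes (192.168.3.254 for the pfSense LAN side, 192.168.3.6 for host "B") and constructs the rest (the datacenter-side gateway 192.168.3.1, the addresses of hosts "A" and "C", an internet client in TEST-NET-2). It only models gateway selection and the source rewrite, not firewall rules or the auto-populated rule lists discussed above.

```python
"""Asymmetric-return model for a port forward to a LAN host whose default
gateway is not the firewall, and the effect of an outbound (source) NAT
rule on the LAN interface.  Added illustration; addresses marked
'constructed' are not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.3.0/24")
PFSENSE_LAN_IP = "192.168.3.254"     # from the thread
DC_GATEWAY = "192.168.3.1"           # constructed: datacenter-side router on the LAN
INTERNET_CLIENT = "198.51.100.7"     # constructed: a client out on the internet


@dataclass(frozen=True)
class Host:
    ip: str
    gateway: str                     # default gateway this host actually uses


@dataclass(frozen=True)
class OutboundNatRule:
    """One manual (AON) outbound NAT entry on the LAN interface, in the shape
    jimp describes: source any, destination 192.168.3.0/24, a destination
    port (None models the GUI's "any"), translated to the firewall LAN IP."""
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]
    translate_to: str = PFSENSE_LAN_IP

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(dst_ip) in self.dst_net
                and (self.dst_port is None or self.dst_port == dst_port))


def next_hop(host: Host, dst_ip: str) -> str:
    """A host sends directly to on-LAN destinations, otherwise to its gateway."""
    return dst_ip if ipaddress.ip_address(dst_ip) in LAN else host.gateway


def forward(server: Host, port: int, client_ip: str, nat_rules: tuple = ()) -> dict:
    """Simulate one inbound connection: client -> WAN port forward -> server.
    Reports the source IP the server saw and whether its reply comes back
    through pfSense.  Only then does the firewall's state table see the
    reply and the connection actually work."""
    src_seen = client_ip                   # the port forward alone leaves the source untouched
    natted = False
    for rule in nat_rules:                 # first matching LAN outbound rule wins
        if rule.matches(server.ip, port):
            src_seen, natted = rule.translate_to, True
            break
    reply_hop = next_hop(server, src_seen)
    return {"source_seen_by_server": src_seen,
            "natted": natted,
            "works": reply_hop == PFSENSE_LAN_IP}


A = Host("192.168.3.10", PFSENSE_LAN_IP)   # constructed: pfSense is its gateway
B = Host("192.168.3.6", DC_GATEWAY)        # from the thread: other default gateway
C = Host("192.168.3.20", PFSENSE_LAN_IP)   # constructed: like A, forwarded on another port

RULE_3389 = OutboundNatRule(LAN, 3389)     # jimp's rule: only RDP traffic is NATed
RULE_ANY_PORT = OutboundNatRule(LAN, None) # Andrew's later variant: every forward is NATed

if __name__ == "__main__":
    for label, rules in (("no outbound NAT", ()),
                         ("dst port 3389", (RULE_3389,)),
                         ("dst port any", (RULE_ANY_PORT,))):
        print(f"--- {label} ---")
        for name, host, port in (("A", A, 3389), ("B", B, 3389), ("C", C, 8080)):
            print(name, forward(host, port, INTERNET_CLIENT, rules))
```

Running it shows the three situations from the thread in one table: without any outbound rule, "B" replies toward 192.168.3.1 and the connection dies; with jimp's port-3389 rule, "B" sees 192.168.3.254 as the client, answers it directly on the LAN, and the forward works, while a forward to "C" on another port is left alone; with "destination port any", every forwarded connection is rewritten, so hosts that already route through pfSense also stop seeing the real client address, which is jimp's closing caveat.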
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.