Server publishing (ISA/TMG equivalent) via Destination & Source NAT
-
Could someone please evaluate the strategy I'm taking here to make sure it doesn't open any gaping security holes?
It took me a good many hours of research and tinkering, but I was finally able to forward ports to internal servers which do not use pfsense as their gateway. Hope this guide helps someone else using pfsense as a backup, or transitioning from ISA/TMG. This will allow you to forward ports (RDP - 3389, for example) to an internal server/desktop using another gateway. DISCLAIMER: Access logs will show the pfsense as the originating address, which could be a problem if you are trying to track down malicious traffic. Also, setting the outbound mode to normal will probably kill your outbound NAT for clients using pfsense as an internet gateway.
-Firewall -> NAT -> Outbound: Set mode to Manual
-Firewall -> NAT -> Port Forward -> Add
-Interface: WAN
-Destination: WAN Address
-Destination port range: Your outside port (MS RDP in my case)
-Redirect Target IP: Internal server ip address (192.168.0.20)
-Redirect Target Port: Your inside port (MS RDP)
-Filter rule association: Create new
-Save
-Firewall -> NAT -> Outbound -> Add
-Interface: LAN
-Protocol: Any
-Source: Any
-Destination: Your internal server IP (192.168.0.20/32)
-Destination port: Your internal server port (3389)
-Translation Address: Interface address
-Save

It's just that easy! This should also work for redirecting a nonstandard outside port to a standard inside port (i.e. 128.100.100.128:33389 -> 192.168.0.20:3389). Just change the port under the Port Forward destination port range. Good luck!
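For anyone reviewing what the two GUI rules above actually produce, here is the equivalent written out as pf rules (an added example, not from the original post and not pfSense's generated ruleset). It assumes the WAN interface is em0, the LAN interface is em1, and the same 192.168.0.20:3389 target from the post; pfSense normally writes these rules for you, so this is only to show why both halves are needed. The rdr rule rewrites the destination (the port forward); the nat rule on LAN rewrites the source to the pfSense LAN address so the server's reply comes back through pfSense instead of its own default gateway, which is exactly why the server's own logs will only ever show the pfSense address. The pass rule is where to limit exposure: restricting the source to a known address range instead of any keeps a forwarded RDP port from being reachable from the whole internet, and the pfSense firewall log (not the server's) is where the real client address is recorded.

```pf
# Added example: pf rules equivalent to the pfSense GUI steps in the post.
# Assumed interface names; adjust to match the box.
wan = "em0"
lan = "em1"
rdp_server = "192.168.0.20"
rdp_port = "3389"
# Assumed/constructed: the address range allowed to reach the forwarded port.
# Using "any" here is what makes the service reachable from the whole internet.
allowed_src = "203.0.113.0/24"

# Destination NAT (the Port Forward rule): WAN address:3389 -> internal server:3389.
rdr on $wan proto tcp from any to ($wan) port $rdp_port -> $rdp_server port $rdp_port

# Source NAT (the manual Outbound NAT rule on LAN): rewrite the client's source
# address to the pfSense LAN address so the server replies back to pfSense even
# though pfSense is not its default gateway.
nat on $lan proto tcp from any to $rdp_server port $rdp_port -> ($lan)

# Filter rule (the "Create new" filter rule association), evaluated after rdr,
# so it matches the already-translated destination. Limit the source where possible.
pass in quick on $wan proto tcp from $allowed_src to $rdp_server port $rdp_port flags S/SA keep state
```

Note that because the nat rule applies to any source hitting the server on that port, LAN clients connecting to 192.168.0.20:3389 through pfSense will also appear to come from the pfSense LAN address; if that is unwanted, narrow the nat rule's source to the WAN-originated traffic only.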