Port forwarding possible in my setup

  • Hi there. I have a setup where I use public IPs on both sides of pfSense. The WAN side is using a single address, and from the outside all the LAN side public IPs are routed to the single WAN address (gateway).

    Packets from the outside travel this way:
    Internet -> WAN IP gateway (pfSense) -> firewall (pfSense) -> LAN IP (server)

    Unfortunately I don't use CARP or virtual IPs as I wasn't able to get it working in the early days.

    Anyway, I now have a need for forwarding specific ports (or possibly everything) from the internal LAN IPs to another ISP outside the LAN subnet.

    Any ideas on how I could do that?

  • When you say you need to forward ports from the Internal LAN to an external IP, exactly what do you mean? Do you want people who connect to your IP to then be redirected to another ISP?

  • I mean forward packets to another address - I don't know if "redirected" is the right term for this.

    This is the setup expressed in pseudo addresses.

    A1 is a pfSense WAN address, and it works as the gateway address for both B1 and B2. So a request for B1 will be routed through A1.
    Now when someone tries to hit B1, I want to forward the packets to X3, which is an arbitrary internet address.
    All the IPs are public if that matters (no private ranges).

    pfSense WAN IP: A1
    pfSense LAN server1: B1
    pfSense LAN server2: B2
    ISP server: X3

    Currently I'm forwarding the ports directly on the B1 server, which works fine. But I'd like to get it to work with pfSense, as I can then shut down the server.

  • You could, but as the responses will come back from X3, most firewalls will then discard the packets.

  • I've done exactly the same with IPCop many years ago. No firewall rules or anything to set up. I think IPCop was allowing all responses where it had initiated the TCP connection, which means that it would automatically let the X3 responses through.

    I have no idea on how to do it with pfSense with the setup I'm running now. Most port forwarding documentation on pfSense describes how you do it with virtual IPs - but I can't do this without asking my ISP not to route B1 and B2 to pfSense.

  • The trouble isn't the local firewall - it's the remote one. Packets will go out to your WAN IP and come back from another - any stateful firewall will then drop them.

  • Maybe I misunderstand something then. How come that I on the LAN server (with a public IP) can do port forwarding seamlessly? Why is pfSense unable to do what the LAN server is doing?

    I mean the LAN server is getting a packet from X and forwards this to Y, gets the response and sends it back to X.
    pfSense could get the packet from X, figure out it was for the LAN server, forward it to Y, get the response and send it back to X.

    I must have overlooked something :-)

  • If you're re-writing the source address, on your LAN server, then you could get it to work - and that may be what you're doing. Just port forwarding however won't work.
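
The difference the last replies describe, as an added example that is not part of the original thread: a small simulation of the client's stateful firewall when the forwarder rewrites only the destination versus when it also rewrites the source. The addresses are constructed stand-ins for the thread's X, B1 and X3, and the class and function names are hypothetical.

```python
# Constructed addresses (documentation ranges) for the thread's pseudo names.
X, B1, X3 = "198.51.100.10", "203.0.113.11", "192.0.2.33"

class StatefulFirewall:
    """Client-side firewall: admits inbound packets only for flows it saw leave."""
    def __init__(self):
        self.states = set()

    def outbound(self, pkt):
        self.states.add(pkt)  # pkt = (src, sport, dst, dport)

    def inbound_allowed(self, pkt):
        src, sport, dst, dport = pkt
        # A reply must be the exact mirror image of a recorded outbound flow.
        return (dst, dport, src, sport) in self.states

class Forwarder:
    """Stands in for B1, or pfSense answering for B1 (assumed behaviour)."""
    def __init__(self, rewrite_source):
        self.rewrite_source = rewrite_source
        self.nat = {}  # forwarder-side port -> original (client ip, client port)

    def forward(self, pkt):
        src, sport, _dst, dport = pkt
        if not self.rewrite_source:
            return (src, sport, X3, dport)  # destination rewritten only
        self.nat[sport] = (src, sport)      # remember who really asked
        return (B1, sport, X3, dport)       # source rewritten as well

    def reverse(self, pkt):
        _src, sport, _dst, dport = pkt      # reply arriving from X3 at B1
        client_ip, client_port = self.nat[dport]
        return (B1, sport, client_ip, client_port)

def simulate(rewrite_source):
    """Return (reply packet reaching X, whether X's firewall accepts it)."""
    fw, fwd = StatefulFirewall(), Forwarder(rewrite_source)
    request = (X, 40000, B1, 80)
    fw.outbound(request)
    at_x3 = fwd.forward(request)
    # X3 answers whatever source address it saw on the request.
    reply = (at_x3[2], at_x3[3], at_x3[0], at_x3[1])
    if reply[2] == B1:                      # reply went back via the forwarder
        reply = fwd.reverse(reply)
    return reply, fw.inbound_allowed(reply)

if __name__ == "__main__":
    print("destination rewrite only:", simulate(False))
    print("with source rewrite:     ", simulate(True))
```

With only the destination rewritten, the reply reaches X with X3 as its source and matches no state; with the source rewritten too, the reply returns through B1 and mirrors the original flow.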
