Netgate Discussion Forum
    Portforwarding possible in my setup

NAT
KPE

Hi there. I have a setup where I use public IPs on both sides of pfSense. The WAN side is using a single address, and from the outside all the LAN side public IPs are routed to the single WAN address (gateway).

Packets from the outside travel this way:
Internet -> WAN IP gateway (pfSense) -> firewall (pfSense) -> LAN IP (server)

Unfortunately I don't use CARP or virtual IPs as I wasn't able to get it working in the early days.

Anyway, I now have a need for forwarding specific ports (or possibly everything) from the internal LAN IPs to another ISP outside the LAN subnet.

Any ideas on how I could do that?
Cry Havok

When you say you need to forward ports from the Internal LAN to an external IP, exactly what do you mean? Do you want people who connect to your IP to then be redirected to another ISP?
KPE

I mean forward packets to another address - I don't know if "redirected" is the right term for this.

This is the setup expressed in pseudo addresses.

A1 is a pfSense WAN address, and it works as the gateway address for both B1 and B2. So a request for B1 will be routed through A1.
Now when someone tries to hit B1, I want to forward the packets to X3, which is an arbitrary internet address.
All the IPs are public if that matters (no private ranges).

pfSense WAN IP: A1
pfSense LAN server1: B1
pfSense LAN server2: B2
ISP server: X3

Currently I'm forwarding the ports directly on the B1 server, which works fine. But I'd like to get it to work with pfSense, as I can then shut down the server.
Cry Havok

You could, but as the responses will come back from X3, most firewalls will then discard the packets.
KPE

I've done exactly the same with IPCop many years ago. No firewall rules or anything to set up. I think IPCop was allowing all responses where it had initiated the TCP connection, which means that it would automatically let the X3 responses through.

I have no idea how to do it with pfSense with the setup I'm running now. Most port forwarding documentation on pfSense describes how you do it with virtual IPs - but I can't do this without asking my ISP not to route B1 and B2 to pfSense.
Cry Havok

The trouble isn't the local firewall - it's the remote one. Packets will go out to your WAN IP and come back from another - any stateful firewall will then drop them.
KPE

Maybe I misunderstand something then. How come I can do port forwarding seamlessly on the LAN server (with a public IP)? Why is pfSense unable to do what the LAN server is doing?

I mean the LAN server is getting a packet from X and forwards this to Y, gets the response and sends it back to X.
pfSense could get the packet from X, figure out it was for the LAN server, forward it to Y, get the response and send it back to X.

I must have overlooked something :-)
Cry Havok

If you're re-writing the source address, on your LAN server, then you could get it to work - and that may be what you're doing. Just port forwarding however won't work.
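The point Cry Havok makes in the last two replies (a plain destination rewrite sends the reply back from X3, which the client's stateful firewall has no state for; rewriting the source as well routes the reply through pfSense, which can undo the translation) can be shown with a small simulation. This is an added example, not code from the thread or from pfSense: it models the client's state table and pfSense's NAT table with the thread's placeholder addresses A1, B1 and X3 plus a constructed client address and constructed port numbers, and compares a destination-only rewrite with destination-plus-source rewriting.

```python
from dataclasses import dataclass, replace

# A1, B1, X3 are the thread's placeholders; CLIENT is a constructed address
# for the outside host that connects to B1. Ports are constructed as well.
A1, B1, X3, CLIENT = "A1", "B1", "X3", "CLIENT"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet a server answers with: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    """The client's firewall: an inbound packet is accepted only if it is the
    mirror image of a flow the firewall saw leave (ordinary state tracking)."""

    def __init__(self):
        self.states = set()

    def outbound(self, pkt):
        self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound_allowed(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states


class ForwardingFirewall:
    """pfSense in the thread: rewrites the destination (port forward) and,
    optionally, the source to its WAN address (outbound NAT)."""

    def __init__(self, wan_ip, forwards, rewrite_source):
        self.wan_ip = wan_ip
        self.forwards = forwards            # {public address: external target}
        self.rewrite_source = rewrite_source
        self.next_port = 50000              # constructed NAT port range
        self.translations = {}              # reply 4-tuple -> original packet

    def forward(self, pkt):
        target = self.forwards.get(pkt.dst)
        if target is None:
            return pkt                      # not a forwarded address
        out = replace(pkt, dst=target)
        if self.rewrite_source:
            out = replace(out, src=self.wan_ip, sport=self.next_port)
            self.next_port += 1
        # remember how to undo the rewrite when X3's reply comes back
        self.translations[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def untranslate_reply(self, reply):
        original = self.translations.get(
            (reply.src, reply.sport, reply.dst, reply.dport))
        if original is None:
            return None                     # no matching state
        return original.reply()


def run_flow(rewrite_source):
    """Simulate one request to B1. Returns (reply as the client sees it,
    whether the client's stateful firewall accepts that reply)."""
    client_fw = StatefulFirewall()
    pfsense = ForwardingFirewall(A1, {B1: X3}, rewrite_source)

    request = client_fw.outbound(Packet(CLIENT, 40000, B1, 443))
    sent = pfsense.forward(request)         # what X3 actually receives
    reply = sent.reply()                    # X3 answers whoever it saw as source

    if reply.dst == A1:
        # reply is routed to pfSense, which reverses its translation
        reply = pfsense.untranslate_reply(reply)
    # otherwise X3 answered the client directly, with X3 as the source

    return reply, client_fw.inbound_allowed(reply)


if __name__ == "__main__":
    for mode in (False, True):
        pkt, accepted = run_flow(mode)
        print(f"rewrite source={mode}: client sees {pkt}, accepted={accepted}")
```

With the destination-only rewrite the client receives a packet from X3 although it opened a connection to B1, so its state table rejects it; with the source also rewritten to A1, X3 replies to A1 and pfSense hands the client a packet that looks like it came from B1. On pfSense this corresponds to a port forward whose target is the outside address together with an outbound NAT rule for traffic leaving the WAN toward X3 that translates the source to the WAN address. The trade-off to note is that X3 then sees every connection as coming from A1, so its logs no longer show the real client addresses.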
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.