1:1 NAT port forward oddity

  • I have a virtualized server that I've assigned one of my external IPs to using 1:1 NAT. All of my outbound traffic translates to the address I have selected for it, so that works as intended.

    However… I want to set up an SSH rule that would permit access on port 6500 externally and re-translate to port 22 internally. It works, but much to my surprise I was able to get ssh via port 22 as well  :o

    I'm not sure I've configured everything correctly, but here are the relevant entries:
    1:1 NAT entry

    SSH NAT rule

    I'm thinking this is correct… but still at a loss as to how I can also get there via port 22 as well as 6500!!??

    Running pfSense 2.0-RC1

  • Rebel Alliance Developer Netgate

    You can't pull that off with 1:1 NAT. It will always let in port 22 directly because NAT gets applied before the firewall rules.

    What you need to do is move the port that it's listening on directly in the ssh daemon on that server.

    I haven't tried this, but you could try adding a port forward for 22 (external) to that box's public IP that goes nowhere (a random unused port, an IP that doesn't exist, etc., etc.).

  • Interesting… I did not realize that was a side effect of 1:1 NAT, so now I know and it makes sense :)

    I've reverted back to source based routing and port forwarding, seems to be the better solution for what I am trying to accomplish.
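As an added illustration (not code from the thread or from pfSense itself), here is a small Python model of the inbound path the Netgate developer's reply describes: NAT rewrites the destination first, and the WAN rule a port forward creates is matched against the translated destination (server IP, port 22), so a packet to public:22 rewritten by the 1:1 entry matches it just as well as a packet to public:6500. The addresses are constructed (203.0.113.10 as the public IP, 10.0.0.5 as the server, 10.255.255.254 as the "goes nowhere" target), and the model assumes port forwards take precedence over the 1:1 entry, which is what the black-hole forward relies on. `exposed_ssh_ports` enumerates every external port that lands on sshd for the original configuration, the black-hole workaround, the moved-daemon fix, and the port-forward-only setup the original poster settled on.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"       # constructed: the external address in the 1:1 mapping
INTERNAL_IP = "10.0.0.5"         # constructed: the virtualized server
BLACKHOLE_IP = "10.255.255.254"  # constructed: an address that "goes nowhere"


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


def translate(pkt, nat_rules):
    """Apply inbound NAT and return the rewritten packet.

    Port forwards ("rdr") are checked before the 1:1 mapping ("binat");
    this precedence is an assumption of the model, stated in the lead-in.
    """
    for rule in (r for r in nat_rules if r["kind"] == "rdr"):
        if pkt.dst_ip == rule["ext_ip"] and pkt.dst_port == rule["ext_port"]:
            return Packet(rule["int_ip"], rule["int_port"])
    for rule in (r for r in nat_rules if r["kind"] == "binat"):
        if pkt.dst_ip == rule["ext_ip"]:
            # 1:1 NAT rewrites only the address: every port passes through unchanged
            return Packet(rule["int_ip"], pkt.dst_port)
    return pkt


def filter_allows(pkt, filter_rules):
    """Firewall rules are evaluated against the translated destination."""
    return any(pkt.dst_ip == ip and pkt.dst_port == port for ip, port in filter_rules)


def reaches_sshd(ext_port, nat_rules, filter_rules, sshd_port=22):
    """True if a packet to PUBLIC_IP:ext_port is passed through to the server's sshd."""
    pkt = translate(Packet(PUBLIC_IP, ext_port), nat_rules)
    if not filter_allows(pkt, filter_rules):
        return False
    return pkt.dst_ip == INTERNAL_IP and pkt.dst_port == sshd_port


def exposed_ssh_ports(nat_rules, filter_rules, sshd_port=22):
    """Every external port on PUBLIC_IP that lands on sshd: the check to run
    before calling a forward finished."""
    return {p for p in range(1, 65536)
            if reaches_sshd(p, nat_rules, filter_rules, sshd_port)}


ONE_TO_ONE = {"kind": "binat", "ext_ip": PUBLIC_IP, "int_ip": INTERNAL_IP}
FORWARD_6500 = {"kind": "rdr", "ext_ip": PUBLIC_IP, "ext_port": 6500,
                "int_ip": INTERNAL_IP, "int_port": 22}
# The WAN rule a port forward creates is keyed on the translated destination.
FORWARD_6500_RULE = (INTERNAL_IP, 22)
# The "goes nowhere" forward from the reply: external 22 to an unused address.
BLACKHOLE_22 = {"kind": "rdr", "ext_ip": PUBLIC_IP, "ext_port": 22,
                "int_ip": BLACKHOLE_IP, "int_port": 22}


def original_config():
    """1:1 NAT plus the 6500->22 forward: both 22 and 6500 reach sshd."""
    return exposed_ssh_ports([FORWARD_6500, ONE_TO_ONE], [FORWARD_6500_RULE])


def blackhole_config():
    """Same, plus a forward for 22 that lands on the unused address."""
    return exposed_ssh_ports([FORWARD_6500, BLACKHOLE_22, ONE_TO_ONE],
                             [FORWARD_6500_RULE])


def moved_daemon_config():
    """sshd itself listens on 6500; no port forward is needed at all."""
    return exposed_ssh_ports([ONE_TO_ONE], [(INTERNAL_IP, 6500)], sshd_port=6500)


def port_forward_only_config():
    """No 1:1 entry, only the 6500->22 forward (the setup the poster reverted to)."""
    return exposed_ssh_ports([FORWARD_6500], [FORWARD_6500_RULE])


if __name__ == "__main__":
    print("1:1 NAT + forward:  ", sorted(original_config()))
    print("+ black-hole 22:    ", sorted(blackhole_config()))
    print("sshd moved to 6500: ", sorted(moved_daemon_config()))
    print("port forward only:  ", sorted(port_forward_only_config()))
```

The model only tracks destination address and port, which is enough to show the mechanism: with a 1:1 entry in place, any WAN rule that allows the server's port 22 is reachable through the public address on port 22, regardless of what other forwards exist, so the exposure has to be closed either by a higher-precedence forward or by not running the daemon on that port.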
