Netgate Discussion Forum

    1:1 NAT port forward oddity

    • digilink

      I have a virtualized server that I've assigned one of my external IPs to using 1:1 NAT. All of my outbound traffic translates to the address I have selected for it, so that works as intended.

      However… I am wanting to set up an SSH rule that would permit access on port 6500 externally and re-translate to port 22 internally. It works, but much to my surprise I was able to get ssh via port 22 as well  :o

      I'm not sure I've configured everything correctly, but here are the relevant entries:
      1:1 NAT entry

      SSH NAT rule

      I'm thinking this is correct… but still at a loss as to how I can also get there via port 22 as well as 6500!!??

      Running pfSense 2.0-RC1

      • jimp (Rebel Alliance Developer, Netgate)

        You can't pull that off with 1:1 NAT. It will always let in port 22 directly because NAT gets applied before the firewall rules.

        What you need to do is move the port that it's listening on directly in the ssh daemon on that server.

        I haven't tried this, but you could try adding a port forward for 22 (external) to that box's public IP that goes nowhere (a random unused port, an IP that doesn't exist, etc.).

        • digilink

          Interesting… I did not realize that was a side effect of 1:1 NAT, so now I know and it makes sense :)

          I've reverted back to source-based routing and port forwarding, which seems to be the better solution for what I am trying to accomplish.

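To make jimp's point about evaluation order concrete, here is an added Python model (not pfSense or pf code, and written by neither poster) of inbound processing: translation runs first, and the firewall rules are then matched against the already-translated packet. The addresses, the choice to let a specific port forward win over the 1:1 mapping, and the pass rule pfSense creates for a port forward's translated destination are assumptions of the model; it compares the thread's original setup, the port-forward-only setup the OP settled on, and jimp's suggestion of moving sshd's port.

```python
from dataclasses import dataclass

# Constructed example addresses: the public IP used for the 1:1 NAT and the VM behind it.
EXT, INT = "203.0.113.10", "10.0.0.5"


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int


def translate(pkt, one_to_one, forwards):
    """Inbound translation step. It runs before filtering, as jimp describes for pf.
    Model assumption: a matching port forward is applied before the 1:1 mapping."""
    for ext_port, (int_ip, int_port) in forwards.items():
        if pkt.dst == EXT and pkt.dport == ext_port:
            return Packet(int_ip, int_port)
    if one_to_one and pkt.dst == EXT:
        return Packet(INT, pkt.dport)  # 1:1 NAT rewrites the address for every port
    return pkt  # no translation: the packet is still addressed to the firewall itself


def filter_passes(pkt, pass_rules):
    """Firewall rules see the translated destination, not the original one."""
    return (pkt.dst, pkt.dport) in pass_rules


def reaches_sshd(dport, one_to_one, forwards, pass_rules, sshd_port=22):
    """True if a connection to EXT:dport ends up at the VM on the port sshd listens on."""
    pkt = translate(Packet(EXT, dport), one_to_one, forwards)
    return filter_passes(pkt, pass_rules) and pkt.dst == INT and pkt.dport == sshd_port


# The thread's configuration: 1:1 NAT plus a 6500 -> 22 port forward. Assumption: the
# pass rule created for the forward is keyed on its translated destination (INT, 22).
FWD_6500 = {6500: (INT, 22)}
PASS_SSH = {(INT, 22)}


def original_setup(dport):
    return reaches_sshd(dport, one_to_one=True, forwards=FWD_6500, pass_rules=PASS_SSH)


def port_forward_only(dport):
    """The OP's final setup: outbound NAT plus the single port forward, no 1:1 NAT."""
    return reaches_sshd(dport, one_to_one=False, forwards=FWD_6500, pass_rules=PASS_SSH)


def sshd_moved(dport):
    """jimp's suggestion: keep the 1:1 NAT but have sshd itself listen on 6500."""
    return reaches_sshd(dport, True, forwards={}, pass_rules={(INT, 6500)}, sshd_port=6500)
```

Under the model, only the original setup answers on both 22 and 6500; the other two expose SSH on 6500 alone.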
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.