Port forward to another interface



  • Hello.

    I have pfsense V2.0

    4 ethernets
    LAN -> 192.168.250.0 /24
    WAN -> PPPoE -> xxx.xxx.xxx.xxx (static 1)
    OPT1 -> PPPoE -> yyy.yyy.yyy.yyy (static 2)
    OPT2 -> Static -> 192.168.1.1 (pc connected with crossed cable 192.168.1.254)

    Now, I can ping from lan 192.168.1.254.
    If someone hits the xxx.xxx.xxx.xxx IP at port 5555, I want to port forward him to 192.168.1.254 at port 22 (ssh).

    I created a port forward with automatic rule creation, but it is not working. I wonder if I should do something else because it is a different interface.




  • What is the default gateway of the pfSense?
    Unless it's the gateway connected to the WAN interface, it will probably not work out of the box.

    Also: http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • It is not the WAN Interface  :o



  • Is there no possibility to work with the Opt interface?



  • Can you please clarify from where and on which interface you're connecting, and what the routes (default gateway) on the pfSense are?

    It is possible, but might require a different approach (source NATing).



  • The default gateway is the Opt1 interface, and I want to forward port 5555 from the Opt1 interface to 192.168.1.254, which is connected to the Opt2 interface.

    The Lan interface has 192.168.250.0/24
    The Opt2 Interface has 192.168.1.0/24
    The Opt1 Interface has static pppoe from ISP (default)
    The WAN Interface has static pppoe from ISP (temporarily not used).



  • Ok, like this it should just work out of the box.

    Did you follow the port forward troubleshooting guide?

    If you enable logging for the rule allowing the traffic: do you see it in the log? Do you see anything in the log?



  • I can see a pass!

    Jul 12 16:22:32 4CHANNELSMAIL x.x.x.x:36359 192.168.1.254:22 TCP:S



  • If you look at the traffic with TCP dump (or wireshark on the server) do you see any frames actually going to the server?



  • It is not actually a server but a router. It is a router that does PPPoE passthrough to the Opt1 interface, and port 2 of the router is connected to Opt2 because my provider wants ssh access to the router; this is why I want the port forward this way.



  • Ok, my guess would be that this router might try to answer the incoming connection directly without sending it back over the pfSense.

    To avoid this you can enable source NAT on the pfSense:

    Go to: Firewall --> NAT --> Outbound

    • Enable manual outbound rule generation
    • Create a rule:
      • Interface: OPT2
      • Source: any
      • Source port: any
      • Destination: 192.168.1.254
      • Destination port: 22
      • Leave the rest on default (translation on interface address, no static port)

    Like this, all traffic to the ssh server appears to come from the pfSense --> local traffic.



  • It didn't work

    :(



  • What didn't work?

    Do you see traffic going to the ssh server?
    Can you even log into the ssh server locally?
    --> Did you follow the port forwarding troubleshooting guide?



  • I think I found the problem... I will be absolutely sure tomorrow when I speak with my provider.

    I opened an ssh session to the router (192.168.1.254) and tried to ping 192.168.250.5 (pfsense), and I got "network unreachable". Then I saw that the static route 192.168.250.0/24 -> 192.168.1.1 is not working!

    I think this is the problem. The router cannot send the packets back to pfsense.

    Tomorrow I will have news.
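As an added illustration (not code from the thread or from pfSense), the following Python model shows why the router's return path decides whether this port forward works: it compares the OPT2 outbound NAT rule suggested earlier with the static route the last poster found missing. The public client address and the router's routing tables are constructed for the example.

```python
import ipaddress

# Addresses from the thread; the public client address is constructed (TEST-NET-3).
PFSENSE_OPT2 = "192.168.1.1"   # pfSense OPT2 address, on-link for the router
CLIENT = "203.0.113.10"        # constructed Internet client hitting port 5555

def lookup(routes, dst):
    """Longest-prefix match over {prefix: next_hop}. None means the router
    would report 'network unreachable', as in the poster's ping test."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def source_seen_by_router(outbound_nat):
    """Source address of the forwarded SYN as it arrives at the router.
    With the manual OPT2 outbound NAT rule from the thread, pfSense rewrites
    it to its interface address; without it, the client's address is kept."""
    return PFSENSE_OPT2 if outbound_nat else CLIENT

def reply_next_hop(router_routes, outbound_nat):
    """Where the router (192.168.1.254) sends the SYN/ACK of the forwarded ssh session."""
    return lookup(router_routes, source_seen_by_router(outbound_nat))

# Constructed routing tables for the router behind OPT2:
#  - BROKEN: only the OPT2 subnet is on-link, nothing points back via pfSense
#  - WITH_STATIC: adds the static route the poster found missing
#  - WITH_DEFAULT: adds a default route via pfSense instead
BROKEN = {"192.168.1.0/24": "on-link"}
WITH_STATIC = {**BROKEN, "192.168.250.0/24": PFSENSE_OPT2}
WITH_DEFAULT = {**BROKEN, "0.0.0.0/0": PFSENSE_OPT2}

if __name__ == "__main__":
    # The poster's ping from the router to the pfSense LAN address
    print("ping 192.168.250.5, broken router:", lookup(BROKEN, "192.168.250.5"))
    print("ping 192.168.250.5, static route: ", lookup(WITH_STATIC, "192.168.250.5"))
    # Return path of the forwarded ssh connection under each fix
    print("reply, no NAT, broken router:     ", reply_next_hop(BROKEN, False))
    print("reply, no NAT, static route only: ", reply_next_hop(WITH_STATIC, False))
    print("reply, outbound NAT, broken:      ", reply_next_hop(BROKEN, True))
    print("reply, no NAT, default via pfSense", reply_next_hop(WITH_DEFAULT, False))
```

Note that the static route alone repairs the ping to the LAN but not the reply to an Internet client; for that the router needs either the outbound NAT rule (reply goes to the on-link 192.168.1.1) or a default route via pfSense.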

