Using port aliases as port forwarding targets

NAT
Log in to reply
  • J

    Hello,

    For the most part, my port forwarding works fine.  I have a question regarding port forwarding groups of port numbers that are not sequential, and don't match between alias groups.

    I include my test details below.  I tested it by running tcpdump on the target system, and using telnet to the wan port in question on the source.  I verified connection attempts on both the target systems, and in the pfsense system firewall logs.  I chose tcp port numbers not in use on the firewall, or on the redirected server.

    My example uses two aliases.  Note that they both have four ports in them.  Also note that the first port number in each of them matches.

    zports

    • 23

    • 28

    • 37

    • 88

    zrealports

    • 23

    • 80

    • 442

    • 8080

    My NAT rule test read as follows:

    IF      proto  src_ip    src_port    dst_ip                  dst_port    Nat_ip              Nat_ports
    WAN  TCP    *          *              <wan address="">zports        <lan server="">zports

    And connection attempts worked as follows:

    • Connect to wan port 23 got forwarded to lan server port 23

    • Connect to wan port 37 got forwarded to lan server port 37

    • Connect to wan port 48 got forwarded to lan server port 48

    • Connect to wan port 227 got forwarded to lan server port 227

    When I changed the NAT rule test to read:

    IF      proto  src_ip    src_port    dst_ip                  dst_port    Nat_ip              Nat_ports
    WAN  TCP    *          *              <wan address="">zports        <lan server="">zrealports

    Connections to any of the port numbers aliased by zports only went to the first port number listed in the zrealports alias.

    =========================================================

    In the first NAT case, I noticed that incoming connections were forwarded to the respective ports on the server.  However in the second case, attempts at each port in the zport list only got mapped to the first entry in zrealports

    The first NAT case seems to make sense: if forwarding to the same port numbers, the first port entry maps to the first entry, the second to the second, and so on.

    If this behaviour is proper, I would then expect forwarding to a different set of port numbers to map in a similar manner if they each had the same number of ports.

    My question is: Are these behaviors a coincidence?  Can I rely on them?

    In other words, when port forwarding a set of ports to the same set of ports, will they always map 1:1?
    And when mapping a set of ports to a different set of ports, will they always not map 1:1?</lan></wan></lan></wan>

    0
  • marcelloc

    I would prefer to use same set of ports on alias and specif nat for different source and dest ports.

    0
  • J

    @marcelloc:

    I would prefer to use same set of ports on alias and specif nat for different source and dest ports.

    I think I understand: if you are port forwarding the same ports then you use an alias.  If the ports are different, you specify them one-by-one.

    It seems that's the only way to do it.  I was just curious if the behavior I saw was a coincidence, or if it was operating as designed.

    –jason

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy