Netgate Discussion Forum
    Using port aliases as port forwarding targets

    • jason0

      Hello,

      For the most part, my port forwarding works fine.  I have a question regarding port forwarding groups of port numbers that are not sequential, and don't match between alias groups.

      I include my test details below.  I tested it by running tcpdump on the target system, and using telnet to the wan port in question on the source.  I verified connection attempts on both the target systems, and in the pfsense system firewall logs.  I chose tcp port numbers not in use on the firewall, or on the redirected server.

      My example uses two aliases.  Note that they both have four ports in them.  Also note that the first port number in each of them matches.

      zports

      • 23

      • 28

      • 37

      • 88

      zrealports

      • 23

      • 80

      • 442

      • 8080

      My NAT rule test read as follows:

      IF   proto  src_ip  src_port  dst_ip         dst_port  Nat_ip        Nat_ports
      WAN  TCP    *       *         <wan address>  zports    <lan server>  zports

      And connection attempts worked as follows:

      • Connect to wan port 23 got forwarded to lan server port 23

      • Connect to wan port 37 got forwarded to lan server port 37

      • Connect to wan port 48 got forwarded to lan server port 48

      • Connect to wan port 227 got forwarded to lan server port 227

      When I changed the NAT rule test to read:

      IF   proto  src_ip  src_port  dst_ip         dst_port  Nat_ip        Nat_ports
      WAN  TCP    *       *         <wan address>  zports    <lan server>  zrealports

      Connections to any of the port numbers aliased by zports only went to the first port number listed in the zrealports alias.

      =========================================================

      In the first NAT case, I noticed that incoming connections were forwarded to the respective ports on the server.  However, in the second case, attempts at each port in the zports list only got mapped to the first entry in zrealports.

      The first NAT case seems to make sense: if forwarding to the same port numbers, the first port entry maps to the first entry, the second to the second, and so on.

      If this behaviour is proper, I would then expect forwarding to a different set of port numbers to map in a similar manner if they each had the same number of ports.

      My question is: Are these behaviors a coincidence?  Can I rely on them?

      In other words, when port forwarding a set of ports to the same set of ports, will they always map 1:1?
      And when mapping a set of ports to a different set of ports, will they always not map 1:1?

      • marcelloc

        I would prefer to use the same set of ports on the alias, and a specific NAT for different source and dest ports.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • jason0
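        As an added illustration that is not part of the original thread and is not pfSense's generated ruleset, the pf.conf fragment below shows the two rule shapes the question and the reply describe: an alias-to-alias forward, where pf keeps the original destination port so the mapping is 1:1, and the per-port rules marcelloc recommends when the server-side ports differ. The interface name, the WAN address notation and the LAN server address are assumptions; the port lists are the ones from the thread.

```pf
# Constructed pf.conf fragment (pfSense runs on pf). Interface, server address
# and rule placement are assumptions, not pfSense's own generated rules.
ext_if     = "em0"            # assumed WAN interface
lan_server = "192.168.1.10"   # assumed LAN server
zports     = "{ 23 28 37 88 }"  # the zports alias from the thread

# Case 1 (zports -> zports): no target port is given after the server address,
# so pf leaves the destination port unchanged. 23 -> 23, 28 -> 28, 37 -> 37,
# 88 -> 88, which is the 1:1 behaviour observed in the first test.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $zports -> $lan_server

# Case 2 (zports -> zrealports): the rdr target accepts a single port or a
# contiguous range (e.g. "port 80:*"), not a list, so a non-sequential remap
# needs one explicit rule per port pair, as the reply suggests. Translation
# rules are first-match, so use either Case 1 or Case 2 for a given port,
# not both.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 23 -> $lan_server port 23
rdr on $ext_if inet proto tcp from any to ($ext_if) port 28 -> $lan_server port 80
rdr on $ext_if inet proto tcp from any to ($ext_if) port 37 -> $lan_server port 442
rdr on $ext_if inet proto tcp from any to ($ext_if) port 88 -> $lan_server port 8080

# Filter rules still have to pass the translated traffic; they match on the
# post-translation destination. Keep the list limited to the forwarded ports.
pass in on $ext_if inet proto tcp from any to $lan_server port { 23 80 442 8080 }
```

        Checking the loaded translation rules with `pfctl -sn` after applying such a ruleset makes it easy to see whether a forward preserves the port (no `port` after the target) or rewrites it to a single fixed port, which is the difference between the two behaviours reported in the thread.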

          @marcelloc:

          I would prefer to use the same set of ports on the alias, and a specific NAT for different source and dest ports.

          I think I understand: if you are port forwarding the same ports then you use an alias.  If the ports are different, you specify them one-by-one.

          It seems that's the only way to do it.  I was just curious if the behavior I saw was a coincidence, or if it was operating as designed.

          –jason
