Using port aliases as port forwarding targets
-
Hello,
For the most part, my port forwarding works fine. I have a question regarding port forwarding groups of port numbers that are not sequential, and don't match between alias groups.
I include my test details below. I tested it by running tcpdump on the target system, and using telnet to the wan port in question on the source. I verified connection attempts on both the target systems, and in the pfsense system firewall logs. I chose tcp port numbers not in use on the firewall, or on the redirected server.
My example uses two aliases. Note that they both have four ports in them. Also note that the first port number in each of them matches.
zports
-
23
-
28
-
37
-
88
zrealports
-
23
-
80
-
442
-
8080
My NAT rule test read as follows:
IF proto src_ip src_port dst_ip dst_port Nat_ip Nat_ports
WAN TCP * * <wan address="">zports <lan server="">zportsAnd connection attempts worked as follows:
-
Connect to wan port 23 got forwarded to lan server port 23
-
Connect to wan port 37 got forwarded to lan server port 37
-
Connect to wan port 48 got forwarded to lan server port 48
-
Connect to wan port 227 got forwarded to lan server port 227
When I changed the NAT rule test to read:
IF proto src_ip src_port dst_ip dst_port Nat_ip Nat_ports
WAN TCP * * <wan address="">zports <lan server="">zrealportsConnections to any of the port numbers aliased by zports only went to the first port number listed in the zrealports alias.
=========================================================
In the first NAT case, I noticed that incoming connections were forwarded to the respective ports on the server. However in the second case, attempts at each port in the zport list only got mapped to the first entry in zrealports
The first NAT case seems to make sense: if forwarding to the same port numbers, the first port entry maps to the first entry, the second to the second, and so on.
If this behaviour is proper, I would then expect forwarding to a different set of port numbers to map in a similar manner if they each had the same number of ports.
My question is: Are these behaviors a coincidence? Can I rely on them?
In other words, when port forwarding a set of ports to the same set of ports, will they always map 1:1?
And when mapping a set of ports to a different set of ports, will they always not map 1:1?</lan></wan></lan></wan> -
-
I would prefer to use same set of ports on alias and specif nat for different source and dest ports.
-
I would prefer to use same set of ports on alias and specif nat for different source and dest ports.
I think I understand: if you are port forwarding the same ports then you use an alias. If the ports are different, you specify them one-by-one.
It seems that's the only way to do it. I was just curious if the behavior I saw was a coincidence, or if it was operating as designed.
–jason
