Outbound NAT Port Redirection

  • Hi, I am trying to figure out how I can use pfSense to redirect all requests on the LAN side to a couple of specific public IPs on port 8080 to the same IP but using port 80.  Returning traffic from these public IPs will be served on port 80 and needs to be translated back to 8080 to be understood by the LAN-side client.

    Hope that makes sense?!

    It's for a customer proof of concept and, for reasons I won't bore you with, I can't change the config of either the client or the server to match each other.



  • I don't know if it would work, but you could try manual outbound NAT.

  • I've tried disabling Automatic Outbound NAT and creating a rule (see attached) to test translating port 8008 to port 21, and then trying to telnet to an external FTP server on 8008 to test the theory.  This fails, though.

    I'm told that this is possible using iptables with a rule that would look like this:
    -A PREROUTING ! -i eth0 -p tcp -m tcp --dport 8008 -j REDIRECT --to-ports 21

    As I guess pfSense has iptables at its heart, this should be possible somehow?



  •

    Pftables is the heart of PFSense... not IP tables.

  • Does that mean the function is not supported then?  :(

  • Dunno, you cannot use telnet to connect to an FTP server. Try a client like FileZilla.

  • I have been working on this for a week now but I can't seem to make it work. Can someone help me do a port forward

    from my public IP to my local IP?

    Firewall rule:
    ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
        TCP    *       *                  81    *        none             NAT Webserver

    Port forward:
    If          Proto  Src. addr  Src. ports  Dest. addr          Dest. ports  NAT IP  NAT Ports  Description
    EASTERNTEL  TCP    *          *           EASTERNTEL address  81                   81         Webserver

  • The rules look good. What does your outbound NAT look like?  Are you testing from inside or from the internet? Is your server listening on port 81?
    Can you access the webserver from a local client?

  • You can use port forwards to redirect traffic in that fashion. One thing to keep in mind: if the traffic is being redirected back out the same interface it came in on, you must use outbound NAT to translate the source IP to the firewall's IP on that interface, so the replies go back to the firewall, where they can be translated back to the original port. Otherwise the destination server replies directly to the source host, which breaks everything.
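As an added example that is not part of the original thread, here is what the two configurations discussed above look like in pf syntax, the packet filter that pfSense writes its rules in (pfSense generates rules like these from the GUI; they are not copied from any poster's config). It covers the original poster's case, a LAN client talking to an external host on 8080 while the server listens on 80, and the same-interface (reflection) case the last reply describes. The interface names, networks, the two public IPs (RFC 5737 documentation addresses) and the LAN web server address are assumptions chosen for illustration.

```pf
# Constructed example: interface names and addresses are assumptions, not from the thread.
ext_if    = "em0"                                   # WAN
lan_if    = "em1"                                   # LAN
lan_net   = "192.168.1.0/24"
poc_hosts = "{ 203.0.113.10, 203.0.113.11 }"        # the customer's public IPs (assumed)
web_srv   = "192.168.1.20"                          # LAN web server for the reflection case (assumed)

# Case 1 (original question): rewrite the DESTINATION port as the packet enters on LAN.
# This is a port forward (rdr), not outbound NAT: outbound NAT only rewrites the source.
# pf keeps a state entry for the translation, so the server's replies from port 80 are
# rewritten back to source port 8080 before they reach the client; nothing else is needed.
rdr on $lan_if proto tcp from $lan_net to 203.0.113.10 port 8080 -> 203.0.113.10 port 80
rdr on $lan_if proto tcp from $lan_net to 203.0.113.11 port 8080 -> 203.0.113.11 port 80

# Ordinary outbound NAT so the translated connection leaves WAN with the firewall's address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Case 2 (last reply): the redirected destination sits on the same interface the request
# came in on, e.g. a LAN client reaching the LAN web server via the WAN address.
# The rdr alone is not enough: the server would answer the client directly, bypassing
# the firewall's state, so the reply never gets its port translated back. The nat rule
# rewrites the source to the LAN interface address so the reply returns to the firewall.
rdr on $lan_if proto tcp from $lan_net to ($ext_if) port 8080 -> $web_srv port 80
nat on $lan_if proto tcp from $lan_net to $web_srv port 80 -> ($lan_if)

# Filter rules are evaluated AFTER translation, so they must match the translated port (80).
pass in  quick on $lan_if proto tcp from $lan_net to $poc_hosts port 80 keep state
pass in  quick on $lan_if proto tcp from $lan_net to $web_srv   port 80 keep state
pass out quick on $ext_if proto tcp from ($ext_if) to $poc_hosts port 80 keep state
pass out quick on $lan_if proto tcp to $web_srv port 80 keep state
```

In GUI terms, case 1 is a port forward on the LAN interface whose destination is the public IP with destination port 8080 and redirect port 80, one per public IP; the associated filter rule pfSense creates for a port forward already matches the redirected port. The earlier attempt in the thread that only changed outbound NAT could not work because outbound NAT rewrites the source side of the connection, never the destination port. Case 2 is what pfSense's NAT reflection does on your behalf: the extra nat rule is the "translate the source IP to the firewall's IP on that interface" step from the reply above, and without it the server's replies skip the firewall.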
