Need help understanding GUI creation of rdr rules



  • I'm new to pfsense but have been using OpenBSD and pf for a long time.

    I'm trying to take my pf.conf ruleset from OpenBSD and manually re-create it within pfsense, but am having trouble grokking the way pfsense wants me to do it within its GUI.

    For instance:

    Handle FTP via OpenBSD's ftp-proxy

    rdr on LAN-interface proto tcp from any to any port 21 -> 127.0.0.1 port 8081
    rdr on OPT-interface proto tcp from any to any port 21 -> 127.0.0.1 port 8081

    (I configured the ftp-proxy to run on localhost at TCP 8081 under OpenBSD).

    Can someone suggest how I would recreate the above in the GUI's NAT -> Port Forward?

    Is pftpx the analog to OpenBSD's ftp-proxy?  This FAQ says pfsense's ftp-proxy is running on localhost:

    http://faq.pfsense.org/index.php?action=artikel&cat=10&id=103&artlang=en

    But ps -aux and the pfsense GUI seem to indicate that pftpx is bound to each interface.  So I think the FAQ entry is outdated?

    Similarly, I'm not sure how to re-create:

    Let client systems behind FW use dnscache on FW

    rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53

    and port-forwards from the outside to a host in the DMZ:

    rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 80



  • 1. Enable the FTP helper on the Interfaces -> WAN area.
    2. Delete any prior ftp port forwards and port forward rules pertaining to port 21/ftp.
    3. Create the nat port forward for 21.

This will launch pftpx as needed for port forwards at this point.



  • I'm trying to create rules which allow ftp (through the ftp-proxy) outbound from the inside and DMZ LANs.

    1. Enable the FTP helper on the Interfaces -> WAN area.

    Why run the ftp helper on the WAN interface?  Wouldn't you want to run the helper on the inbound interface(s) (if I can't run it on localhost)?

    3. Create the nat port forward for 21.

    Can you walk me through what that rule would look like:

    Is the Interface LAN?  Or WAN?  Why?
    Is the external address any?  or Interface addr?
    Is the NAT IP the IP where pftpx is running?
    Do I set the local port to 8021?





  • Thanks, I will check out that URL.

    My original question isn't really an FTP question, however.  My FTP example was merely an instance of a larger problem: I'm having trouble figuring out how to translate rdr rules from PF into pfsense.

    For instance, in translating this rdr rule to pfsense:

    rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 8080

    What's the "external address"?  Is IP-in-DMZ the "NAT IP"?  Is the "Local Port" 8080?

    And in:

    rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53

    What's the "external address"?  Is it LAN-interface-IP/32?

    Are there any tutorials that illustrate translating nat, binat, rdr and other PF rules into the pfsense GUI?



  • pfSense operates on the packet incoming to an interface which creates a state.

So think of it as incoming to an interface initially (SYN).
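As an added example (not posted by anyone in this thread), here is a small Python helper that parses the rdr lines quoted above and maps each one onto the port-forward fields the thread asks about, following the reply that the rule belongs on the interface where the packet first arrives. The field names (interface, external address, NAT IP, local port) are taken from the thread's own wording and are an assumption about the GUI, not a verified copy of it.

```python
import re

# Grammar subset covering the rdr lines quoted in this thread:
#   rdr on IFACE proto PROTO from SRC to DST port DPORT -> TARGET [port TPORT]
RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>tcp|udp)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s+"
    r"->\s+(?P<target>\S+)(?:\s+port\s+(?P<tport>\d+))?\s*$"
)


def rdr_to_port_forward(rule: str) -> dict:
    """Map one pf rdr rule onto the fields of a NAT -> Port Forward entry.

    Field names follow the wording used in this thread (assumption).
    """
    m = RDR_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rdr syntax: {rule!r}")
    f = m.groupdict()
    ext = f["dst"]
    if ext != "any":
        ext = ext.split("/")[0]  # a /32 on the match address is just that host
    return {
        # the rule is evaluated on the interface the SYN arrives on
        "interface": f["iface"],
        "protocol": f["proto"].upper(),
        "source": f["src"],
        # "external address" = the destination the packet was originally sent to
        "external_address": ext,
        "external_port": int(f["dport"]),
        # "NAT IP" = the address pf rewrites the destination to
        "nat_ip": f["target"],
        # pf keeps the original port when the target gives none
        "local_port": int(f["tport"] or f["dport"]),
    }


def translate_ruleset(text: str) -> list:
    """Translate every rdr line in a pf.conf fragment; other lines are skipped."""
    return [rdr_to_port_forward(l) for l in text.splitlines()
            if l.strip().startswith("rdr ")]


if __name__ == "__main__":
    # constructed input: the three rule shapes quoted in the thread
    SAMPLE = """
    rdr on LAN-interface proto tcp from any to any port 21 -> 127.0.0.1 port 8081
    rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53
    rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 8080
    """
    for entry in translate_ruleset(SAMPLE):
        print(entry)
```

A target of 127.0.0.1 only works if the service really listens on loopback; the thread notes that pftpx is bound per interface, so such entries need checking against what is actually listening.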
