Need help understanding GUI creation of rdr rules
-
I'm new to pfsense but have been using OpenBSD and pf for a long time.
I'm trying to take my pf.conf ruleset from OpenBSD and manually re-create it within pfsense, but am having trouble grokking the way pfsense wants me to do it within its GUI.
For instance:
Handle FTP via OpenBSD's ftp-proxy
rdr on LAN-interface proto tcp from any to any port 21 -> 127.0.0.1 port 8081
rdr on OPT-interface proto tcp from any to any port 21 -> 127.0.0.1 port 8081
(I configured the ftp-proxy to run on localhost at TCP 8081 under OpenBSD).
Can someone suggest how I would recreate the above in the GUI's NAT -> Port Forward?
Is pftpx the analog to OpenBSD's ftp-proxy? This FAQ says pfsense's ftp-proxy is running on localhost:
http://faq.pfsense.org/index.php?action=artikel&cat=10&id=103&artlang=en
But ps -aux and the pfsense GUI seem to indicate that pftpx is bound to each interface. So I think the FAQ entry is outdated?
Similarly, I'm not sure how to re-create:
Let client systems behind FW use dnscache on FW
rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53
and port-forwards from the outside to a host in the DMZ:
rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 80
-
1. Enable the FTP helper on the Interfaces -> WAN area.
2. Delete any prior ftp port forwards and port forward rules pertaining to port 21/ftp.
3. Create the nat port forward for 21. This will launch pftpx as needed for port forwards at this point.
-
I'm trying to create rules which allow ftp (through the ftp-proxy) outbound from the inside and DMZ LANs.
1. Enable the FTP helper on the Interfaces -> WAN area.
Why run the ftp helper on the WAN interface? Wouldn't you want to run the helper on the inbound interface(s) (if I can't run it on localhost)?
3. Create the nat port forward for 21.
Can you walk me through what that rule would look like:
Is the Interface LAN? Or WAN? Why?
Is the external address any? or Interface addr?
Is the NAT IP the IP where pftpx is running?
Do I set the local port to 8021?
-
http://wiki.pfsense.com/wikka.php?wakka=FTPTroubleShooting
-
Thanks, I will check out that URL.
My original question isn't really an FTP question, however. My FTP example was merely an instance of a larger problem: I'm having trouble figuring out how to translate rdr rules from PF into pfsense.
For instance, in translating this rdr rule to pfsense:
rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 8080
What's the "external address"? Is IP-in-DMZ the "NAT IP"? Is the "Local Port" 8080?
And in:
rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53
What's the "external address"? Is it LAN-interface-IP/32?
Are there any tutorials that illustrate translating nat, binat, rdr and other PF rules into the pfsense GUI?
-
pfSense operates on the packet incoming to an interface which creates a state.
So think of it as incoming to an interface initially (SYN).
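The field mapping asked about above, as an added Python example that is not from the thread or from pfSense: it parses the rdr rules quoted in the thread and assigns each part of the rule to a port-forward field, following pf's own semantics (match on the ingress interface, original destination is the "to" part, rewritten destination is the "->" part). The field labels "External address", "NAT IP" and "Local port" are assumed from the poster's wording of the old GUI; the interface names and IP-in-DMZ are the thread's placeholders.

```python
import re

# Constructed input: the rdr rules quoted in the thread (OpenBSD pf syntax).
RDR_RULES = [
    "rdr on LAN-interface proto tcp from any to any port 21 -> 127.0.0.1 port 8081",
    "rdr on LAN-interface proto udp from any to LAN-interface-IP/32 port 53 -> 127.0.0.1 port 53",
    "rdr on WAN-interface proto tcp from any to any port 80 -> IP-in-DMZ port 8080",
]

# Grammar of the rdr subset used in the thread; "rdr pass", tables,
# address lists and port ranges are deliberately out of scope.
RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>tcp|udp)"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)"
    r"\s*->\s*(?P<target>\S+)(?:\s+port\s+(?P<tport>\d+))?\s*$"
)


def rdr_to_port_forward(rule: str) -> dict:
    """Map one pf rdr rule onto the fields of a pfSense port forward.

    Field names are assumed labels (old-GUI wording from the thread). The
    rule matches packets *entering* the named interface; "to" is what the
    packet was originally sent to; "->" is where pf rewrites it to.
    """
    m = RDR_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rdr syntax: {rule!r}")
    f = m.groupdict()
    dst = f["dst"]
    if dst == "any":
        external = "any"
    elif dst.endswith("-IP/32") or dst.endswith("-IP"):
        # Traffic aimed at the interface's own address (the dnscache case).
        external = "Interface address"
    else:
        external = dst
    return {
        "Interface": f["iface"],            # interface the packet arrives on
        "Protocol": f["proto"].upper(),
        "Source": f["src"],
        "External address": external,       # original destination (the "to")
        "External port": int(f["dport"]),   # original destination port
        "NAT IP": f["target"],              # rewritten destination (the "->")
        "Local port": int(f["tport"] or f["dport"]),  # pf keeps the port if omitted
    }


if __name__ == "__main__":
    for rule in RDR_RULES:
        print(rule, "=>", rdr_to_port_forward(rule))
```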