Netgate Discussion Forum

    Www port redirection

    Category: NAT
    djnrg787:

      I have a few servers on my network where I'm trying to hide the web port way out there on some random port, for example 30123, and when I try to forward external port 30123 to internal port 80 it will do exactly that, but at the same time also forward port 80 to 80… The first rule I made for the first server works just fine like it should, but all the others aren't working. Each server has its own external IP with 1:1 NAT set up and working. Regular port forwards also work normally, i.e. 21>21 works fine.

      podilarius:

        Since you have 1:1, you only need to create a port forward from 30123 to port 80. The 1:1 will handle regular port 80. If you are trying to hide port 80, then what is the point of leaving the normal port 80 redirect? It is not very hidden that way.

        djnrg787:

          That's what I did, but for some reason it's forwarding to the regular 80 also, even though I didn't add that in. What I did was port 30123 external > 80 internal. However, what is happening is it's doing 30123,80 external > 80 internal.

          johnpoz (LAYER 8 Global Moderator):

            Well, you said you have a 1:1 NAT, so yeah, if the firewall has the port open, it would be sent through, would it not?

            "Each server has its own external ip with 1:1 nat setup"

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            djnrg787:

              I'm not super clear on how 1:1 NAT works, but I know I need to use it for each server to send the traffic out the right IP. So what's the easiest way to port forward then? What confuses me is that the first one I set up works fine, and it's set up the same way.

              johnpoz (LAYER 8 Global Moderator):

                What part is confusing about 1:1?? It's a 1:1.

                http://doc.pfsense.org/index.php/1:1_NAT
                1:1 NAT, aka one-to-one NAT or binat, binds a specific internal address (or subnet) to a specific external address (or subnet). Incoming traffic from the Internet to the specified IP will be directed toward the associated internal IP. Outgoing traffic to the Internet from the specified internal IP will originate from the associated external IP.

                To allow traffic in from the Internet, you must add a firewall rule on the associated WAN interface allowing the desired traffic, using the destination IP of the internal private IP.

                If you want your HTTP server to serve traffic on 30123, then have it listen on that port and allow that port on the firewall; there you go, done.


                jimp (Rebel Alliance Developer Netgate):

                  You can't effectively do what you're trying to do, because of the way pf works.

                  NAT happens before filtering, so the 1:1 for port 80 and the port forward for 30123 look identical to the firewall rules, so they are both allowed.

                  The correct thing to do in this case would be, as johnpoz said, to make the service bind to port 30123 and not rely on a NAT redirect.

                  Either that, or ditch the 1:1 NAT and just use port forwards.

                  Actually I take that back - there may be another way:
                  Add a port forward for 80->80 like you have for 30123->80, but on the 80->80 rule, check "No RDR (NOT)".

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

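What the two explanations above amount to in pf terms, written out as an added example (this is not from the thread and not pfSense's actual generated ruleset; it uses pfSense's pf.conf dialect, with the interface name em0, the public address 203.0.113.10 and the server address 10.0.0.10 all assumed placeholders). Translation rules run before filter rules, and the filter rule for a port forward is written against the post-NAT destination, so every inbound path that lands on 10.0.0.10:80 matches it:

```pf
# Added example: illustrates the thread's point, not the firewall's own output.
# Assumed placeholders: WAN em0, public 203.0.113.10, server 10.0.0.10.
ext_if = "em0"
pub_ip = "203.0.113.10"
srv_ip = "10.0.0.10"

# ----- As the original poster has it configured -----

# 1:1 NAT (binat): inbound to 203.0.113.10 on ANY port is rewritten to
# 10.0.0.10; outbound from 10.0.0.10 leaves as 203.0.113.10.
binat on $ext_if from $srv_ip to any -> $pub_ip

# Port forward: 203.0.113.10:30123 -> 10.0.0.10:80
rdr on $ext_if proto tcp from any to $pub_ip port 30123 -> $srv_ip port 80

# Default deny, then the rule a port forward creates. It is evaluated
# AFTER translation, so it sees only the translated destination. Both
#   203.0.113.10:30123 --rdr-->   10.0.0.10:80
#   203.0.113.10:80    --binat--> 10.0.0.10:80
# arrive here as 10.0.0.10:80 and are passed, which is why plain port 80
# is reachable although no 80->80 forward was ever added.
block in all
pass in quick on $ext_if proto tcp from any to $srv_ip port 80 flags S/SA keep state

# ----- Corrected (johnpoz/jimp): listen on 30123, drop the rdr -----
# binat alone delivers 203.0.113.10:30123 to 10.0.0.10:30123; the filter
# rule names that port only, so 203.0.113.10:80 is translated and then
# blocked by the default deny. Replace the rdr and pass lines above with:
#
#   pass in quick on $ext_if proto tcp from any to $srv_ip port 30123 flags S/SA keep state
#
# jimp's alternative, a port forward for 80 with "No RDR (NOT)" checked,
# corresponds to a negated translation rule of this shape:
#
#   no rdr on $ext_if proto tcp from any to $pub_ip port 80
#
# Whether that takes precedence over the binat line on a given pfSense
# version is something to confirm on the box, not assumed here.
```

To see what the firewall actually loaded rather than what the GUI implies, `pfctl -sn` prints the translation (binat/rdr) rules and `pfctl -sr` the filter rules; comparing the destination in the pass rule with the destinations the translation rules produce shows exactly which outside ports reach the server.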
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.