Www port redirection
I have a few servers on my network that im trying to hide the web port way out there on some random port, for example 30123, and when i try to forward port 30123 external to internal port 80 it will do exactly that but at the same time also forward port 80 to 80… The first rule i made for the first server works just fine like it should but all others arent working. Each server has its own external ip with 1:1 nat setup and working. regular port forwards also work normally i.e. 21>21 works fine.
since you have 1:1, you only need to create a port forward from 30123 to port 80. The 1:1 will handle regular port 80. If you are trying to hide port 80, then what is the point of leaving the normal port 80 re-direct? It is not very hidden that way.
Thats what i did but for some reason its forwarding to the regular 80 also even though i didnt add that in. what i did was port30123external>80internal. however what is happening is its doing 30123,80external>80internal.
Well you said you have a 1:1 NAT - so yeah if the firewall has the port open, it would be sent through would it not.
"Each server has its own external ip with 1:1 nat setup"
Im not super clear on how 1:1 nat works but i know i need to use it for each server to send the traffic out the right ip. so whats the easiest way to port forward then? what confuses me is the first one i setup works fine setup the same way.
What part is confusing about 1:1?? Its a 1:1
1:1 NAT, aka one-to-one NAT or binat, binds a specific internal address (or subnet) to a specific external address (or subnet). Incoming traffic from the Internet to the specified IP will be directed toward the associated internal IP. Outgoing traffic to the Internet from the specified internal IP will originate from the associated external IP.
To allow traffic in from the Internet, you must add a firewall rule on the associated WAN interface allowing the desired traffic, using the destination IP of the internal private IP.
If you want your http server to serve traffic on 30123, then have it listen on that port and allow that port on the firewall - there you go done.
You can't effectively do what you're trying to do, because of the way pf works.
NAT happens before filtering, so the 1:1 for port 80 and the port forward for 30123 look identical to the firewall rules, so they are both allowed.
The correct thing to do in this case would be, as johnpoz said, to make the service bind to port 30123 and not rely on a NAT redirect.
Either that, or ditch the 1:1 NAT and just use port forwards.
Actually I take that back - there may be another way:
Add a port forward for 80->80 like you have for 30123->80, but on the 80->80 rule, check "No RDR (NOT)".