Netgate Discussion Forum

    Forward range of ports to a single port

    NAT
    12 Posts 5 Posters 3.3k Views
      mellowinottawa

      Hi,

      I'm trying to set up two OpenVPN servers that will listen on my WAN interface, one on UDP 1194, the other on TCP 1194.  Ideally I'd then create two forwarding rules, one for UDP and one for TCP, that forward a large range of ports (essentially 1-65535) to a single port (1194), thereby having the OpenVPN server essentially listening on all ports.  This is quite easy to do using iptables in Linux but I can't recreate it within pfSense's GUI, which only seems to allow 1:1 mapping of a range of ports to a range of ports.  Am I missing something?

      This is to ensure that if I'm out on the road, hotel, cafe wifi, etc. that I have as many options as possible to get around restrictive outbound firewalling.

      Thanks!

      Colin

        kejianshi

        Just set them up on 80, 443 and one other port not usually associated with VPN or proxy but above the service ports.  If those are closed to you, they will all be closed.

          kathampy

          He's right. 443 and 53 are your best bets. Most firewalls don't attempt protocol enforcement on port 443 so you should be able to make socket connections with non-SSL protocols. Just forward those few ports, one in each rule. I personally forward to localhost:1194 and not the interface address (I presume it goes through one less layer then).

            jimp Rebel Alliance Developer Netgate

            You can't do that in one simple/easy pf rule. If you forward a range the target range must be of identical size. So if you forward 100-200 to target:500, that means it would really go from 500-600. There isn't a way around that except to do individual rules.

            Port sharing tcp/443 with a live HTTPS server would probably work, and udp/53 works from more places than you'd think (and sometimes can even bypass captive portals)

            So if you use a few strategic ports you won't need to forward a whole range.

            Some suggestions:
            tcp: 53, 80, 443, 8080, 21, 22, 113, 143
            udp: 53, 443 (some people use "tcp/udp" on rules that they shouldn't!), 123, 161, 514

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              mellowinottawa

              Thanks for the responses everyone, I'll go with the suggested ports!

                kejianshi

                Well - It's good to know we can think like thieves when we need to.

                  kejianshi

                  Wouldn't it be nice if you could specify a list of comma separated ports when doing the wizard set-up, have all the ports auto open and end up with something like this auto dumped into the client config... And have it try each in order exhaustively.  But that would take all the fun out of setup I guess.
                  Of course a single server would only listen on one port and the others would be redirects.

                  remote mysite.net 53 udp
                  remote mysite.net 443 udp
                  remote mysite.net 123 udp
                  remote mysite.net 161 udp
                  remote mysite.net 514 udp
                  remote mysite.net 1194 udp
                  remote mysite.net 53 tcp
                  remote mysite.net 80 tcp
                  remote mysite.net 443 tcp
                  remote mysite.net 8080 tcp
                  remote mysite.net 21 tcp
                  remote mysite.net 22 tcp
                  remote mysite.net 143 tcp

                    mellowinottawa

                    Could try using the remote-random option I guess?  Not in order but a good way to sit back and let it figure out what is open for you.  Might also want to use --connect-retry to lower how long it waits in between connection attempts.

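Putting the two posts above together, here is a complete OpenVPN client profile fragment that walks jimp's port list with remote-random and a shortened retry interval. It is an added example written for this thread, not config posted by any participant or shipped by pfSense: mysite.net is the thread's placeholder hostname, the port list is jimp's suggestion, and connect-timeout and the two-argument form of connect-retry assume OpenVPN 2.4 or newer. As kejianshi notes, the server still listens on one port (1194); every other port in the list is a pfSense NAT rule redirecting that WAN port to the single listener, so the client only has to find one that the local network lets through.

```conf
# Added example client profile (constructed for this thread, not from pfSense).
# Assumes: mysite.net is the thread's placeholder hostname, the server listens
# on a single port (1194) and pfSense rdr rules map each other WAN port to it.
client
dev tun
nobind
persist-key
persist-tun

# One remote per candidate port; the third field sets the protocol per entry
# (supported since OpenVPN 2.3), so TCP and UDP can be mixed in one list.
remote mysite.net 53 udp
remote mysite.net 443 udp
remote mysite.net 123 udp
remote mysite.net 161 udp
remote mysite.net 514 udp
remote mysite.net 1194 udp
remote mysite.net 53 tcp
remote mysite.net 80 tcp
remote mysite.net 443 tcp
remote mysite.net 8080 tcp
remote mysite.net 21 tcp
remote mysite.net 22 tcp
remote mysite.net 143 tcp

# Start at a random entry instead of always walking the list from the top.
remote-random
# Give an unanswered remote 10 s before moving to the next one
# (the default poll timeout is 120 s, which makes a long list painful).
connect-timeout 10
# Wait 2 s between attempts; the optional second value caps the backoff at 10 s.
connect-retry 2 10
# Stop after each remote has been tried 3 times rather than looping forever.
connect-retry-max 3

# Trust material goes here as usual (ca/cert/key, or inline <ca> ... </ca>
# blocks); remote-cert-tls makes the client insist the peer holds a server cert.
remote-cert-tls server
```

With this profile the client tries one remote at a time, so on a network that only allows outbound 80/443 the first few entries may time out before a reachable one is found; keeping connect-timeout short is what makes the full list tolerable. On the pfSense side each listed port needs its own NAT rule, since the GUI cannot collapse a range onto one target port.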
                      kejianshi

                      Yeah - I know I can put it into the config myself.  I bet it will eventually show up in pfsense as an automatic option.

                        Nucleus

                        @jimp:

                        Some suggestions:
                        tcp: 53, 80, 443, 8080, 21, 22, 113, 143
                        udp: 53, 443 (some people use "tcp/udp" on rules that they shouldn't!), 123, 161, 514

                        I have OpenVPN servers on TCP & UDP 443 with a single firewall rule on the WAN to pass this traffic to the WAN interface - IPv4 TCP/UDP port 443.
                        Is that bad for some reason?

                          jimp Rebel Alliance Developer Netgate

                          No, that's fine if it's intentional. I was referring to using ports to "break out" of someone else's network.

                          Say you're at a Hotel or Coffee shop that has strict outbound policies that would deny access to all but port 80 and 443 and maybe DNS. If they accidentally use TCP/UDP on their 80 and 443 rules you could sneak out of their network by using OpenVPN on UDP port 443.

                            Nucleus

                            Got it… Sorry, I misinterpreted what you were getting at.
                            That's why I run both as UDP is preferred, but you have that fallback ;)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.