Virtual IP routing from an internet IP range to a LAN server over port 22?

  • I have 5 fixed IPs on one of my WANs (OPT) set up using virtual IPs in pfSense RC3.

    I need to allow connection through one of my fixed virtual IP's using SSH (port 22).
    I want to restrict access to their IP range and forward the ssh port through to a specific server LAN IP.

    I know I can create a NAT rule to do most of this but it doesn't restrict who can connect from the internet.

    Can someone please let me know how to set up a rule to do this, or point me to relevant documentation?


  • Change the autocreated firewall rule corresponding to the NAT entry to only accept your specified IPs as source (best to use an Alias for this).

  • Thanks for that GruensFroeschli.

    I think the relationship between the two rule types was throwing me, now it all makes sense!

    Just one more question!

    The firewall rule created by NAT does not have a source port set but does have a destination port set.
    Is this a bug OR is there a reason I shouldn't set the source port?


  • The source would be the port from which the connection is initiated.
    "Normally" this is a random port above 1024.
    So if you'd have as source a limitation to certain ports, almost all clients won't be able to connect.

    If you need more information search the net for the basics on how x/IP connections work.

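A small model of the rule discussed in this thread, added as an example (not code from the posters or from pfSense): it checks constructed connection attempts against a pass rule with the source left open, with the source limited to an alias, and with the source port also pinned to 22. The `Rule` class, the alias contents and all addresses are assumptions made up for illustration, and the rule is assumed to be matched against the translated (LAN) destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    """One pass rule: source networks (the alias), optional source-port range, destination."""
    sources: Tuple[str, ...]                      # alias contents as CIDR strings
    dst_ip: str
    dst_port: int
    src_ports: Optional[Tuple[int, int]] = None   # None means "any source port"

    def matches(self, src_ip, src_port, dst_ip, dst_port):
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in ipaddress.ip_network(net) for net in self.sources):
            return False                          # source not in the alias
        if self.src_ports and not (self.src_ports[0] <= src_port <= self.src_ports[1]):
            return False                          # source port outside the allowed range
        return dst_ip == self.dst_ip and dst_port == self.dst_port


# Constructed values: RFC 5737 documentation ranges and a private LAN address.
SSH_ALLOWED = ("203.0.113.0/28",)
SERVER = "192.168.1.10"

# Constructed connection attempts: (src_ip, src_port, dst_ip, dst_port)
ATTEMPTS = [
    ("203.0.113.5", 51344, SERVER, 22),    # allowed client, ephemeral source port
    ("203.0.113.9", 40212, SERVER, 22),    # allowed client, ephemeral source port
    ("198.51.100.7", 49800, SERVER, 22),   # address outside the alias
    ("203.0.113.5", 51345, SERVER, 80),    # allowed client, wrong destination port
]

any_source = Rule(("0.0.0.0/0",), SERVER, 22)                    # rule as autocreated
alias_only = Rule(SSH_ALLOWED, SERVER, 22)                       # source limited to alias
alias_src22 = Rule(SSH_ALLOWED, SERVER, 22, src_ports=(22, 22))  # source port pinned too


def evaluate(rule):
    """Return pass/block for each constructed attempt, in order."""
    return [rule.matches(*attempt) for attempt in ATTEMPTS]


if __name__ == "__main__":
    for name, rule in [("any source", any_source),
                       ("alias only", alias_only),
                       ("alias + source port 22", alias_src22)]:
        print(f"{name:24} {evaluate(rule)}")
```

Pinning the source port blocks even the clients in the alias, because their connections leave from ephemeral ports rather than from port 22.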