Netgate Discussion Forum
    [Solved] Port forward to a different port number

      icsaki

      I'm trying to use NAT to forward an external port X (e.g. 8080) on WAN to a server on the LAN on port Y (e.g. 80). I followed the steps on doc.pfsense.org and I use the add firewall rule automatically.
      This seems to work only if ports X and Y are the same. If I add a different port number to the "Redirect target port" on the NAT page it does not work. I'm on 2.1.

      For example, the values on the NAT page are:
      Interface: WAN
      Protocol: TCP
      Destination: WAN address
      Destination port range: 8080
      Redirect target IP: 192.168.0.100
      Redirect target port: HTTP (80)
      NAT reflection: use system default
      Add associated filter rule

      The filter rule is:
      Action: Pass
      Interface: WAN
      Source: any
      Destination: 192.168.0.100
      Destination port range: HTTP

      How can I make this work with different ports?

      Thanks in advance.

        phil.davis

        I just put a somewhat "random" port forward into my home system and got this in /tmp/rules.debug

        # NAT Inbound Redirects
        rdr on vr1 proto tcp from any to 10.49.175.1 port 4350 -> 10.49.160.42 port 4200
        

        It looks like a reasonable pf redirect from port 4350 to port 4200.
        What is in this section of your /tmp/rules.debug?

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          icsaki

          Thanks for the reply, Phil.

          I have the following in the:

          NAT Inbound Redirects

          ---snip
          rdr on em1 proto tcp from any to xxx.xxx.xxx.xxx port 8080 -> 192.168.0.100 port 80
          ---snip

          where xxx.xxx.xxx.xxx is the WAN IP I masked. It looks good to me, too.

          Is it the auto-added firewall rule, then?

            phil.davis

            My auto-added rule looked OK. The rule should be to permit the IP and port after NAT translation, because NAT happens first, then the firewall rules are processed. For you, there should be a rule to permit 192.168.0.100 port 80.
            One tricky point is that the rule is added to the end of the existing rules. So if you have some combination of pass and block rules already on WAN, then the auto pass rule at the end may not be effective (an earlier wide-ranging block rule might stop the traffic first). If so, then move the auto rule up to/near the top.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              icsaki

              Thanks, Phil, that was it. The rule was added to the bottom and an earlier rule blocked the traffic.
              Easy. Thanks for your help.
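
An added example, not part of the original thread: a simplified Python model of the behaviour resolved above, where the redirect is applied first and the WAN filter rules are then checked top to bottom against the translated destination, with the first match winning and no match meaning block. The address 203.0.113.10 is a constructed stand-in for the masked WAN IP, and BLOCK_ALL and PRE_NAT_PASS are hypothetical rules used only for illustration.

```python
import re

# Constructed stand-in for the masked WAN address in the thread (TEST-NET-3).
WAN_IP = "203.0.113.10"
RDR = f"rdr on em1 proto tcp from any to {WAN_IP} port 8080 -> 192.168.0.100 port 80"

RDR_RE = re.compile(r"rdr on (\S+) proto (\S+) from any to (\S+) port (\d+)"
                    r" -> (\S+) port (\d+)")

def apply_rdr(rdr_line, dst_ip, dst_port):
    """Return the destination after the redirect (unchanged if it does not match)."""
    m = RDR_RE.fullmatch(rdr_line.strip())
    if not m:
        raise ValueError("unsupported rdr line")
    _, _, ext_ip, ext_port, new_ip, new_port = m.groups()
    if (dst_ip, dst_port) == (ext_ip, int(ext_port)):
        return new_ip, int(new_port)
    return dst_ip, dst_port

def filter_verdict(rules, dst_ip, dst_port):
    """First matching rule wins, top to bottom; no match means default deny."""
    for action, rule_ip, rule_port in rules:
        if rule_ip in ("any", dst_ip) and rule_port in ("any", dst_port):
            return action
    return "block"

def inbound(rules, dst_ip, dst_port, rdr_line=RDR):
    """NAT first, then the WAN filter rules see the translated destination."""
    return filter_verdict(rules, *apply_rdr(rdr_line, dst_ip, dst_port))

AUTO_PASS = ("pass", "192.168.0.100", 80)   # the associated filter rule from the thread
BLOCK_ALL = ("block", "any", "any")         # hypothetical earlier wide-ranging block rule
PRE_NAT_PASS = ("pass", WAN_IP, 8080)       # hypothetical rule written against pre-NAT values

if __name__ == "__main__":
    for name, rules in [("auto rule at bottom", [BLOCK_ALL, AUTO_PASS]),
                        ("auto rule moved up", [AUTO_PASS, BLOCK_ALL]),
                        ("pre-NAT rule only", [PRE_NAT_PASS])]:
        print(f"{name:20} -> {inbound(rules, WAN_IP, 8080)}")
```

The third case shows why the associated rule targets 192.168.0.100 port 80 rather than the WAN address and port 8080: by the time the filter runs, the packet no longer carries the pre-NAT destination.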

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.