4. [Solved] Port forward to a different port number

[Solved] Port forward to a different port number

  • I

    I'm trying to use NAT to forward an external port X (e.g. 8080) on WAN to a server on the LAN on port Y (e.g. 80). I followed the steps on doc.pfsense.org and I use the add firewall rule automatically.
    This seems to work only if ports X and Y are the same. If I add a different port number to the "Redirect target port" on the NAT page it does not work. I'm on 2.1.

    For example, the values on the NAT page are:
    Interface: WAN
    Protocol: TCP
    Destination: WAN address
    Destination port range: 8080
    Redirect target IP: 192.168.0.100
    Redirect target port: HTTP (80)
    NAT reflection: use system default
    Add associated filter rule

    The filter rule is:
    Action: Pass
    Interface: WAN
    Source: any
    Destination: 192.168.0.100
    Destination port range: HTTP

    How can I make this work with different ports?

    Thanks in advance.

    0
  • P

    I just put a somewhat "random" port forward into my home system and got this in /tmp/rules.debug

    # NAT Inbound Redirects
rdr on vr1 proto tcp from any to 10.49.175.1 port 4350 -> 10.49.160.42 port 4200

    It looks like a reasonable pf redirect from port 4350 to port 4200.
    What is in this section of your /tmp/rules.debug?

    0
  • I

    Thanks for the reply, Phil.

    I have the following in the:

    NAT Inbound Redirects

    –-snip
    rdr on em1 proto tcp from any to xxx.xxx.xxx.xxx port 8080 -> 192.168.0.100 port 80
    ---snip

    where xxx.xxx.xxx.xxx is the WAN IP I masked. It looks good to me, too.

    Is it the auto-added firewall rule, then?

    0
  • P

    My auto-added rule looked OK. The rule should be to permit the IP and port after NATranslation, because NAT happens first, then the firewall rules are processed. For you, there should be a rule to permit 192.168.0.100 port 80.
    One tricky point is that the rule is added to the end of the existing rules. So if you have some combination of pass and block rules already on WAN, then the auto pass rule at the end may not be effective (an earlier wide-ranging block rule might stop the traffic first. If so, then move the auto rule up to/near the top.

    0
  • I

    Thanks, Phil, that was it. The rule was added to the bottom and an earlier rule blocked the traffic.
    Easy. Thanks for your help.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy