Port forward - is this possible?



  • Hi
    Is it possible, with port forwarding, to make "different forwards" depending on the client IP address while using one and the same port?
    Example
    <inet client IP1 group> --> pfsense:3389 --> <lan server1:3389>
    <inet client IP2 group> --> pfsense:3389 --> <lan server2:3389>
    ...
    Thanks



  • Yes, you can, and it is basic: you can add a port forward from different public IPs to different private IPs on the same port..



  • @Sopon:

    Yes, you can, and it is basic: you can add a port forward from different public IPs to different private IPs on the same port..

    If it is possible, how do I configure this from the GUI?



  • 1. Go to menu Firewall -> Virtual IP -> Create Virtual Server
    2. Go to menu Firewall -> NAT -> Port Forward -> Create NAT with the Virtual IP Server and check "Auto-add a firewall rule to permit traffic through this NAT rule"



  • Ok
    Virtual Server = Type  [Proxy ARP,  CARP,  Other]
    Which type is used with Port Forward? (not CARP, of course)
    And what IP must I define for the Virtual IP (my second public IP? But if the provider gives only one public IP, what then?)?



  • Virtual Server = Type = Proxy ARP or Other

    Sorry: if you have one public IP on the default WAN interface, in this case you don't need to add a Virtual Server; you can add a port forward directly to one private server IP at port 3389. It is a basic concept of TCP.

    Good luck..



  • If you need access from the public with one IP to two servers on port 3389, on one of the servers you can change the port from 3389 to xxxx and configure NAT on a different port.

    http://support.microsoft.com/kb/306759

    Please read..



  • Thanks, I know this way.
    But my question is about:
    pf rules can be:
    rdr pass on $ext_if proto tcp from <pop_users1> to $external_addr port 110 -> 192.168.0.3
    rdr pass on $ext_if proto tcp from <pop_users2> to $external_addr port 110 -> 192.168.0.4
    Is it possible to use this from the GUI/Port Forward, or is this option not realised in pfSense?
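    The source-based redirect asked about in the post above, written out as a complete pf.conf fragment. This is an added illustration, not from the thread and not anything pfSense's Port Forward page generates; the interface name, the public address, the table contents and the internal server addresses are assumed for the example.

```pf
# Added example (not from the thread): two internal servers reachable on
# one public port, chosen by the client's source address.  Interface name,
# addresses and table contents are assumed for illustration.
ext_if = "em0"
external_addr = "203.0.113.10"   # the firewall's single public IP (documentation range)

# Persistent tables hold the client groups.  They can be changed at run time
# with "pfctl -t <name> -T add|delete <addr>" without reloading the ruleset.
table <pop_users1> persist { 198.51.100.0/24, 192.0.2.17 }
table <pop_users2> persist { 192.0.2.64/26 }

# Same external port, different internal target, keyed on the source table.
# "rdr pass" also passes the redirected packet, so no separate pass rule
# is needed (pre-4.7 pf syntax, as in the thread).  Translation rules must
# precede filter rules in pf.conf.
rdr pass on $ext_if proto tcp from <pop_users1> to $external_addr port 110 -> 192.168.0.3
rdr pass on $ext_if proto tcp from <pop_users2> to $external_addr port 110 -> 192.168.0.4

# A source that is in neither table does not match an rdr rule, so it falls
# through to the filter rules; block it explicitly rather than letting it
# reach either server.
block in log on $ext_if proto tcp to $external_addr port 110
```

    After loading, `pfctl -s nat` shows the two translation rules and `pfctl -t pop_users1 -T show` lists a table's current members. pfSense generates its own ruleset from the GUI configuration, so a fragment like this lives outside what the Port Forward page can express, which is what the reply below says.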



  • Source-based NAT is not possible with the GUI.



  • @hoba:

    Source-based NAT is not possible with the GUI.

    Thanks all for the information  ::)
    Sorry for my English.
    PS: Maybe in future this will be added  ;)



  • If you need to balance users with an application on one TCP/IP port and different server IP addresses, that solution is on the server; for example MS Exchange server can do it. I think all firewalls can't.



  • @Sopon:

    If you need to balance users with an application on one TCP/IP port and different server IP addresses, that solution is on the server; for example MS Exchange server can do it. I think all firewalls can't.

    Thanks - I posted only an example.
    The task exists for RDP (3389). Now different external ports (3389, 3390, 3391...) are used for each Terminal server.
    I saw in the 'rdr' rules an option at the 'src' position and raised the issue of a single port for all.
    Thanks



  • It might not be appropriate to revive this thread, but we're trying to do something very similar, except instead of being IP based, we would like to be able to do policy NAT'ing of RDP sessions (port 3389) based on the initial client session request, as the intended server's hostname is transmitted in the clear during the initial handshake. Anybody know if this sort of deep-packet-inspection-based NAT'ing is even possible on pfSense right now?



  • I almost certainly know that this is not possible on pfSense right now, and I wonder if there is a NAT router at all that can do something like that.

    But if you already have multiple names, shouldn't you be able to distinguish them by this name (IP?), and just make some destination-based rule decisions?



  • But if you already have multiple names, shouldn't you be able to distinguish them by this name (IP?), and just make some destination-based rule decisions?

    Yep, the trick is ascertaining the hostname that the client is requesting. (We can't turn the problem around and do it based on the client IP, as these people travel.) If it were simple HTTP then we could use the inbound load balancer (I think), but since it's direct RDP we're trying to extract the same data from the RDP session instead.

