Need some help for doing tricky things with NAT

  • Hello pfSense users. I need some help to cover the following problem, because of not being really firm with NAT:

    We need to use the fi5000 netbox for connecting the fi6140 scanner to the network. I know there are a lot of network scanners available now, but exactly this way is certified for our archiving solution. In the past we had 40 individual virtual Win7 PCs, one for each user. Now we are going to be 80 users, that's why we want to use a terminal server instead of these individual VMs. The problem is, on the fi5000 netbox I can only configure an individual IP address for each user; the port is only configurable globally for the whole box.

    On the dest. PCs there is a trigger app running and listening for connects from the fi5000. So after logging in to the fi5000 by scanning the finger print, the fi5000 connects to the trigger app running on the IP configured for the owner of the finger print. The trigger app then starts the scan app. This scan app connects its scan driver back to the fi5000 box and starts the scan.

    Scanner ----USB---- fi5000 ----LAN---- pfSense1 ----OpenVPN---- pfSense2 ----LAN---- Terminal Server
                        (Port 10002)                                                     (Port 10020)
                                                                                         (Port 10010)

    Config on fi5000:
    User: admin   Dest.IP: (dummy IP)   Port: 10002 (Port not configurable)
    User: user    Dest.IP: (dummy IP)   Port: 10002 (Port not configurable)

    Config on Terminal Server:
    User: admin   Trigger App is running on Port: 10020
    User: user    Trigger App is running on Port: 10010

    Config on pfSense1:
    Port Forward NAT:
    IF    Proto     Src.port  Dest.addr  Dest.port  NAT IP  NAT Port  Description
    LAN   TCP/UDP   *         *          10002              10020     Scanner-120
    LAN   TCP/UDP   *         *          10002              10010     Scanner-110

    That works fine for the trigger app: if I log in as admin on the fi5000, it finds the trigger app running on the terminal server as user admin.

    But if I press the scan button, the trigger app starts the scan app, and this app tries to connect back to the fi5000 on IP:, Port: 10020 (port as configured in the trigger app), and can't connect.

    Two reasons I can see:

    • the fi5000 is only listening on port 10002
    • the fi5000 assumes an incoming connection from port 10002

    So I think, for the way back from the terminal server to the fi5000, I need rules that do the following for all traffic from source: interface OpenVPN to dest.IP:

    For user admin:

    • redirect dest.port from 10020 to 10002
    • rewrite the source IP from to
    • rewrite the source port from 10020 to 10002

    For user test:

    • redirect dest.port from 10010 to 10002
    • rewrite the source IP from to
    • rewrite the source port from 10010 to 10002

    Is there anybody out there who can help me with these rules?

    Many thanks, I apologize for having nearly no clue with NAT.

    Cheers, sven
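The two-step translation the post describes for the return path (scan app to fi5000), written as raw pf.conf rules as an added illustration; this is not from the thread, and pfSense generates rules of this shape from its Port Forward and Outbound NAT pages rather than from a hand-edited pf.conf. All addresses and interface names are constructed placeholders, and the scan-driver connection is assumed to be TCP.

```pf
# Placeholders (constructed for this example, not taken from the post)
vpn_if   = "ovpns1"          # OpenVPN interface on pfSense1 (traffic from the terminal server arrives here)
lan_if   = "em0"             # LAN interface of pfSense1 facing the fi5000
fi5000   = "192.0.2.10"      # the netbox; it only listens on 10002
ts       = "198.51.100.20"   # terminal server behind pfSense2
admin_ip = "192.0.2.120"     # dummy Dest.IP configured on the fi5000 for user admin
user_ip  = "192.0.2.110"     # dummy Dest.IP configured on the fi5000 for user user

# Forward direction (what the existing port forwards already do): a trigger connection from
# the fi5000 to a user's dummy IP on 10002 is sent to the terminal server on that user's port.
rdr on $lan_if proto { tcp udp } from $fi5000 to $admin_ip port 10002 -> $ts port 10020
rdr on $lan_if proto { tcp udp } from $fi5000 to $user_ip  port 10002 -> $ts port 10010

# Return direction, step 1 (packet enters on OpenVPN): the scan app connects to the fi5000 on
# the per-user port; redirect it to 10002 and tag it so the outbound rule still knows the user,
# because after the rdr both users' connections look the same.
rdr on $vpn_if proto tcp from $ts to $fi5000 port 10020 tag SCAN_ADMIN -> $fi5000 port 10002
rdr on $vpn_if proto tcp from $ts to $fi5000 port 10010 tag SCAN_USER  -> $fi5000 port 10002

# Return direction, step 2 (packet leaves on LAN): rewrite the source to the user's dummy IP
# and pin the translated source port to 10002 (a single-port range), so the fi5000 sees a
# connection from the address and port it expects.
nat on $lan_if proto tcp from $ts to $fi5000 port 10002 tagged SCAN_ADMIN -> $admin_ip port 10002
nat on $lan_if proto tcp from $ts to $fi5000 port 10002 tagged SCAN_USER  -> $user_ip  port 10002

# The filter still has to allow the redirected traffic (pf evaluates filter rules after rdr).
pass in quick on $vpn_if proto tcp from $ts to $fi5000 port 10002 keep state
```

The replies from the fi5000 go to the dummy addresses, so pfSense1 must own or route them (a Virtual IP on LAN, for example); otherwise the nat state is never matched on the way back. Pinning the source port to one value also means only one scan connection per user can exist at a time, which matches the one-box-per-user design here.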