Help translate iptables to pfsense



  • I have some iptables that I made about a year ago for another router.  My company is switching to pfsense and I am not sure how to do what I am doing with the scripts in pfsense.  Here are my scripts:

    /usr/sbin/iptables -t nat -I PREROUTING -d [WAN IP 1] -p tcp --dport 8081:8099 -j DNAT --to-destination 192.168.1.46
    /usr/sbin/iptables -t nat -I PREROUTING -d [WAN IP 1] -p udp --dport 8081:8099 -j DNAT --to-destination 192.168.1.46
    /usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.46 -p tcp --dport 8081:8099 -j SNAT --to-source [WAN IP 1]
    /usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.46 -p udp --dport 8081:8099 -j SNAT --to-source [WAN IP 1]
    /usr/sbin/iptables -I FORWARD -d 192.168.1.46 -p tcp --dport 8081:8099 -j ACCEPT
    /usr/sbin/iptables -I FORWARD -d 192.168.1.46 -p udp --dport 8081:8099 -j ACCEPT

    /usr/sbin/iptables -t nat -I PREROUTING -d [WAN IP 2] -p tcp --dport 8081:8099 -j DNAT --to-destination 192.168.1.11
    /usr/sbin/iptables -t nat -I PREROUTING -d [WAN IP 2] -p udp --dport 8081:8099 -j DNAT --to-destination 192.168.1.11
    /usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.11 -p tcp --dport 8081:8099 -j SNAT --to-source [WAN IP 2]
    /usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.11 -p udp --dport 8081:8099 -j SNAT --to-source [WAN IP 2]
    /usr/sbin/iptables -I FORWARD -d 192.168.1.11 -p tcp --dport 8081:8099 -j ACCEPT
    /usr/sbin/iptables -I FORWARD -d 192.168.1.11 -p udp --dport 8081:8099 -j ACCEPT

    Any help will be appreciated.





  • Thanks, trying it now, will let you know how I make out.



  • I'm not getting very far with fwbuilder.  I'm still open to any other suggestions.  Going to keep trying to work with fwbuilder.



  • I'm no iptables guy, but this looks like a simple port forward for the LAN IPs 192.168.1.46 & 192.168.1.11 for ports 8081-8099.



  • What it's doing is taking any traffic from .46 on a specific port and redirecting it to a second WAN IP and taking traffic from that 2nd WAN IP to .46 (pre+post routing), so it's using outbound and inbound forwarding.  I have the virtual IP set in pfsense for the 2nd WAN IP, and I set the forward and outbound rules in pfsense and it's not working.  Not sure what I am missing.  All other traffic on .46 goes through our primary WAN IP.



  • What it's doing is taking any traffic from .46 on a specific port and redirecting it to a second WAN IP and taking traffic from that 2nd WAN IP to .46.

    Also known as a port-forward.

    Post shots of your firewall rules and NAT rules.



  • These are quite simply two very basic port-forward rules running on two external NICs to two internal servers. The target ports are 8081 to 8099 on both TCP and UDP. So just create two port forward rules for one of each of your external NICs naming that port range across both TCP and UDP, one forwarding from external NIC 1 to 192.168.1.46 and NIC 2 to 192.168.1.11. That should do it. You can ignore the POSTROUTING entries as the pfSense will know to forward replies back once the port forward rules are set up.

    This video shows the basics of port forwarding. Just amend this to point to the ports you want and the protocols as well as the internal target servers. https://www.youtube.com/watch?v=28dmUzOGI50
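The following script is an added illustration for this thread (not code from any poster, and not pfSense's own rule generator). It parses the iptables lines from the opening post and emits the equivalent generic pf rules (rdr for the DNAT, pass for the FORWARD accept, nat for the SNAT) so that the mapping between the two rule sets is visible. The WAN addresses in the embedded sample are constructed RFC 5737 documentation addresses standing in for the bracketed [WAN IP n] placeholders, and $wan_if is an assumed interface macro; in pfSense the WAN address would be the Virtual IP, the rdr line is the port forward, and the pass line is the firewall rule the port forward creates. Reply packets for forwarded connections are matched by state, so the nat line only affects connections the internal host opens itself.

```python
"""Translate iptables DNAT/SNAT/FORWARD port-forward lines into generic pf rules.

Added illustration for the thread above; not from any poster and not pfSense output.
"""
import shlex
from collections import OrderedDict

# Constructed sample: the thread's rules with the [WAN IP n] placeholders replaced
# by RFC 5737 documentation addresses so that the lines tokenize cleanly.
SAMPLE_RULES = """
/usr/sbin/iptables -t nat -I PREROUTING -d 203.0.113.10 -p tcp --dport 8081:8099 -j DNAT --to-destination 192.168.1.46
/usr/sbin/iptables -t nat -I PREROUTING -d 203.0.113.10 -p udp --dport 8081:8099 -j DNAT --to-destination 192.168.1.46
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.46 -p tcp --dport 8081:8099 -j SNAT --to-source 203.0.113.10
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.46 -p udp --dport 8081:8099 -j SNAT --to-source 203.0.113.10
/usr/sbin/iptables -I FORWARD -d 192.168.1.46 -p tcp --dport 8081:8099 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.1.46 -p udp --dport 8081:8099 -j ACCEPT
/usr/sbin/iptables -t nat -I PREROUTING -d 203.0.113.11 -p tcp --dport 8081:8099 -j DNAT --to-destination 192.168.1.11
/usr/sbin/iptables -t nat -I PREROUTING -d 203.0.113.11 -p udp --dport 8081:8099 -j DNAT --to-destination 192.168.1.11
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.11 -p tcp --dport 8081:8099 -j SNAT --to-source 203.0.113.11
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.11 -p udp --dport 8081:8099 -j SNAT --to-source 203.0.113.11
/usr/sbin/iptables -I FORWARD -d 192.168.1.11 -p tcp --dport 8081:8099 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.1.11 -p udp --dport 8081:8099 -j ACCEPT
"""


def parse_options(line):
    """Return {option: value} for one iptables command line (flags without a value map to True)."""
    # Copy/paste from web forums often turns "--" into an en dash; undo that first.
    toks = shlex.split(line.replace("\u2013", "--"))
    opts = {}
    i = 1  # skip the iptables binary itself
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[tok] = toks[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def collect_forwards(text):
    """Group rules by (wan_ip, lan_ip, ports); record protocols and which chains supplied them."""
    forwards = OrderedDict()
    for line in text.strip().splitlines():
        o = parse_options(line)
        target, proto, ports = o.get("-j"), o.get("-p", "any"), o.get("--dport")
        if target == "DNAT":  # PREROUTING: inbound redirect, this defines the port forward
            key = (o["-d"], o["--to-destination"], ports)
            entry = forwards.setdefault(key, {"protos": [], "snat": False, "accept": False})
            if proto not in entry["protos"]:
                entry["protos"].append(proto)
        elif target == "SNAT":  # POSTROUTING: outbound source rewrite for the same host
            key = (o["--to-source"], o["-s"], ports)
            forwards.setdefault(key, {"protos": [], "snat": False, "accept": False})["snat"] = True
        elif target == "ACCEPT" and o.get("-I") == "FORWARD":  # filter rule letting the forward through
            for key, entry in forwards.items():
                if key[1] == o["-d"] and key[2] == ports:
                    entry["accept"] = True
    return forwards


def to_pf(forwards, wan_if="$wan_if"):
    """Render pf rules in generic rdr/nat/pass syntax (assumed macro $wan_if for the WAN interface)."""
    out = []
    for (wan_ip, lan_ip, ports), e in forwards.items():
        protos = e["protos"][0] if len(e["protos"]) == 1 else "{ " + " ".join(e["protos"]) + " }"
        out.append(f"# {wan_ip}:{ports} -> {lan_ip}")
        # DNAT -> rdr: the port forward itself
        out.append(f"rdr on {wan_if} proto {protos} from any to {wan_ip} port {ports} -> {lan_ip}")
        if e["accept"]:
            # FORWARD ACCEPT -> pass: scoped to the forwarded host and port range only
            out.append(f"pass in quick on {wan_if} proto {protos} from any to {lan_ip} port {ports} keep state")
        if e["snat"]:
            # SNAT -> nat: only matters for connections the LAN host opens; replies are handled by state
            out.append(f"nat on {wan_if} proto {protos} from {lan_ip} to any port {ports} -> {wan_ip}")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_pf(collect_forwards(SAMPLE_RULES)))
```

Running the script prints two rdr/pass/nat triplets, one per WAN address; comparing them against the NAT and firewall tabs in pfSense makes it easy to spot a forward whose protocol list, port range or destination host does not match the original.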



  • It's simple port forwarding with the not so simple Virtual IP.  It's not two NICs.  We have a /29 namespace giving us 4 outside IPs.  I already declared WAN IP 2 as a virtual IP.  I already have the "simple" port-forwarding rules in; I will try to remove the outbound rules and see if it works but I doubt it will.  Any other suggestions appreciated.



  • @smyers119:

    It's simple port forwarding with the not so simple Virtual IP.  It's not two NICs.

    From a rules perspective, just treat the VIPs you've set up as separate NICs - makes no difference to the rules.

    As was suggested three posts ago, you might try posting a screenshot of your firewall rules and NAT rules. Otherwise any suggestions you get from this point are just guesswork.