Netgate Discussion Forum

    Using non-standard ports

    Firewalling
    5 Posts 3 Posters 1.2k Views
    • awsiemieniec

      I have some web servers behind a pfSense.  I'd like to enable:
      SSH, FTP, HTTP, HTTPS, Webmin

      From the outside world I'm going to access these services, with the exception of HTTP and HTTPS, using non-standard ports.
      For example, pretend I use:
      SSH: 500
      FTP: 600
      Webmin: 700

      When I make the firewall rules am I going to have to create a single rule for each service so that NAT can be done?  Normally I'd alias the ports and group the single aliases into a group alias and then I have one rule per server.  But with these non-standard ports will pfSense know that incoming port 500 gets NAT'd to 22 if the alias group includes 22, 21, 80, 443 and 10000?

      (Maybe this is more of a NAT question?)

      • viragomann

        In firewall rules you have to use the destination ports as they are forwarded to the machines.
        So group these ports (22, 21, 80, 443, etc.) in an alias and use this in the rule to permit the traffic.

        For NAT you will have to add a rule for each single port you want to forward.

        • Derelict (LAYER 8, Netgate)

          I believe if you make two port aliases, one for the outside ports and one for the inside, there is a 1:1 relationship between them.

          So if you were to create dest_ports 22, 21, 8443 and nat_ports 500, 600, 700 and use them accordingly in the port forward rule I think it will do what you're looking for.

          Don't sweat having too many rules though. Clarity and the ability to visualize what's going on when you look at the rule set is more important than reducing the number of rules.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • awsiemieniec

            Thank you both for the assistance.

            At this point I do have one rule for each NAT'd service.  I like the idea Derelict suggested.  I'll try it and see if the 1:1 is maintained.  What I didn't know is whether pfSense would know that incoming port 500 would be NAT'd to 22, since the alias would have 21, 22, 10000 as possible options.  I don't really know.  Try and see, I guess.

            Thank you again.

            I'll post results.

            • Derelict (LAYER 8, Netgate)

              I think I had my example above backwards from what you're trying to do (inside and outside swapped).  Usually people want to use nonstandard ports on the outside and standard on the inside.


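The thread settles on two points: the NAT side needs an explicit outside-port to inside-port pairing for every forwarded service (viragomann), and if you express that as two aliases they only make sense as a positional 1:1 list (Derelict). The script below is an added example, not code from the thread or from pfSense, and it does not claim to reproduce how pfSense itself expands alias-to-alias port forwards. It takes the poster's example mapping (500 to 22, 600 to 21, 700 to 10000), refuses mismatched or duplicated alias entries, emits one pf-style `rdr` line per port, and builds the single filter rule that must match the post-NAT inside ports rather than the WAN ports. The interface name `em0` and the server address `192.168.1.10` are constructed placeholders.

```python
"""Plan port forwards from an 'outside' port alias to an 'inside' port alias
and emit the equivalent pf-style rules.

Added example for the Netgate thread above; not pfSense's own code.
Interface and address values are constructed placeholders.
"""

from dataclasses import dataclass

# Constructed placeholders (not from the thread).
WAN_IF = "em0"
SERVER = "192.168.1.10"


@dataclass(frozen=True)
class Forward:
    outside_port: int   # port clients hit on the WAN address
    inside_port: int    # port the service really listens on
    service: str


def pair_aliases(nat_ports, dest_ports, names):
    """Pair the 'outside' alias with the 'inside' alias position by position.

    The pairing is only meaningful if both lists have the same length and
    the same order, so refuse anything else rather than guess.
    """
    if not (len(nat_ports) == len(dest_ports) == len(names)):
        raise ValueError("outside/inside aliases must have the same number of entries")
    if len(set(nat_ports)) != len(nat_ports):
        raise ValueError("duplicate outside port: two services cannot share one WAN port")
    return [Forward(o, i, n) for o, i, n in zip(nat_ports, dest_ports, names)]


def pf_rdr_rules(forwards, wan_if=WAN_IF, server=SERVER):
    """One rdr per service: a single WAN port translates to a single inside port."""
    return [
        f"rdr on {wan_if} proto tcp from any to ({wan_if}) "
        f"port {f.outside_port} -> {server} port {f.inside_port}  # {f.service}"
        for f in forwards
    ]


def pf_pass_rule(forwards, wan_if=WAN_IF, server=SERVER):
    """The filter rule is evaluated after translation, so it must match the
    inside (post-NAT) ports, which is why the firewall alias holds 22, 21, 10000
    and not 500, 600, 700."""
    ports = ", ".join(str(f.inside_port) for f in forwards)
    return f"pass in on {wan_if} proto tcp from any to {server} port {{ {ports} }}"


def lookup_inside(forwards, outside_port):
    """Which inside port does an incoming WAN port map to? None if not forwarded."""
    for f in forwards:
        if f.outside_port == outside_port:
            return f.inside_port
    return None


if __name__ == "__main__":
    # The poster's example: non-standard outside ports, standard inside ports.
    plan = pair_aliases([500, 600, 700], [22, 21, 10000], ["ssh", "ftp", "webmin"])
    for line in pf_rdr_rules(plan):
        print(line)
    print(pf_pass_rule(plan))
    print("WAN 500 ->", lookup_inside(plan, 500))
```

Two practical notes. First, the `rdr`/`pass` split is the reason the thread's two answers agree: the NAT rule carries the outside port, the filter rule carries the inside port, and a single alias of inside ports cannot tell the firewall which WAN port each one came from. Second, a forward of port 21 alone covers only FTP's control connection; the data channel opens separate ports and needs its own handling, so test FTP end to end rather than assuming the rule set above is complete for it.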
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.