Using non-standard ports

  • I have some web servers behind a pfSense.  I'd like to enable:
    SSH, FTP, HTTP, HTTPS, Webmin

    From the outside world I'm going to access these services, with the exception of HTTP and HTTPS, using non-standard ports.
    For example pretend I use:
    SSH: 500
    FTP: 600
    Webmin: 700

    When I make the firewall rules am I going to have to create a single rule for each service so that NAT can be done?  Normally I'd alias the ports and group the single aliases into a group alias and then I have one rule per server.  But with these non-standard ports will pfSense know that incoming port 500 gets NAT'd to 22 if the alias group includes 22, 21, 80, 443 and 10000?

    (Maybe this is more of a NAT question?)

  • In firewall rules you have to use the destination ports as they are forwarded to the machines.
    So group these ports (22, 21, 80, 443, etc.) in an alias and use this in the rule to permit the traffic.

    For NAT you will have to add a rule for each single port you want to forward.


    I believe if you make two port aliases, one for the outside ports and one for the inside, there is a 1:1 relationship between them.

    So if you were to create dest_ports 22, 21, 8443 and nat_ports 500, 600, 700 and use them accordingly in the port forward rule I think it will do what you're looking for.

    Don't sweat having too many rules though. Clarity and the ability to visualize what's going on when you look at the rule set is more important than reducing the number of rules.

  • Thank you both for the assistance.

    At this point I do have one rule for each NAT'd service.  I like the idea of what Derelict said.  I'll try it and see if the 1:1 is maintained.  What I didn't know is if pfSense would know that incoming port 500 would be NAT'd to 22 - since the alias would have 21, 22, 10000 as possible options.  I don't really know.  Try and see I guess.

    thank you again.

    I'll post results


    I think I had my example above backwards from what you're trying to do (inside and outside swapped).  Usually people want to use nonstandard ports on the outside and standard on the inside.
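
The mapping Derelict describes, with the direction corrected as in the last post (non-standard ports on the WAN side, standard ports on the server), as an added example that is not part of the thread and not pfSense's own code: a small model of how one port-forward entry built from two port aliases expands into one rdr rule per port, pairing the n-th external port with the n-th internal port, plus the filter rules that must match the translated ports as the second reply says. The alias names, the interface name `em0`, the target address `192.168.1.10` and the pf rule text are assumptions for illustration; pfSense's generated ruleset differs in detail.

```python
# Added example, not code from the thread or from pfSense: models a
# port-forward rule that uses two port aliases with a 1:1 relationship.
# Alias names, interface, target address and rule syntax are assumptions.
from typing import Dict, List, Tuple

# Constructed aliases using the thread's own port numbers:
# non-standard ports on the WAN side, standard ports on the server side.
ALIASES: Dict[str, List[int]] = {
    "nat_ports": [500, 600, 700],    # what the outside world connects to
    "dest_ports": [22, 21, 10000],   # SSH, FTP, Webmin on the server
}


def pair_ports(external: List[int], internal: List[int]) -> List[Tuple[int, int]]:
    """Pair external and internal ports the way a 1:1 alias mapping would.

    A single internal port fans out (every external port lands on it);
    equal-length lists pair positionally; anything else is a configuration
    error rather than something to guess at silently.
    """
    if len(internal) == 1:
        return [(ext, internal[0]) for ext in external]
    if len(internal) == len(external):
        return list(zip(external, internal))
    raise ValueError(
        f"cannot map {len(external)} external ports onto {len(internal)} internal ports"
    )


def expand_port_forward(
    aliases: Dict[str, List[int]],
    ext_alias: str,
    int_alias: str,
    target: str,
    wan_if: str = "em0",
    proto: str = "tcp",
) -> Tuple[List[Tuple[int, int]], List[str], List[str]]:
    """Expand one port-forward entry into per-port rdr and pass rules.

    Returns the (external, internal) pairs, the NAT (rdr) rules and the
    filter (pass) rules. The pass rules match the translated destination
    port, because pf applies rdr before the filter rules are evaluated.
    """
    pairs = pair_ports(aliases[ext_alias], aliases[int_alias])
    rdr_rules = [
        f"rdr on {wan_if} proto {proto} from any to ({wan_if}) "
        f"port {ext} -> {target} port {internal}"
        for ext, internal in pairs
    ]
    pass_rules = [
        f"pass in on {wan_if} proto {proto} from any to {target} port {internal}"
        for _, internal in pairs
    ]
    return pairs, rdr_rules, pass_rules


def mapping_matches(pairs: List[Tuple[int, int]], intended: Dict[int, int]) -> bool:
    """Check that every external port lands on the internal port the admin intended."""
    return dict(pairs) == intended


if __name__ == "__main__":
    pairs, rdr, pas = expand_port_forward(ALIASES, "nat_ports", "dest_ports", "192.168.1.10")
    for line in rdr + pas:
        print(line)
    print("1:1 mapping intact:", mapping_matches(pairs, {500: 22, 600: 21, 700: 10000}))
```

The length check in `pair_ports` is the point of the exercise: if the two aliases drift out of step (a port added to one but not the other), the expansion refuses rather than silently forwarding port 500 to the wrong service, which is exactly the uncertainty the original poster raised.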
