Forward port 80 to 8080 on the same lan



  • I am looking for help on doing a port redirect for any traffic on my LAN interface going to port 80 to a different box running dansguardian. I am running pfSense 2.2.4. I have a LAN and WAN interface. The history is the firewall/filter solution we were using is obsolete. I have replaced that unit with this pfSense box, but dansguardian was not working; it kept going up and down. So I have a separate Linux machine that is running dansguardian on the same LAN as the pfSense box. I have set a redirect saying anything on the LAN net going out to port 80 is to go through the filter machine on port 8080. It does redirect the traffic, but the filter machine is not seeing the IP from the LAN net the traffic is coming from; it sees the LAN address from pfSense, and due to that it is blocking web access. Is what I am looking to do possible?
    Here is the scenario I am looking at. LAN subnet is 192.168.1.0/21
    LAN address 192.168.1.1
    Port forward says if LAN, source !192.168.1.2, destination any, destination port 80, redirect address 192.168.1.2, redirect port 8080

    Is there a way to get the forward to use the client ip instead of the interface ip?


  • Banned

    No, because that traffic to a different machine on LAN will not hit the firewall at all, so the end result is exactly what you described.



  • Would this be possible through a vlan? Or even putting the filter in the public WAN?



  • Your best bet is to set your clients' browsers to use the Linux proxy. You can either do this explicitly, entering the proxy server address in the network settings on the browser, or by using a proxy PAC file and setting your clients' browsers to refer to that.


  • LAYER 8 Global Moderator

    ^ exactly or use of autodiscovery like wpad if your clients support that..  It's much better to do explicit pointing to your proxy than redirect from the gateway to the proxy just for the proxy to send the traffic back to the gateway.. That is a horrific hairpin setup..
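
A PAC file of the kind suggested in the replies above, as an added example that is not part of any post in the thread. With it, each client connects to the filter box itself, so dansguardian sees the real client IP instead of the firewall's LAN address. The proxy address and the /21 LAN come from the question; the helper names, the choice to send only plain HTTP to the filter (matching the original port-80 redirect), and the absence of a DIRECT fallback are assumptions.

```javascript
// Constructed from the thread: filter box at 192.168.1.2:8080, LAN given as 192.168.1.0/21.
var PROXY = "PROXY 192.168.1.2:8080"; // no "; DIRECT" fallback: if the filter is down, browsing fails closed
var LAN_ADDR = "192.168.1.0";
var LAN_PREFIX = 21;

// Hypothetical helper: dotted-quad string to a 32-bit number, or null if host is not a literal IPv4.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Hypothetical helper: true when host is a literal address inside the LAN block.
// Both sides are reduced to their block number, so the unaligned
// "192.168.1.0/21" from the post covers 192.168.0.0 through 192.168.7.255.
function inLan(host) {
  var ip = ipv4ToInt(host);
  if (ip === null) return false;
  var blockSize = Math.pow(2, 32 - LAN_PREFIX);
  return Math.floor(ip / blockSize) === Math.floor(ipv4ToInt(LAN_ADDR) / blockSize);
}

// Entry point every PAC-aware client calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local destinations (bare hostnames, loopback, LAN addresses) skip the filter.
  if (host.indexOf(".") === -1 || host === "127.0.0.1" || inLan(host)) {
    return "DIRECT";
  }
  // Plain HTTP goes to the dansguardian box; everything else is left as it was.
  if (url.substring(0, 5).toLowerCase() === "http:") {
    return PROXY;
  }
  return "DIRECT";
}
```

A PAC file only steers clients that honour it. To enforce the filter, the firewall would also have to block outbound port 80 from every LAN source except 192.168.1.2.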

