How to redirect traffic from lan_ip_1:port1 to lan_ip_2:port2?


  • here is my topology:

    
                               |
            ext:20.20.20.20:4000 -> 1.1.1.1:4000
                               |
                             firewall
                               | 
                          int:1.1.1.254
                               |
                             switch
                     +---------+---------+
                     |                   | 
           int:1.1.1.1:4000      int:1.1.1.2:3389
                     |                   |
                  pfsense             server
    
    

    The external firewall has been translating 20.20.20.20:4000 to 1.1.1.1:4000. The problem is: is it possible to redirect 1.1.1.1:4000 to 1.1.1.2:3389?

    PS: I am not authorized to modify the external firewall's rules.


  • Destination NAT can pass traffic to one target. If you want to load balance the inbound traffic between 1.1.1.1 and 1.1.1.2, you either insert a load balancer to handle the traffic between the two internal hosts, or you can set up external round-robin DNS with two external IPs bound to the one A record and port forward the two to the respective internal IPs. For example, forward 20.20.20.20:4000 to 1.1.1.1:4000 and 20.20.20.21:4000 to 1.1.1.2:3389. Then create two A records for 'myserver.com', for instance, to resolve to both 20.20.20.20 and 20.20.20.21.

    Not sure what you mean by not being authorized to change the external firewall rules. If not you, then who?

    On second reading of your post, you may be suggesting that you want to forward your forwarded traffic directly from 1.1.1.1:4000 to 1.1.1.2:3389. In which case, make 1.1.1.1 a load balancer and configure it to forward traffic to 1.1.1.2. If I haven't misread your post (and I may have), you may be suggesting that the firewall isn't configurable by you, so you can't change the port-forward rule on it. If that's the case, then this technically isn't a pfSense (or even a firewall) question.


  • @muswellhillbilly:

    you may be suggesting that you want to forward your forwarded traffic directly from 1.1.1.1:4000 to 1.1.1.2:3389.
    you may be suggesting that the firewall isn't configurable by you, so you can't change the port-forward rule on it.

    You are right.
    Hmm, so I have to find another solution.


  • I found a solution: an SSH tunnel.

    I can SSH into pfSense from outside, so on my laptop:

    ssh -N -L 1022:server_lan_ip:22 user@pfsense_wan_ip -p 2022

    pfsense_wan_ip is the firewall's external IP; this IP's port 2022 was port-forwarded to pfsense_lan_ip port 22.

    Then ssh -p 1022 localhost will do the trick.
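The tunnel in the last post works because ssh opens a TCP listener on the laptop (127.0.0.1:1022) and relays every byte of each accepted connection to server_lan_ip:22, which is the same job the original question wanted from pfSense (accept on 1.1.1.1:4000, relay to 1.1.1.2:3389) and the same job a kernel DNAT rule does. The following is an added example, not code from the thread or from pfSense: a small user-space TCP redirector in Python that does that relay, with an optional source-IP allowlist so the redirect does not expose the target to anyone who can reach the listener. All hosts and ports in it are assumptions for illustration; the built-in demo stands up an echo service as the stand-in for the real server and runs entirely on 127.0.0.1 with ephemeral ports.

```python
"""Added example (not from the thread): a user-space TCP port redirector.

Accepts connections on one address:port and relays them to another, the
mechanism behind both `ssh -L` and a firewall destination NAT rule.
Hosts and ports are assumptions; the demo runs only on 127.0.0.1.
"""
import asyncio
from typing import Optional, Set

CHUNK = 65536


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy one direction until EOF, then half-close the far side so the
    peer sees the same FIN the original sender sent (no premature close)."""
    try:
        while data := await reader.read(CHUNK):
            writer.write(data)
            await writer.drain()
    except OSError:
        pass  # peer reset: nothing more to copy in this direction
    finally:
        try:
            if writer.can_write_eof():
                writer.write_eof()
        except OSError:
            pass  # far side already gone


def make_redirector(target_host: str, target_port: int,
                    allowed_sources: Optional[Set[str]] = None):
    """Return an asyncio connection handler relaying to target_host:target_port.

    allowed_sources: optional allowlist of client IPs. A redirect exposes the
    target to whoever can reach the listener, so restrict it where possible.
    """
    async def handle(client_reader, client_writer):
        peer = client_writer.get_extra_info("peername")
        src_ip = peer[0] if peer else None
        if allowed_sources is not None and src_ip not in allowed_sources:
            client_writer.close()  # refuse: not an allowed source
            return
        try:
            target_reader, target_writer = await asyncio.open_connection(
                target_host, target_port)
        except OSError:
            client_writer.close()  # target unreachable: fail closed
            return
        await asyncio.gather(
            _pump(client_reader, target_writer),   # client -> target
            _pump(target_reader, client_writer),   # target -> client
        )
        client_writer.close()
        target_writer.close()
    return handle


async def _echo(reader, writer):
    """Constructed stand-in for the real service (1.1.1.2:3389 in the thread)."""
    while data := await reader.read(CHUNK):
        writer.write(data)
        await writer.drain()
    writer.close()


async def _roundtrip(payload: bytes, allowed: Optional[Set[str]]) -> bytes:
    """Echo service <- redirector <- client, all on loopback; return the reply."""
    echo_srv = await asyncio.start_server(_echo, "127.0.0.1", 0)
    echo_port = echo_srv.sockets[0].getsockname()[1]
    redir_srv = await asyncio.start_server(
        make_redirector("127.0.0.1", echo_port, allowed), "127.0.0.1", 0)
    redir_port = redir_srv.sockets[0].getsockname()[1]
    reply = b""
    try:
        # The client only ever talks to the redirector, never to the echo port.
        reader, writer = await asyncio.open_connection("127.0.0.1", redir_port)
        writer.write(payload)
        await writer.drain()
        writer.write_eof()
        reply = await reader.read()  # read until EOF
        writer.close()
        await writer.wait_closed()
    except OSError:
        pass  # a refused connection shows up as EOF or a reset: reply stays empty
    finally:
        echo_srv.close()
        redir_srv.close()
        await echo_srv.wait_closed()
        await redir_srv.wait_closed()
    return reply


def roundtrip(payload: bytes, allowed_sources: Optional[Set[str]] = None) -> bytes:
    """Run the loopback demo; returns payload when relayed, b"" when refused."""
    return asyncio.run(_roundtrip(payload, allowed_sources))


if __name__ == "__main__":
    print(roundtrip(b"hello through the redirect"))           # relayed
    print(roundtrip(b"hello", allowed_sources={"10.0.0.1"}))  # refused: b""
```

The half-close in `_pump` matters: closing the far socket as soon as one direction hits EOF would drop any reply still in flight, which is exactly the failure a naive relay shows with request/response protocols. In production a listener like this (or the ssh -L one) should bind to a specific address, not 0.0.0.0, and the allowlist is no substitute for authentication on the target service.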