Topic: Port forwarding from external IP to another external IP

RonS (Newbie, Posts: 7)
Port forwarding from external IP to another external IP
« on: April 17, 2017, 03:05:14 pm »
Hi,

I'm not sure if this topic should be in Multi WAN or NAT, so I'm posting it here.

I'm new to pfSense and not sure if this can be done. I have seen some 2+ year old posts related to this topic, but no solution is mentioned. Here's my situation.

I have a pfSense instance with 1 NIC; let's say its public IP is 1.1.1.1.

I have a web server instance that is not on the local network and is hosted somewhere else, with public IP 2.2.2.2.

VPN is not an option on these IPs. I'm trying to configure pfSense so that all traffic arriving on ports (80, 443, 20, 21, 22) on IP 1.1.1.1 is forwarded to 2.2.2.2 on the same ports.

I am able to do it with the socat utility using the following command:

socat TCP-LISTEN:80,fork TCP:2.2.2.2:80

but it's a small utility and no proper daemon/service is available for it. The only other option is iptables, but I really like the pfSense GUI and I can use it for VPN as well.

Can someone please help?

isolatedvirus (Jr. Member, Posts: 70)
Re: Port forwarding from external IP to another external IP
« Reply #1 on: April 19, 2017, 10:28:46 am »
The pfSense GUI would allow this with a port forward. You'll need to set a rule for EVERY port you wish to forward.

Go to NAT>Port Forward

Set destination IP (1.1.1.1), destination port, redirect target ip (2.2.2.2), redirect target port.

johnpoz (Hero Member, Posts: 12043; "Not a pfSense employee, they cannot fire me...")
Re: Port forwarding from external IP to another external IP
« Reply #2 on: April 19, 2017, 10:50:22 am »
Why would you not just go to 2.2.2.2 directly? At a loss as to why you would want/need to do something like this.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- If I have helped you and want to help back, https://www.freebsdfoundation.org/donate/
- Please don't PM me for personal help, info you don't want public sure. Link to thread you would like me to look at ok, etc.
1x SG-2440 2.3.3_p1 (work)
1x 2.4.0-BETA Apr 26 17:54:39 VM running on esxi 6.5 (home)

RonS (Newbie, Posts: 7)
Re: Port forwarding from external IP to another external IP
« Reply #3 on: April 20, 2017, 06:07:01 pm »
Thanks guys, but I have created the NAT and it still does not work. Does this also require other firewall rules or some other specific configuration?

It seems like a simple port forward for port 80, but the browser sits there for a while and then displays "page can't be displayed", as if the site cannot be loaded. It works when I go direct.

Any suggestions?

johnpoz (Hero Member, Posts: 12043)
Re: Port forwarding from external IP to another external IP
« Reply #4 on: April 21, 2017, 12:23:32 am »
"It works when I go direct."

Which is what you should be doing.. Here is where you have a problem..

Your client is talking to 1.1.1.1; that is where he sent data. 1.1.1.1 sends this data on to 2.2.2.2, but 2.2.2.2 is going to directly answer the sender, let's call that 3.3.3.3. Why would 3.3.3.3 accept the answer from 2.2.2.2 when he sent data to 1.1.1.1?

For your thing to work you would have to not just forward the traffic, you would need to source NAT it so that 2.2.2.2 sends data back to 1.1.1.1, which sends it back to 3.3.3.3.

In a typical port forward, 3.3.3.3 sends to 1.1.1.1, which sends it on to 192.168.1.100; 192.168.1.100 talks back to 3.3.3.3 via 1.1.1.1, so to 3.3.3.3 he is only talking to 1.1.1.1.

For your thing to work all traffic would have to go through 1.1.1.1, even the answer from 2.2.2.2.

It makes no sense to do what you're doing.

If you want users to be redirected to 2.2.2.2 when talking to 1.1.1.1, have 1.1.1.1 on port 80 send them a 301 or 302 in the HTTP request; this tells them "hey, this site has moved, go talk to the FQDN of what 2.2.2.2 is listening on." 3.3.3.3 would then directly talk to 2.2.2.2.

Derelict (Global Moderator, Hero Member, Posts: 7577)
Re: Port forwarding from external IP to another external IP
« Reply #5 on: April 21, 2017, 12:54:10 am »
You could maybe do that using OpenVPN with pfSense on both sides. But as far as a hairpin port forward, no.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help!

isolatedvirus (Jr. Member, Posts: 70)
Re: Port forwarding from external IP to another external IP
« Reply #6 on: April 21, 2017, 01:09:58 am »
Quote from: Derelict on April 21, 2017, 12:54:10 am
You could maybe do that using OpenVPN with pfSense on both sides. But as far as a hairpin port forward, no.

I've never seen it done with OpenVPN; I would definitely enjoy an example. Could you PM me the example, or post it here if it's not too off topic?

As far as hairpinning, you can absolutely do it. I used to hairpin my VPN connection for an always-on VPN setup, but I've recently changed to just doing host overrides in DNS to make it easier.

Derelict (Global Moderator, Hero Member, Posts: 7577)
Re: Port forwarding from external IP to another external IP
« Reply #7 on: April 21, 2017, 02:01:19 am »
Trouble is the reply traffic.

You could have an OpenVPN set up between the sites with the remote public IP address as a remote network. Then port forward the outside:port to that address:port.

On the other side you would need to have an assigned interface on the OpenVPN to take advantage of reply-to, so replies would go back through OpenVPN and the states would work.

Chances are the forwarded destination is just a port forward anyway, so all this "forward this WAN to that WAN" is moot anyway. You just need to forward connections into this WAN over OpenVPN to that LAN. OpenVPN works great there with reply-to.

RonS (Newbie, Posts: 7)
Re: Port forwarding from external IP to another external IP
« Reply #8 on: April 21, 2017, 06:59:07 am »
Thanks guys,

Just wanted to mention that the reason I'm doing this is to hide the identity of 2.2.2.2, the other IP address on the internet where this site's port 80 is hosted.

I would like 1.1.1.1 to be the main IP for some of my domains. Unfortunately, VPN is not an option at the moment.

Is there any better way of doing it other than port forwarding?

I have seen the socat Linux utility do that before. But it's limited to a single port forward per session, and I have multiple IPs and ports.

Ron

johnpoz (Hero Member, Posts: 12043)
Re: Port forwarding from external IP to another external IP
« Reply #9 on: April 21, 2017, 07:29:05 am »
Wow, you have a public IP on the internet, but you want to hide it from the public internet... yet still use it to host stuff??

The weirdest tinfoil hat logic I have ever heard ;)

isolatedvirus (Jr. Member, Posts: 70)
Re: Port forwarding from external IP to another external IP
« Reply #10 on: April 22, 2017, 05:23:39 pm »
Quote from: Derelict on April 21, 2017, 02:01:19 am
Trouble is the reply traffic.

You could have an OpenVPN set up between the sites with the remote public IP address as a remote network. Then port forward the outside:port to that address:port.

On the other side you would need to have an assigned interface on the OpenVPN to take advantage of reply-to, so replies would go back through OpenVPN and the states would work.

Chances are the forwarded destination is just a port forward anyway, so all this "forward this WAN to that WAN" is moot anyway. You just need to forward connections into this WAN over OpenVPN to that LAN. OpenVPN works great there with reply-to.

Outbound NAT solves the reply traffic issue you're speaking of.

Firewall rule: allow inbound port 80 to destination host 2.2.2.2.
Port forward rule: port forward ANY source going to destination WAN IP, destination port 80, to host 2.2.2.2 port 80.
Outbound NAT: WAN interface, NAT source ANY, destination 2.2.2.2, to WAN IP.
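
The following is an added example, not code from the thread and not pfSense's own code. It is a toy stateful firewall in Python that applies the three rules above (port forward, firewall pass, outbound NAT) on a single WAN interface, and replays the three-party exchange johnpoz describes in reply #4 with and without the outbound NAT rule. It shows why the client only accepts the reply when 2.2.2.2's answer comes back through 1.1.1.1, and what address 2.2.2.2 then sees as the client. The pf rule equivalents in the docstring, the port numbers and the state-table layout are assumptions of this model.

```python
"""Toy model of the hairpin port forward discussed in this thread.

Added example, not from the thread and not pfSense code. Assumed pf
equivalents of the three rules from reply #10 (filter rules in pf match the
post-rdr destination, which is why the pass rule names 2.2.2.2):

    rdr  on $wan proto tcp from any to 1.1.1.1 port 80 -> 2.2.2.2 port 80
    pass in on $wan proto tcp from any to 2.2.2.2 port 80
    nat  on $wan proto tcp from any to 2.2.2.2 port 80 -> 1.1.1.1
"""
from dataclasses import dataclass, replace

WAN_IP = "1.1.1.1"   # pfSense WAN address (thread placeholder)
SERVER = "2.2.2.2"   # remote web server (thread placeholder)
CLIENT = "3.3.3.3"   # an internet client (johnpoz's placeholder)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet a host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class HairpinFirewall:
    """Stateful NAT on one WAN interface: rdr always, outbound nat optional."""

    def __init__(self, forward_port=80, outbound_nat=False):
        self.forward_port = forward_port
        self.outbound_nat = outbound_nat
        # 4-tuple of the reply as it will arrive from the server -> original client packet
        self.states = {}
        self.next_nat_port = 50000  # assumed ephemeral port pool for outbound NAT

    def wan_in(self, pkt):
        """Process a packet arriving on WAN; return what leaves WAN, or None if dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            # Reply to a forwarded connection: undo both translations at once.
            return self.states[key].reply()
        if pkt.dst == WAN_IP and pkt.dport == self.forward_port:
            # Port forward (rdr): rewrite the destination to the remote server.
            fwd = replace(pkt, dst=SERVER)
            if self.outbound_nat:
                # Outbound NAT: the server must see the firewall as the source,
                # otherwise its reply goes straight to the client and never
                # passes back through the state table.
                fwd = replace(fwd, src=WAN_IP, sport=self.next_nat_port)
                self.next_nat_port += 1
            self.states[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = pkt
            return fwd
        return None  # no rule, no state: default deny


def simulate(outbound_nat, forward_port=80):
    """Replay client -> firewall -> server -> ... -> client for one SYN/reply."""
    fw = HairpinFirewall(forward_port, outbound_nat)
    client_sent = Packet(CLIENT, 40000, WAN_IP, forward_port)
    to_server = fw.wan_in(client_sent)
    server_reply = to_server.reply()          # server answers whoever it thinks sent it
    if server_reply.dst == WAN_IP:
        seen_by_client = fw.wan_in(server_reply)   # comes back through the firewall
    else:
        seen_by_client = server_reply              # goes straight to the client
    # A TCP client only accepts a reply from the peer it connected to.
    accepted = seen_by_client == client_sent.reply()
    return {
        "server_saw_client_as": to_server.src,
        "reply_from": seen_by_client.src,
        "accepted": accepted,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("outbound NAT", "on: " if mode else "off:", simulate(mode))
```

Without the outbound NAT rule the server answers 3.3.3.3 directly from 2.2.2.2, which is not the peer the client connected to, so the browser hangs exactly as RonS reports. With it, 2.2.2.2 sees every connection as coming from 1.1.1.1, which is the loss of client source address Derelict raises in reply #11.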

Derelict (Global Moderator, Hero Member, Posts: 7577)
Re: Port forwarding from external IP to another external IP
« Reply #11 on: April 22, 2017, 08:03:48 pm »
Port forwarding in and out the same interface is hokey, at best.

Also lost is the source address of the end user at the destination site.

Might not matter to OP.

johnpoz (Hero Member, Posts: 12043)
Re: Port forwarding from external IP to another external IP
« Reply #12 on: April 23, 2017, 04:36:14 am »
Can you say hairpin, can you say /2 bandwidth, can you say pointless in such a scenario... Because he wants to hide his public IP?? WTF???

Why not just host whatever he is doing at IP 1.1.1.1?? Uses less bandwidth this way, clients get better response, no hokey/borked setup, and they don't know about IP 2.2.2.2 ;) which seems to be the goal.

isolatedvirus (Jr. Member, Posts: 70)
Re: Port forwarding from external IP to another external IP
« Reply #13 on: April 23, 2017, 11:25:05 pm »
Update:

This has been solved and can be closed.

Quote from: johnpoz on April 23, 2017, 04:36:14 am
Can you say hairpin, can you say /2 bandwidth, can you say pointless in such a scenario... Because he wants to hide his public IP?? WTF???

Why not just host whatever he is doing at IP 1.1.1.1?? Uses less bandwidth this way, clients get better response, no hokey/borked setup, and they don't know about IP 2.2.2.2 ;) which seems to be the goal.

Yes, this would be a hairpin. It would halve the throughput, but the load on said link is negligible. I really don't feel like arguing semantics, so I'm just going to leave it at: hairpinning works just fine in pfSense.

He's unable to host locally, and the ultimate goal was to allow web servers to be dynamically provisioned and accessed without requiring constant DNS changes.

While it's *possible* to NAT the traffic, there were other constraints that would not be met doing it that way. The answer was setting up a reverse proxy, which also adds the benefit of acting as an accelerator.
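
The following is an added example of the reverse-proxy approach the thread settled on; it is not code from the thread and not pfSense's own code. It is a stdlib-only Python proxy that terminates the client's connection on the public host and opens a fresh one to the hidden origin, so the reply-traffic problem of the NAT hairpin never arises, and it carries the real client address in X-Forwarded-For, which the NAT approach loses. The origin address, listen port, timeout and header policy are assumptions.

```python
"""Minimal HTTP reverse proxy in front of a hidden origin.

Added example, not from the thread. Listens on the public host (1.1.1.1 in
the thread), relays each request to the origin (2.2.2.2), and relays the
response back. Origin address, port and timeout are assumed values.
"""
import http.client
import http.server

ORIGIN_HOST = "2.2.2.2"   # hidden origin (thread placeholder)
ORIGIN_PORT = 80
LISTEN_PORT = 8080         # assumed; binding 80 needs privileges
ORIGIN_TIMEOUT = 10        # seconds, assumed

# Hop-by-hop headers describe one TCP connection and must not be relayed
# (RFC 7230 section 6.1). Content-Length is recomputed because http.client
# decodes chunked bodies before handing them to us.
NOT_RELAYED = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade", "content-length",
}


def upstream_headers(incoming, client_ip):
    """Build the header set sent to the origin for one client request.

    Host is passed through unchanged so the origin's virtual hosts keep
    working for the domains pointed at the proxy. Any client-supplied
    X-Forwarded-* header is dropped and rebuilt, with a prior X-Forwarded-For
    chain appended to rather than trusted: the origin should only believe
    the last element, which this proxy wrote.
    """
    out = {}
    for name, value in incoming.items():
        lname = name.lower()
        if lname in NOT_RELAYED or lname.startswith("x-forwarded-"):
            continue
        out[name] = value
    prior = incoming.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    out["X-Forwarded-Proto"] = "http"
    return out


class ProxyHandler(http.server.BaseHTTPRequestHandler):
    def _relay(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        headers = upstream_headers(self.headers, self.client_address[0])
        conn = http.client.HTTPConnection(ORIGIN_HOST, ORIGIN_PORT, timeout=ORIGIN_TIMEOUT)
        try:
            # http.client adds Content-Length itself when a body is given.
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
        except (OSError, http.client.HTTPException) as exc:
            self.send_error(502, f"origin unreachable: {exc}")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            if name.lower() not in NOT_RELAYED:
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(data)

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _relay


def serve(port=LISTEN_PORT):
    """Run the proxy until interrupted; one thread per client connection."""
    with http.server.ThreadingHTTPServer(("", port), ProxyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the public host, point the domains' DNS at that host, and the origin's address never appears on the wire to clients; on the origin, configure the web server to log and rate-limit on the last element of X-Forwarded-For rather than the connecting address. Bandwidth is still doubled through the proxy host, as johnpoz notes for the hairpin, but the proxy can cache and reuse upstream connections where the NAT cannot.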