Port Forwarding
Port forwarding is an essential firewall function. This post shows how to enable it on pfSense. (Old post republished.)
Overview
The topology of a virtual network that needs port forwarding is shown below:
Fig.1 network topology
The pfSense router separates the WAN and LAN networks:
1. LAN: 192.168.153.0/24. The pfSense address on this interface is 192.168.153.1, which is the LAN's default gateway; all LAN traffic leaving the subnet passes through it.
2. WAN: 192.168.X.0/24, which connects to the Internet. The pfSense address on this interface is 192.168.X.131.
There is a Linux VM (192.168.153.8) in the LAN and a laptop (192.168.X.85) in the WAN network.
The laptop cannot reach the Linux VM directly; its traffic has to go through pfSense. If the laptop runs ssh user@192.168.X.131, it only reaches port 22 on pfSense itself (the firewall's own SSH service, if enabled), not the VM.
To solve this, we pick a port on the firewall's WAN address and tell pfSense that connections to that port are really meant for the Linux VM. The firewall then rewrites the destination address (destination NAT) and forwards all traffic arriving on that port to the VM.
Configure Port Forwarding
Configuring port forwarding on pfSense is straightforward: log into the pfSense web interface, go to Firewall / NAT / Port Forward and click Add. A configuration panel appears as below:
Fig.2 port forward part 1
Some explanation:
- Interface: WAN. This is the interface on which the port forward listens. In our case we want to allow connections from the laptop to the Linux server, so we choose WAN.
- Protocol: TCP, chosen from the drop-down list; SSH runs over TCP.
- Source
- Source IP: 192.168.0.0/16. This restricts which source addresses may use the forward; our WAN network is 192.168.X.0/24, so it must fall inside this range. Keep the source as narrow as the clients allow; choosing "any" exposes the forward to every host that can reach the WAN address.
- Source port range: we do not restrict it, since client source ports are ephemeral.
Fig.2 port forward part 2
- Destination
- Destination IP/Network: WAN address. This is the address the incoming packet is sent to, i.e. the pfSense WAN address 192.168.X.131 (not the LAN network, which is where the traffic ends up).
- Destination port range: 20481, a port we chose ourselves; all traffic to 192.168.X.131:20481 will be forwarded to the redirect target.
- Redirect target IP: 192.168.153.8, the VM's IP.
- Redirect target port: SSH (port 22).
- Filter rule association: leave it at "Add associated filter rule", so pfSense creates a matching firewall rule on WAN automatically. A port forward is only a NAT translation; without a pass rule, the WAN interface's default deny would still drop the redirected traffic.
After Save and Apply Changes, a port-forward rule and its associated firewall rule exist. Running ssh -p 20481 user@192.168.X.131 from the WAN network now opens an SSH session to the Linux VM. On first connection the host key fingerprint presented should be the VM's, not the firewall's, which confirms the forward reaches the intended host.
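The settings above end up in pfSense's config.xml under <nat><rule>. The following is an added example, not pfSense code or part of the original post: it parses the port-forward rules out of a config export and flags the two settings discussed above that weaken a WAN-facing forward (a source of "any" and a missing associated filter rule), plus a sanity check that the target really sits in the LAN. The element names follow the layout pfSense writes to /cf/conf/config.xml; the sample document itself is constructed for the example (the second rule is deliberately loose for contrast), and the LAN prefix is passed in as a parameter.

```python
"""Audit pfSense port-forward rules from a config.xml export.

Added example, not pfSense code. Assumes the <nat><rule> element layout
pfSense uses in config.xml; SAMPLE_CONFIG is constructed, not a real export.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the rule from this post, plus a looser one for contrast.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <source><address>192.168.0.0/16</address></source>
      <destination><network>wanip</network><port>20481</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.153.8</target>
      <local-port>22</local-port>
      <interface>wan</interface>
      <descr>SSH to linux vm</descr>
      <associated-rule-id>nat_example1</associated-rule-id>
    </rule>
    <rule>
      <source><any></any></source>
      <destination><network>wanip</network><port>3389</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.153.9</target>
      <local-port>3389</local-port>
      <interface>wan</interface>
      <descr>RDP open to everyone (bad)</descr>
      <associated-rule-id></associated-rule-id>
    </rule>
  </nat>
</pfsense>
"""


def parse_port_forwards(xml_text):
    """Return one dict per <nat><rule>; absent fields become None."""
    root = ET.fromstring(xml_text)
    forwards = []
    for rule in root.findall("./nat/rule"):
        src = rule.find("source")
        dst = rule.find("destination")
        # pfSense writes <any/> for "any"; otherwise <address> (CIDR/host) or
        # <network> (an interface alias such as "wan" or "lan").
        if src is not None and src.find("any") is not None:
            source = "any"
        else:
            source = src.findtext("address") or src.findtext("network")
        forwards.append({
            "interface": rule.findtext("interface"),
            "protocol": rule.findtext("protocol"),
            "source": source,
            "dest_network": dst.findtext("network"),   # "wanip" = WAN address
            "dest_port": dst.findtext("port"),         # external port
            "target": rule.findtext("target"),         # redirect target IP
            "target_port": rule.findtext("local-port"),  # redirect target port
            "descr": rule.findtext("descr"),
            # Empty or missing element means no associated filter rule.
            "assoc_rule": (rule.findtext("associated-rule-id") or "").strip() or None,
        })
    return forwards


def audit(forward, lan_net):
    """Return a list of findings for one forward; empty list means it looks fine."""
    findings = []
    if forward["source"] == "any":
        findings.append("source is any: every host that can reach the WAN "
                        "address may use this forward")
    if forward["assoc_rule"] is None:
        findings.append("no associated filter rule: the WAN default deny "
                        "will drop the redirected traffic")
    if ipaddress.ip_address(forward["target"]) not in ipaddress.ip_network(lan_net):
        findings.append(f"target {forward['target']} is outside the LAN {lan_net}")
    return findings


if __name__ == "__main__":
    for fwd in parse_port_forwards(SAMPLE_CONFIG):
        print(f"{fwd['interface']} {fwd['protocol']} {fwd['source']} -> "
              f"{fwd['dest_network']}:{fwd['dest_port']} => "
              f"{fwd['target']}:{fwd['target_port']}  ({fwd['descr']})")
        for finding in audit(fwd, "192.168.153.0/24"):
            print("   !", finding)
```

To run it against a real firewall, export the configuration from Diagnostics / Backup & Restore and pass the file contents to parse_port_forwards instead of SAMPLE_CONFIG; the first rule in the sample (the one from this post) produces no findings, while the loose second rule produces two.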