Port forwarding is a feature you use when you want to allow external users to reach specific ports on the LAN side of the network. Many people get confused when it comes to configuring port forwarding on the firewall.
In this blog, we are going to configure the port forwarding feature on the pfSense firewall step by step. As you know, pfSense is an open-source firewall that you can spin up in an organization with a tight budget. I have covered some blogs related to pfSense previously; you may check them out if you are not familiar with pfSense and how to get started.
We will test port forwarding with RDP, HTTP, and HTTPS traffic and see how each protocol behaves. The same steps apply to other protocols such as SSH, FTP, SFTP, and so on.
Does PfSense port forwarding work from WAN to LAN?
Port forwarding is mainly used on the WAN side of the firewall, as the WAN side is the outside interface of the firewall and an untrusted zone. So the best way to let anyone in is the port forwarding method, and like any commercial firewall, pfSense port forwarding from WAN to LAN works great.
One use case: you have an external user who wants to access an RDP server located inside your network. If the server has a private IP address, how do you let the user in?
The only interface that internet users can hit is the outside interface of the firewall, which is again blocked by the pfSense firewall. So you create a port forwarding policy on pfSense in which you specify the following:
- Anyone coming from a specific internet source IP (you specify the IP, e.g. 184.108.40.206),
- trying to reach the outside interface of the firewall on port 3389,
- is sent to the internal RDP server on the private range on port 3389.
Sometimes, you might have a web server that is listening on port 9898, so how do you make the users access the site from the internet?
They would have to type https://220.127.116.11:9898. With port forwarding, you can accept the connection on port 80 for HTTP or 443 for HTTPS and redirect it to port 9898.
So from the end user's perspective, they can open the browser and simply type http://18.104.22.168 or https://22.214.171.124.
As soon as you type HTTP or HTTPS, the browser uses port 80 or 443 respectively, so users don't have to worry about which port the server inside is listening on.
The risk of port forwarding.
It is common to allow source IP 'any' for web traffic, so that anyone on the internet can access your website.
For management protocols such as RDP and SSH, you should never put 'any' as the source IP. If you do, you are exposing that service to the entire internet, and anyone on the internet who can reach ports 3389 and 22 could get in.
You can tighten security further by choosing a different port number on the WAN side rather than the default one; we will cover that in the lab as well.
For management traffic, it is recommended to use pfSense OpenVPN to access internal resources.
If you don’t understand the concept, don’t worry we are going to cover that in more detail with a lab.
pfSense port forwarding topology.
Below is the topology that we are going to use.
We have a pfSense firewall configured, and on the LAN side of the firewall we have two web servers, one with HTTP and another with HTTPS, and also an RDP server. To access the pfSense GUI, and to test port connectivity on the LAN side, I have added an Ubuntu machine on the LAN side.
The pfSense firewall is also connected to the internet on the WAN side. There are three external users on the internet whom we need to allow access to the services, and we can configure pfSense port forwarding to accomplish this.
Steps to configure pfSense port forwarding.
- Verify the port connectivity on the LAN side.
- Verify the port connectivity from the external side.
- How to configure pfSense port forwarding for HTTP traffic?
- How to configure pfSense port forwarding for HTTPS traffic?
- How to allow external users to an RDP server using pfSense port forwarding?
- Test the RDP connectivity.
- How to configure port forwarding with multiple IP addresses?
- Configure pfSense port forwarding using a pfSense alias.
- pfSense port forwarding for multiple ports using a pfSense alias.
- pfSense RDP port forward with a different destination port.
Verify the Port connectivity on the LAN side.
I am using two web servers, one with the HTTP service and the other with HTTPS. Let's check connectivity to the web servers from one of the Ubuntu LAN hosts (10.1.1.11).
As you can see, I can access the HTTP server 10.1.1.80; let's also check HTTPS access.
The HTTPS server 10.1.1.43 is also working fine.
You can also test port connectivity using the telnet command. Type
telnet <IP address> <port number>
to see whether a specific port is open or not.
As you can see from above, I can connect to both the HTTP and HTTPS servers on the LAN side just fine. How about the RDP server? Let's find out.
You can use the same method to check the port status, and you can also use the RDP client on the Ubuntu machine to access the Windows RDP server.
Telnet shows the port is open, which is good.
As you can see, RDP access is also working fine.
Verify the Port connectivity from the external side.
Let's do the same test from the external users. By default it will not work, as pfSense blocks any traffic initiated from the outside. Moreover, remember that from the internet you will not be able to reach the private IP addresses on the pfSense LAN side; that is why I said we would configure port forwarding on the WAN side.
So instead of testing with the private IP address from the remote internet user, we test using the WAN-side IP of pfSense, which is 126.96.36.199.
As you can see, none of the ports are open on the firewall WAN side; the connection attempt keeps trying until I stop the session manually.
Let's look at the logs on the firewall (Status > System Logs > Firewall) and see whether we are getting any entries for these attempts.
As you can see below, there are multiple attempts from the outside user, and all of them were blocked by the firewall.
Using pfSense port forwarding, we are going to allow external users on the internet to access the internal network services.
In this lab, we are going to perform the following,
- First, we will allow HTTP traffic from the remote to our internal network.
- Second, we will enable HTTPS traffic.
- And finally, RDP to our internal windows server.
We are going to configure a single remote user to be able to access the network; later I will show you how to allow multiple outside users to the same ports using the pfSense alias feature.
How to configure pfSense port forwarding for HTTP traffic?
To configure port forwarding, go to Firewall > NAT > Port Forward.
Since this is a lab environment, the list is empty now; if you have configured port forwarding before, it will show up here.
Click on the up arrow with Add to add a rule to the top of the list.
Leave Interface at its default and Protocol at TCP, as HTTP and HTTPS are TCP traffic.
- Click on Display Advanced.
- On Source, select any from the drop-down; since this is web traffic, I want to allow it from everywhere on the internet.
- Source port: the source port is always random, so leave the default any.
- Destination: WAN address.
- Destination port range: HTTP.
- Redirect target IP: 10.1.1.80 (this is our internal HTTP web server).
- Redirect target port: HTTP.
If your web server is listening on a different port number, choose Other and define the port your server is listening on.
- Add a description for the rule and save it.
You may now click on Apply Changes.
Verify the HTTP access after port-forwarding.
From the internet host, which is a Windows machine, let's test HTTP access. As you can see, we are able to access the HTTP server just fine using the pfSense public IP.
If you look at the IP address shown in the body of the site, you can see it is the private IP address we assigned to the HTTP web server.
Validate HTTP port forwarding on pfSense.
To validate whether traffic is allowed by the port forward, let's check the logs on the firewall. However, logging is not enabled by default.
When you added this port forward rule, pfSense automatically added another rule on the WAN side, which permits traffic from the internet to a specific port (80) on the WAN side.
By default, this rule doesn't log sessions, so edit the rule by clicking on the pencil icon.
Under Extra Options, check the box that says Log packets that are handled by this rule.
Click on Save and apply the configuration.
Perform the test again from external remote machine 1. After you are able to access the HTTP web page, go to Status > System Logs > Firewall.
You should see a log entry showing that traffic from 188.8.131.52 to 10.1.1.80 on port 80 is permitted.
Although the remote side communicates with the WAN address, as a result of port forwarding the firewall NATs the traffic to the private IP address as configured.
Port forwarding traffic on the LAN side using packet capture.
Let's do a packet capture on the web server interface using Wireshark.
As you can see in the packet capture below, the source IP remains 184.108.40.206, talking to the web server 10.1.1.80 on port 80.
We have successfully configured port forwarding on pfSense for HTTP traffic initiated from the WAN side to the LAN, and it is working as expected.
How to configure pfSense port forwarding for HTTPS traffic?
Let's configure the HTTPS traffic using the same method.
Click on the down arrow with Add to add the rule below the previous one.
Leave the protocol as TCP, like before.
- Click Display Advanced on the source.
- As it is web traffic, we want to allow any.
- Leave the source port at the default any, because the source port is always random.
- Destination port range: HTTPS.
- Redirect target IP: the web server IP, which is 10.1.1.43.
- Redirect target port: HTTPS. If your web server is listening on another port, choose Other and enter the port number.
- Give a description and save the NAT rule.
Access the HTTPS web server from remote.
Now test the connection to the IP address 220.127.116.11 on port 443; for that, simply access the web page over HTTPS.
If you don't have a proper certificate, you will get a security warning; click Yes to continue.
As you can see, I am able to access the secure HTTPS web server as well, and you can see the private IP address of the web server, 10.1.1.143, that we configured earlier.
Validate the HTTPS traffic on the firewall.
To see the logs, click on Firewall > Rules; just like before, you should see a new rule added automatically to the WAN-side rules.
I have edited the rule to log the traffic.
Initiate the traffic again and head over to Status > System Logs > Firewall.
You should see logs indicating that traffic from internet user1 (18.104.22.168) to 10.1.1.43 on port 443 is allowed.
How to allow external users to an RDP server using pfSense port forwarding?
We already tested RDP access on the LAN side of the firewall successfully; the RDP client was able to connect to the RDP server.
Now let's extend the same access to a specific IP on the WAN side, as we did with the previous protocols.
There is a small difference here: while HTTP and HTTPS access was provided to anyone on the internet (Source: any), the RDP port should never be exposed to the entire internet. Rather, allow access only from known or trusted IPs.
Just like before, we configure port forwarding and allow the RDP port from a specific public IP to communicate via the WAN-side IP to the LAN side.
Click on Firewall > NAT > Port Forward.
Click on Add with the down arrow to add a rule just below the previous two rules.
- Source IP: 22.214.171.124.
- Destination port range: MS RDP.
- Redirect target IP: 10.1.1.89.
- Redirect target port: MS RDP.
- Give a description, save the configuration, and apply the change.
Validate the RDP traffic on the firewall.
Enable logging on the rule.
Go to Firewall > Rules, edit the RDP rule to log the session, and apply the configuration.
Test the RDP connectivity.
Using telnet, I verified the RDP port status and can see it is open and connected.
I also tried RDP access from the Windows machine using the RDP client, and that also worked just fine; you can see the RDP IP is 126.96.36.199.
Since you enabled logging, you can see the logs under Status > System Logs > Firewall.
Apart from HTTP and HTTPS, you can now see the logs for RDP access as well.
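The log checks above (the blocked attempts before the port forward, then the permitted HTTP, HTTPS and RDP entries) can be automated. The following is an added example, not code from the post: it parses pfSense filter log lines in the CSV layout that pfSense's filterlog writes, and checks inbound WAN entries against the intended port-forward policy, flagging any pass that reaches a target nobody intended or that comes from a source the policy does not trust (for instance RDP reachable from 'any'). The field positions, the interface name em0, and the 203.0.113.x / 198.51.100.1 addresses are assumptions; the sample log lines are constructed.

```python
import csv

# Intended WAN-side port forwards: internal target -> trusted sources.
# None means any source (web traffic); RDP is limited to one trusted address.
# 203.0.113.x and 198.51.100.1 are constructed documentation addresses.
POLICY = {("10.1.1.80", 80): None, ("10.1.1.43", 443): None,
          ("10.1.1.89", 3389): {"203.0.113.10"}}

# Field positions in an IPv4 pfSense filterlog CSV entry (rule,subrule,anchor,tracker,
# iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,proto,protoname,length,src,dst,sport,dport,...)
IFACE, ACTION, DIR, IPVER, SRC, DST, DPORT = 4, 6, 7, 8, 18, 19, 21

def parse_filterlog(text):
    """Return one dict per IPv4 TCP/UDP log line; IPv6 and short rows are skipped."""
    entries = []
    for row in csv.reader(text.strip().splitlines()):
        if len(row) <= DPORT or row[IPVER] != "4":
            continue
        entries.append({"iface": row[IFACE], "action": row[ACTION], "dir": row[DIR],
                        "src": row[SRC], "dst": row[DST], "dport": int(row[DPORT])})
    return entries

def audit(entries, policy, wan_iface="em0"):
    """Count inbound WAN blocks and expected passes; list passes that break policy."""
    result = {"blocked": 0, "allowed": 0, "violations": []}
    for e in entries:
        if e["iface"] != wan_iface or e["dir"] != "in":
            continue
        if e["action"] == "block":
            result["blocked"] += 1
            continue
        # The redirect is applied before filtering, so a permitted forward is
        # logged with the internal destination (e.g. 10.1.1.80:80), as in the post.
        target, flow = (e["dst"], e["dport"]), f"{e['src']} -> {e['dst']}:{e['dport']}"
        if target not in policy:          # a forward nobody intended, or one left behind
            result["violations"].append("unexpected forward " + flow)
        elif policy[target] is not None and e["src"] not in policy[target]:
            result["violations"].append("untrusted source " + flow)
        else:
            result["allowed"] += 1
    return result

# Constructed sample log lines (not real captures) in the filterlog layout.
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,in,4,0x0,,55,1,0,DF,6,tcp,60,203.0.113.10,198.51.100.1,51002,80,0,S,1,,65535,,mss
9,,,1591000001,em0,match,pass,in,4,0x0,,55,2,0,DF,6,tcp,60,203.0.113.10,10.1.1.80,51003,80,0,S,1,,65535,,mss
10,,,1591000002,em0,match,pass,in,4,0x0,,55,3,0,DF,6,tcp,60,203.0.113.10,10.1.1.43,51004,443,0,S,1,,65535,,mss
11,,,1591000003,em0,match,pass,in,4,0x0,,55,4,0,DF,6,tcp,60,203.0.113.10,10.1.1.89,51005,3389,0,S,1,,65535,,mss
11,,,1591000003,em0,match,pass,in,4,0x0,,55,5,0,DF,6,tcp,60,203.0.113.20,10.1.1.89,51006,3389,0,S,1,,65535,,mss
12,,,1591000004,em0,match,pass,in,4,0x0,,55,6,0,DF,6,tcp,60,203.0.113.20,10.1.1.22,51007,22,0,S,1,,65535,,mss
"""
```

Running `audit(parse_filterlog(SAMPLE_LOG), POLICY)` reports one block (the pre-forward attempt), three expected passes, and two violations: RDP reached from an address outside the trusted set, and an SSH forward that the policy never defined.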
pfSense RDP port forward with a different destination port (port redirect).
Port forwarding is working and everyone is happy, but to tighten security you decide to change the RDP port on the WAN side to 3030 and have the firewall redirect it to destination port 3389 on the internal side.
For example, the internet user starts the session towards the WAN-side IP 188.8.131.52 on port 3030, and the firewall redirects the request to the internal RDP server on the default port 3389.
Internet user 184.108.40.206 -> 220.127.116.11:3030 -> 10.1.1.89:3389
Let's see how we can do that: edit the RDP port forwarding policy.
- Destination port: choose 3030.
- Redirect target port: choose the default RDP port, MS RDP.
Test the RDP redirect port connectivity.
Let's go ahead and test the connectivity now.
When I test the connectivity from internet user2, the default RDP port is denied, but port 3030 works fine. Let's also check the RDP application.
How about from the RDP client?
When I tried the previous RDP connection, I can no longer access the RDP machine; it says it can't connect.
To connect with a different port number, instead of giving just the IP address, append the port number to the IP address (18.104.22.168:3030).
The RDP access worked successfully after changing the port.
Port forwarding is very useful if you want to allow single or multiple external users access to specific internal resources or services. However, make sure you remove the configuration when it is no longer needed. My recommendation for WAN-to-LAN port forwarding is to first check with the customer whether they have the option to build an IPsec tunnel from the remote network to the pfSense firewall. If port forwarding is the only option, ask them how long they require the access, keep a reminder on your system, and remove those external IP addresses once the requirement is over.