Port forwarding is useful when you want to give external users access to specific ports on the LAN side, inside the network. Many people get confused when it comes to configuring port forwarding on the firewall.
In this blog, we are going to configure the port forwarding feature on the pfSense firewall step by step. As you know, pfSense is an open-source firewall that you can spin up in an organization with a tighter budget. I have covered pfSense in some previous blogs; you may check them out if you are not familiar with the pfSense firewall and how to get started.
Does pfSense port forwarding work from WAN to LAN?
Port forwarding is mainly used on the WAN side of the firewall, since the WAN side is the outside interface of the firewall and also an untrusted zone. So, if you want to let anyone in, the best way is the port forwarding method. And like on any commercial firewall, pfSense port forwarding from WAN to LAN works great.
One use case: you have an external user who wants to access an RDP server that is located internally on your network. If the server has a private IP address, how do you let the user in?
The only interface that an outside user can hit is the outside interface, which is again blocked by the pfSense firewall. So you can create a NAT policy on the pfSense firewall that specifies the following.
- Anyone coming from a specific internet source IP (you specify the IP, e.g. 184.108.40.206).
- Trying to reach the outside interface of the firewall on port 3389.
- Send to the internal RDP server on a private range on port 3389.
Note: You should never put ‘any’ as the source IP. If you do that, you are exposing the firewall to the internet, and anyone on the internet would be able to get in on port 3389.
You can even tighten the security by choosing a different destination port number on the WAN side rather than the default one; we will cover that as well in the lab.
If you don’t understand the concept, don’t worry; we are going to cover it in more detail with a lab.
pfSense port forwarding topology.
Below is the topology that we are going to use.
We have the pfSense firewall configured, and on the LAN side of the firewall we have two web servers, one with HTTP and another with HTTPS, and also an RDP server. To access the pfSense GUI, and also to test the port connectivity on the LAN side, I have added an Ubuntu machine on the LAN side.
The pfSense firewall is also configured and connected to the internet on the WAN side. There are three external users on the internet to whom we need to allow access to the services. We can configure pfSense port forwarding to accomplish this.
Steps to configure port forwarding on pfSense.
- Verify the port connectivity on the LAN side.
- Verify the port connectivity from the external side.
- How to configure pfSense port forwarding for HTTP traffic?
- How to configure pfSense port forwarding for HTTPS traffic?
- How to allow external users to the RDP server using pfSense port forwarding?
- Test the RDP connectivity.
- How to configure port forwarding with multiple IP addresses?
- Configure pfSense port forwarding using a pfSense alias.
- pfSense port forwarding for multiple ports using a pfSense alias.
- pfSense RDP port forward with a different destination port.
Verify the port connectivity on the LAN side.
I am using two web servers, one with HTTP service and the other with HTTPS. Let’s check the connectivity to the web servers from the Ubuntu LAN host (10.1.1.11).
As you can see, I can access the HTTP server 10.1.1.80. Let’s also check the HTTPS access.
The HTTPS server 10.1.1.43 is also working fine.
You can also test the port connectivity using the telnet command.
You can type the following command to see whether a specific port is open or not:
telnet <IP address> <port number>
As you can see from the above, I can connect to both the HTTP and HTTPS servers on the LAN side just fine. How about the RDP server? Let’s find out.
You can use the same method to check the port status, and you can also use the RDP client on the Ubuntu machine to access the Windows RDP server.
The telnet shows the port is open, which is good.
As you can see, the RDP access is also working fine.
Verify the port connectivity from the external side.
Let’s do the same test from the external users. By default it will not work, as pfSense blocks any traffic that is initiated from the outside. Moreover, remember that from the internet you will not be able to access the private IP addresses on the pfSense LAN side; that is why, as I said, we configure the port forwarding on the WAN side.
So instead of testing with the private IP address from the remote internet user, we are going to test using the WAN-side IP of the pfSense, which is 220.127.116.11.
As you can see, none of the ports are open on the firewall WAN side, and the connection keeps trying until I stop the session manually.
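The reachability checks above, as an added example that is not part of the original post: a Python probe that does what the telnet test does but with a timeout, so a port dropped by the firewall is reported as filtered instead of hanging. The WAN address 192.0.2.1 is a placeholder and the function names are this example's own.

```python
import errno
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)  # telnet has no such limit, so it hangs on drops
    try:
        sock.connect((host, port))
        return "open"       # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"     # host answered with a reset: reachable, no listener
    except socket.timeout:
        return "filtered"   # no answer at all: packet dropped on the way
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()

def verify(expectations, timeout=3.0):
    """Return (label, expected, actual) for every port not in its expected state."""
    mismatches = []
    for label, host, port, expected in expectations:
        actual = probe(host, port, timeout)
        if actual != expected:
            mismatches.append((label, expected, actual))
    return mismatches

if __name__ == "__main__":
    WAN_IP = "192.0.2.1"  # placeholder: substitute your pfSense WAN address
    # Baseline before any port forward exists: every service is dropped.
    baseline = [
        ("HTTP", WAN_IP, 80, "filtered"),
        ("HTTPS", WAN_IP, 443, "filtered"),
        ("RDP", WAN_IP, 3389, "filtered"),
    ]
    for label, expected, actual in verify(baseline):
        print(f"{label}: expected {expected}, got {actual}")
```

Run it from an allowed source and from a source that is not allowed; after each port forward is added, change that service's expected state to open for the allowed source only.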
Let’s look at the logs (Status > System Logs > Firewall) on the firewall and see if we are getting any logs for these attempts.
As you can see below, there are multiple attempts from the outside user; however, they were blocked by the firewall.
Using pfSense port forwarding, we are going to allow external users on the internet to access the internal network services.
In this lab, we are going to perform the following:
- First, we will allow HTTP traffic from the remote to our internal network.
- Second, we will enable HTTPS traffic.
- And finally, RDP to our internal Windows server.
We are going to configure a single remote user to be able to access the network; later I will show you how you can allow multiple outside users to the same ports using something called a pfSense alias.
How to configure pfSense port forwarding for HTTP traffic?
To configure port forwarding, go to Firewall > NAT > Port forwarding.
Since this is a lab environment, the list is empty for now. If you have configured port forwarding before, it will show up here.
Click on the Add button with the up arrow to add a rule to the top of the list.
Leave Interface and Protocol at the defaults.
And click on Display Advanced.
- For the source, select Single host or alias from the drop-down and enter the source IP address 18.104.22.168.
- The source port is always random, hence leave the default, any.
- The destination should be the WAN address.
- For the destination port range, choose HTTP.
- Redirect target IP – 10.1.1.80 (This is our internal HTTP web server)
- Redirect target port – HTTP.
- You can also add a description for the rule, then save it.
You can now click on Apply changes.
Verify the HTTP access after port forwarding.
From internet user1 (22.214.171.124), which is a Windows box, let’s go ahead and test the HTTP access. As you can see, we are able to access the HTTP server just fine with the pfSense public IP.
And if you look at the IP address in the body of the site, you can see that it is the private IP address that we assigned to the HTTP web server.
Validate HTTP port forwarding on the pfSense.
To validate whether traffic is allowed by the port forwarding, let’s check the logs on the firewall. However, the traffic is not logged by default.
When you added this NAT rule, another rule was automatically added by the pfSense firewall on the WAN side.
By default, this rule doesn’t log the session, so edit this rule by clicking on the pencil icon.
Under the extra options, check the box that says to log the packets that are handled by this rule.
Click on save and apply the configuration.
You can perform the test again from the external remote machine 1. After you are able to access the HTTP web page, you can then go to Status > System Logs > Firewall.
You should be able to see the log that says traffic from 126.96.36.199 to 10.1.1.80 on port 80 is permitted.
Though from the remote side we are communicating with the WAN address, as a result of port forwarding the firewall is doing the NAT towards the private IP address, as we configured.
Port forwarding traffic on the LAN side using packet capture.
Let’s go ahead and do a packet capture on the web server interface using Wireshark.
As you can see in the packet capture below, the source IP remains the same, 188.8.131.52, and it is talking to the web server 10.1.1.80 on port 80.
We successfully configured the port forwarding on pfSense for the HTTP traffic that was initiated from the WAN side to the LAN, and it is working as expected.
How to configure pfSense port forwarding for HTTPS traffic?
Let’s go ahead and configure the HTTPS traffic using the same method.
Click on the Add button with the down arrow to add the rule below the previous rule.
- Click on show advanced, and set the source address type to Single host or alias.
- Leave the source port at the default, any.
- Set the destination port range to HTTPS.
- Set the redirect target IP to the web server IP, which is 10.1.1.43.
- Set the redirect target port to HTTPS.
- Give the description and save the NAT rule.
Access the HTTPS web server from remote.
Now test the connection to the IP address 184.108.40.206 on port 443; simply access the web page with https.
If you don’t have a proper certificate, you will get a security warning; click on yes to continue.
As you can see, I am able to access the secure HTTPS web server as well, and you can see the private IP address of the web server, which is 10.1.1.143, that we configured earlier.
Validate the HTTPS traffic on the firewall.
To see the logs, you can click on Firewall > Rules; just like before, you should be able to see a new rule that was added automatically to the WAN side rules.
I have edited the rule to log the traffic.
Initiate the traffic again and head over to Status > System Logs > Firewall.
You should be able to see the logs that indicate the traffic from internet user1 (220.127.116.11) trying to access 10.1.1.43 on port 443, which is allowed.
How to allow external users to the RDP server using pfSense port forwarding?
We already tested the RDP access on the LAN side of the firewall successfully; the RDP client was able to connect to the RDP server.
Now let’s go ahead and extend the same access to a specific IP on the WAN side, as we did with the previous protocols.
There is nothing different here; just like before, we configure the port forwarding and allow the RDP port to communicate from the WAN side IP to the LAN side.
Click on Firewall > NAT > Port forwarding.
Click on the Add button with the down arrow to add a rule just below the previous two rules.
- Choose the source IP as 18.104.22.168.
- Set the destination port range to MS RDP.
- Set the redirect target IP to 10.1.1.89.
- Set the redirect target port to MS RDP.
- Give a description, save the configuration and apply the change.
Validate the RDP traffic on the firewall.
Allow rules logging.
Go to Firewall > Rules. Edit the RDP rule to log the session and apply the configuration.
Test the RDP connectivity.
Using telnet, I verified the RDP port status, and I can see it is open and connected.
I also tried the RDP access from the Windows machine using the RDP client, and that also worked just fine, and you can see the RDP IP is 22.214.171.124.
Since you enabled logging, you can see the logs under Status > System Logs > Firewall.
Apart from the HTTP and HTTPS, you can now see the logs for RDP access as well.
How to configure port forwarding with multiple IP addresses?
Remember, we had 2 other remote machines connected to the internet. You have been asked to allow those remote hosts as well on the 3 NAT rules you created. How do you achieve that?
First, let’s test and see if those remote hosts can reach the inside IPs using HTTP, HTTPS and RDP.
For internet user 2 with the IP address, access to all the services is blocked.
Similarly, internet-user3 with the IP address 126.96.36.199 is also unable to reach those services.
For those attempts, you can see multiple deny logs, which means the firewall is not letting them in.
Configure pfSense port forwarding using a pfSense alias.
To configure port forwarding for multiple IPs, you could configure specific rules again for those two IPs as we did before, but that would add more complexity as you add more and more remote IP addresses, and it would be difficult to manage the rules.
The best way to manage this situation is by using something called an alias on the pfSense firewall.
You can create an alias for those remote IPs, e.g. Remote IPs (188.8.131.52, 184.108.40.206, 220.127.116.11), and call this alias as the source IP in the existing rules.
Click on the Add button to add the alias on the pfSense firewall.
- Name the alias.
- Give the description, and for the Type choose Hosts.
- Add the remote WAN subnets under hosts with their name/description, then click on SAVE and apply the configuration.
Go back to the NAT rules, edit those three port-forwarding rules, add the alias that we just created as the source IP address, then click on SAVE and apply the configuration.
That’s it, you have now allowed access to all three remote subnets. You can go ahead and perform the test and see if it is working or not.
Test from internet user1: everything is working fine.
The same goes for internet-user2.
And internet user-3 as well.
You can also see the logs for all the three remote sites that are allowed to access the internal resources.
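The same check can be run against the firewall log as text. This added example (not from the original post) parses filterlog lines and reports any passed connection to a forwarded service whose source is not in the alias. The log lines, the interface name em0, the alias addresses and the assumed field order of the raw filterlog format are constructed for illustration.

```python
from collections import Counter

# Constructed stand-ins for the alias members; targets are the lab's servers.
ALLOWED_SOURCES = {"203.0.113.10", "203.0.113.20", "203.0.113.30"}
FORWARD_TARGETS = {("10.1.1.80", 80), ("10.1.1.43", 443), ("10.1.1.89", 3389)}

# Constructed log lines; field order assumes pfSense's raw filterlog CSV layout.
SAMPLE_LOG = """\
Mar  1 10:00:01 pfSense filterlog[4242]: 98,,,1700000001,em0,match,pass,in,4,0x0,,118,4211,0,DF,6,tcp,52,203.0.113.10,10.1.1.80,50112,80,0,S,311500,,64240,,mss
Mar  1 10:00:07 pfSense filterlog[4242]: 4,,,1000000103,em0,match,block,in,4,0x0,,118,4300,0,DF,6,tcp,52,198.51.100.7,192.0.2.1,50500,3389,0,S,911500,,64240,,mss
Mar  1 10:00:08 pfSense filterlog[4242]: 4,,,1000000103,em0,match,block,in,4,0x0,,118,4301,0,DF,6,tcp,52,198.51.100.7,192.0.2.1,50501,443,0,S,911900,,64240,,mss
Mar  1 10:00:09 pfSense filterlog[4242]: 100,,,1700000003,em0,match,pass,in,4,0x0,,118,4302,0,DF,6,tcp,52,198.51.100.99,10.1.1.89,50777,3389,0,S,912200,,64240,,mss
"""

def parse_filterlog(line):
    """Return the fields of interest for an IPv4 TCP/UDP entry, else None."""
    payload = line.partition("filterlog")[2].partition(": ")[2].strip()
    f = payload.split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "direction": f[7],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def audit(log_text, wan_iface="em0"):
    """Return (passes from non-alias sources to forwarded services, block counts)."""
    unexpected, blocked = [], Counter()
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if not entry or entry["iface"] != wan_iface or entry["direction"] != "in":
            continue
        if entry["action"] == "block":
            blocked[entry["src"]] += 1
        elif (entry["action"] == "pass"
              and (entry["dst"], entry["dport"]) in FORWARD_TARGETS
              and entry["src"] not in ALLOWED_SOURCES):
            # The log shows the post-NAT destination, so match the private IP.
            unexpected.append((entry["src"], entry["dst"], entry["dport"]))
    return unexpected, dict(blocked)

if __name__ == "__main__":
    passes, blocks = audit(SAMPLE_LOG)
    print("unexpected passes:", passes)
    print("blocked attempts per source:", blocks)
```

An empty first list means every logged pass to a forwarded service came from an alias member; the second value shows which outside sources are still being denied.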
pfSense port forwarding for multiple ports using a pfSense alias.
The same alias method can be used for forwarding multiple ports on the pfSense firewall as well. E.g. you have HTTP, HTTPS and RDP allowed on the same server; similar to how you created the alias for multiple IPs, you could create an alias with multiple ports, e.g. Remote ports (HTTP, HTTPS and RDP), and on the destination port side you call the alias instead of individual ports.
pfSense RDP port forward with a different destination port.
The port forwarding is working well and everyone is happy, but to tighten the security you decide to change the destination port that the RDP source machine connects to from the default to 3030, which the firewall then redirects to destination port 3389 on the internal side.
E.g. the internet user starts the session towards the WAN side 18.104.22.168 on port number 3030, and the firewall should redirect the request to the internal RDP server on the default port number 3389.
Internet user 22.214.171.124 –> 126.96.36.199:3030 –> 10.1.1.89:3389.
Let’s see how we can do that. Go ahead and edit the RDP port forwarding policy.
- For the Destination port, choose 3030.
- For the Redirect target port, choose the default RDP port, which is MS RDP.
Test the RDP redirect port connectivity.
Let’s go ahead and test the connectivity now.
When I try to test the connectivity from the internet user2, the default RDP port is denied; however, when I tried with the port number 3030, it is working fine. Let’s also check the RDP application.
How about from the RDP client?
When I tried accessing the previous RDP configuration, I can no longer access the RDP machine and it says can’t connect.
So to connect with a different port number, instead of giving just the IP address while connecting, you can give the port number as well at the end of the IP address (188.8.131.52:3030).
And the RDP access worked successfully after changing the port.
Port forwarding is very useful if you want to give single or multiple external users access to specific internal resources or services. However, you need to make sure that you remove the configuration when it is no longer needed. My recommendation when it comes to WAN to LAN port forwarding is that you first check with the customer whether they have the option to build an IPsec tunnel from the remote network to the pfSense firewall. If port forwarding is the only option, ask them how long they require the access, keep a reminder on your system, and after the requirement is done remove those external IP addresses.
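For the periodic review recommended above, and the earlier note about never using ‘any’ as the source, an added example (not from the original post) that lists the enabled WAN port forwards in a configuration backup and marks those open to any source. The XML sample is constructed, and its element names are an assumption about the config.xml backup layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names assume the layout of a pfSense config.xml backup.
SAMPLE_CONFIG = """<pfsense><nat>
  <rule><source><address>Remote_IPs</address></source>
    <destination><network>wanip</network><port>3030</port></destination>
    <protocol>tcp</protocol><target>10.1.1.89</target><local-port>3389</local-port>
    <interface>wan</interface><descr>RDP on 3030</descr></rule>
  <rule><source><any/></source>
    <destination><network>wanip</network><port>80</port></destination>
    <protocol>tcp</protocol><target>10.1.1.80</target><local-port>80</local-port>
    <interface>wan</interface><descr>HTTP</descr></rule>
  <rule><disabled/><source><any/></source>
    <destination><network>wanip</network><port>443</port></destination>
    <protocol>tcp</protocol><target>10.1.1.43</target><local-port>443</local-port>
    <interface>wan</interface><descr>HTTPS (old)</descr></rule>
</nat></pfsense>"""

def source_of(rule):
    """Return 'any', an address/alias/network name, or 'unknown'."""
    src = rule.find("source")
    if src is None:
        return "unknown"
    if src.find("any") is not None:
        return "any"
    for tag in ("address", "network"):
        value = src.findtext(tag)
        if value:
            return value.strip()
    return "unknown"

def audit_port_forwards(xml_text):
    """Return (description, source, mapping, verdict) for each enabled WAN forward."""
    rows = []
    for rule in ET.fromstring(xml_text).findall("./nat/rule"):
        if rule.find("disabled") is not None or rule.findtext("interface") != "wan":
            continue
        source = source_of(rule)
        mapping = "{} -> {}:{}".format(rule.findtext("destination/port", "any"),
                                       rule.findtext("target"),
                                       rule.findtext("local-port"))
        verdict = "review" if source in ("any", "unknown") else "restricted"
        rows.append((rule.findtext("descr", ""), source, mapping, verdict))
    return rows

if __name__ == "__main__":
    for row in audit_port_forwards(SAMPLE_CONFIG):
        print(" | ".join(row))
```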