Volker, I read this and started to panic a little bit.  What, I cannot restrict which hosts can use a port forward?  I started thinking, oh no, I have to look for a different firewall distribution.

Then I tried it out.  I added a port forward

Wan TCP 5900 192.168.1.199 (ext: 192.168.40.129)  5900  VNC

And I changed the WAN rule from
TCP, Any source IP, Any source port, Dest 192.168.1.199, Dest port 5900, NAT VNC
To
TCP, Source 192.168.40.5, Any source port, Dest 192.168.1.199, Dest port 5900, NAT VNC

And now only 192.168.40.5 can use that port forward.  Am I misunderstanding what you were saying?  I understand how it isn't possible to restrict based on the original destination port (if it is different, else it doesn't matter) but I don't understand what you are saying about the source IP.

Thanks
Josh

Volker Kuhlmann wrote:
I seem to be having difficulty adding a port forward :(
from WAN ->lan(192.168.1.3) port 80
The macmini can get to the outside world
is there any other debugging I can look at?
I had some trouble too, coming from Linux. The thing to keep in mind is
that the port forwarding happens before(!) the firewall rules are
applied. So, apart from wanting a port forward/NAT rule

  WAN port X -> lan(192.168.1.3) port 80

You also need to insert a firewall rule

  WAN any -> LAN port 80

In this context it is impossible to restrict access to the port
forwarding depending on e.g. source IP, because the port forwarding
applies unconditionally to everything, and with the firewall rules you
have to match against LAN port 80, and can no longer use the WAN port
the packet was originally addressed to. Lousy IMHO, but that's how it
is.

HTH,

Volker


-- 
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro               | Office 218.233.3757 EXT-139
LARL Network Administrator | Mobile 701.371.3857
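For readers who want to see the two layers Volker describes without the web GUI in the way, the following is an added example in raw pf.conf syntax (pfSense and m0n0wall are built on pf); it is not from either poster. The interface names em0 and em1 are assumptions, and the addresses are the ones from Josh's test. The rdr rule translates first; the pass rule is evaluated afterwards against the already translated packet, so it has to name the internal destination (192.168.1.199 port 5900) rather than the WAN address or WAN port, but the source address is still intact at that point and can be restricted, which is what Josh observed:

```pf
# Added example: raw pf.conf equivalent of the VNC port forward discussed above.
# Interface names are assumptions; addresses come from Josh's test.
ext_if  = "em0"               # WAN interface (assumed name)
int_if  = "em1"               # LAN interface (assumed name)
wan_ip  = "192.168.40.129"    # external address the forward listens on
vnc_srv = "192.168.1.199"     # internal VNC host
allowed = "192.168.40.5"      # the only source that should reach it

# 1. Translation (rdr) is applied before any filter rule is evaluated.
#    Destination 192.168.40.129:5900 becomes 192.168.1.199:5900 for every
#    TCP packet arriving on the WAN, regardless of who sent it.
rdr on $ext_if proto tcp from any to $wan_ip port 5900 -> $vnc_srv port 5900

# 2. Filtering sees the translated packet. The rule must therefore match the
#    internal address and port, not the WAN ones, but "from" still works:
#    the source address was not rewritten by the rdr.
block in on $ext_if
pass in on $ext_if proto tcp from $allowed to $vnc_srv port 5900 keep state

# Any other WAN source (say 192.168.40.6) is translated by the rdr just the
# same, then falls through to "block in" and is dropped.

# The limitation Volker mentions: had the forward been
#   rdr on $ext_if proto tcp from any to $wan_ip port 5901 -> $vnc_srv port 5900
# the pass rule would still have to say "port 5900", because 5901 no longer
# exists on the packet by the time the filter runs.
```

With the default last-matching-rule semantics of pf, the broad `block in` followed by the narrower `pass in` gives the intended result; the state entry created by the pass rule also lets the VNC server's replies back out through the translation.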
