Port Forwarding and NAT Reflection in pfSense - REUPLOAD

Captions
So a few months ago we changed our internet service provider. We had full fiber, but "full fiber" to some companies is different to what I think it is, so I switched to a company that does FTTP, fiber to the property, as opposed to fiber to a cab halfway down the street that's shared with the whole street. I have my own fiber line, and the upside of that is I've now got a synchronous connection rather than 1 gig download and 50 meg up. So I've now got a gig down and a gig up. Fantastic. This opens up a world of possibilities for running servers, and that's what we'll look at today: we're going to look at port forwarding on pfSense.

So I have my trusty BSD machine running FreeBSD 13.2-RELEASE, and it's got a couple of packages installed, nothing out of the ordinary. This one is running nginx ("engine-xinx" in my head is how I see it; I know it's "engine X") and it's running just one virtual server, the standard one, which is... where is it? There you go. It's listening on port... at localhost, I think. It's probably tied to every IP address on this server. Anyhow, if we move over to Chrome, 87.1, there you go: "Welcome to nginx! Thank you for using nginx." You're welcome, you're welcome. So that's up and running. The problem is I can't see that from the outside world; it's only on my local network via IP address. So how can I let the outside world see that? Well, let's take a look at that now, shall we?

So if we go on to pfSense. We've logged in now. You'll see that I'm actually running a beta version; this is still applicable on a standard version. In pfSense, port forwarding is not named "port forwarding", it's under the NAT section. So we go to that, and there are no rules here, so we're going to add two, just because I want to be a bit thorough. We're going to add one for SSH so we can SSH from the outside world. I'm not going to discuss the implications of security; I know that's not a great idea, especially since this SSH allows root to log in, and I'm going to take these off anyway as soon as I finish. Like I said, I'll be taking it out after, so don't put in the comments "you shouldn't be running..." Doesn't matter, it's going soon. Right.

So you click on Add a new rule, and here it shows a few bits. Under the protocol I'm going to go TCP; click the right one. It's going to come from the WAN address, and the destination port range, that's what we're going to look at, so we're going to go port 80. This is where you can remap it from port 80 to 81 if you want to do that; you don't have to. And then the redirect target IP address, one 48 8711, and just to be thorough we're going to put that in there as well, and a description. Here we go. I'm going to come back to that reflection in a minute, and there's a reason for it.

So what this is essentially doing is setting up a rule to allow traffic in: when you type in www-whatever and you've got that IP, you've got that host pointed to this IP address, the firewall says "ah, I know where that's supposed to go, it's supposed to go over here," and it forwards the traffic. However, from inside the LAN it just sort of hits the firewall and goes "I don't know what to do now." So we'll look at that reflection in a minute; we want it to reflect back in to the right place. So we'll look at that in a little while.

So there we go: we're on the WAN interface, IP address is IPv4, protocol is TCP, it's on the WAN address, and destination port range is 80 to 80, to the IP address of 8711, and we're just keeping that the same. Put in a description, click Save. That's the rule created, but it's not applied yet, and pfSense is really good at this, because if you make a mistake in your rules and you want to just have a quick look at it and go "yeah, that's not quite right," it allows you to change it before you apply it. I know that's right, so we're going to apply that. That's done. How do I know that's done? I can't test it from inside my network at the moment, because if I do that what I'll get is a funny message from pfSense: "Potential DNS Rebind attack detected". However, if I do it from outside of my network, on my phone, let me just turn Wi-Fi off, it will work fine. There we go: "Welcome to nginx". So that's working, looking lovely.

So let's talk about NAT reflection then, because I'm still working this out myself. So, pfSense NAT reflection, let's have a look at what it says. Available choices: there are three available choices for NAT reflection for port forwards. They are: Disabled: NAT reflection will not be performed, but it may be enabled on a per-rule basis. NAT + Proxy: enables NAT reflection using a helper program to send packets to the target of the port forward. Or Pure NAT: enables NAT reflection using only NAT rules in pf to direct packets to the target of the port forward. It has better scalability, but it must be possible to accurately determine the interface and the gateway IP address used for communication with the target at the time the rules are loaded. There are no inherent limits to the number of ports other than the limits of the protocols. Okay. If servers are on the same subnets as clients, the "Enable automatic outbound NAT for reflection" option will mask the source of the traffic so it flows properly back. Automatic outbound reflection, so let's have a look at that then.

So we'll go to Advanced, Firewall & NAT, Network Address Translation, which is probably where we were. Advanced, Firewall & NAT, and what's it called, "Enable automatic outbound NAT for reflection". Let's see where it is. We tick that. "Automatic creation of additional NAT redirect rules from within the internal networks"; we'll have that as well. And we've got this set to Pure NAT, which I think is the one we want, so let's apply that. Let's go back to our NAT rule now. The system default, as you saw, was Pure NAT anyway, but I'm going to change it to Pure here. Apply that. That should now be working; let's see what happens. I get a funny feeling it's probably just going to say the same thing. Yeah, but it might be cached, so let's close it and let's test that again. Yeah, still doing it. So the question is why. Love playing around with this, but let's have a look at that. I mean, there is another way that we could do this, and we could do this with DNS, but we're not going to; I'm going to stick to that and see where we go.

So, pfSense NAT reflection, and we want to put in "potential DNS rebind". Okay, so how do we turn that off? "To exclude a domain from DNS rebinding protection, use the Custom Options box in the DNS Resolver settings." Ah, so where's that custom option? Custom Options box in the DNS Resolver settings. So where is it then? Custom Options box... I didn't see a custom... oh, there it is. Right, okay, so what do we want to put in there? Right, now I'm going to blank out this domain because I don't think you really need to know that. Let's save that. Let's see if that works, because I don't know if this is going to work.

So what I had done, I had messed up a bit. There's a webGUI redirect rule here, so this may have worked without me even worrying about that reflection, because it was already set as a default. So essentially what I had enabled was the webConfigurator redirect rule, which allows traffic to the firewall on port 80 and redirects it to the port that you've actually got the webConfigurator running on. Disable that rule, and it works fine. So just to prove that, let's... yeah, see, think smarter, not harder. It is early, well, earlyish. So there we go, so that's port forwarding in a nutshell ("Help, I'm in a nutshell!"), and it works lovely, got to say.

So I'm going to just very quickly run through setting up another one, and this will be for port 22, which is SSH, as we know; that was what I said before. So that will be, again, TCP, port 20, port 20, 8711, port 20, "allow SSH", Save and Apply. So what we'll do is we will quickly log into my remote host. Here we go, there's my remote host. Let's change these settings so you can actually see what I'm doing, and what we're going to do is we're just going to SSH back in. So... well now, that's interesting, because this did work the other day when I tested it out; it's just not working now. Why is that then? Did you get something wrong? Well, it helps if you use the right blinking port number, don't it, Gary? Try that again, shall we? Okay, so we're logged into my... oh no, we're logged into my remote host, and we're going to SSH back into my little PC down there. There we go. So if you notice, that is the same as my other PuTTY session, which is local: root@test, root@test.

So that's really all there is to it. You set up the redirection rule; in that, you choose the version of NAT reflection that you want. Once you've done that, make sure that your configurator has not got a redirect rule for any port, and you're good to go. This is brilliant, this is exactly what I wanted, and now I can actually bring my remote server back here, which is what I wanted to do a few months ago, and I will be doing soon. Hope you find this useful, and if you do, please do give it a thumbs up, leave a comment, quite like reading them. I'm so sorry that I am not on top of replying at the moment; things are just a bit chaotic at the moment. I will start replying as soon as I can. I know I've got a backlog, a massive backlog, but I will start replying to them again soon. Click Subscribe to get notifications of when I next release a video. It's usually one a week, sometimes more if I make a bit of a... up. And as always, I'll see you in the next video. See you later.
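The video drives all of this through the pfSense GUI, so the pf rules behind the "Pure NAT" and "automatic outbound NAT for reflection" options never appear on screen. The fragment below is an added illustration, not code from the video or from pfSense, of what those three GUI settings amount to in pf.conf terms on FreeBSD: the WAN port forward, the LAN-side reflection redirect, and the outbound NAT that makes a same-subnet hairpin return through the firewall. Interface names, the LAN subnet and the server address are placeholders standing in for the speaker's (unrecoverable) values.

```pf
# Added illustrative pf.conf fragment (not from the video or pfSense itself).
# All macros below are placeholders; substitute the real WAN/LAN interface
# names, LAN subnet and internal server address.
ext_if   = "em0"              # WAN interface, placeholder
lan_if   = "em1"              # LAN interface, placeholder
lan_net  = "192.168.1.0/24"   # LAN subnet, placeholder
web_srv  = "192.168.1.11"     # the nginx box, placeholder
web_port = "80"

# 1. The port forward itself (GUI: Firewall > NAT > Port Forward).
#    TCP traffic arriving on the WAN address for port 80 gets its
#    destination rewritten to the internal web server.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $web_port \
    -> $web_srv port $web_port

# 2. NAT reflection, "Pure NAT" flavour: the same redirect is also
#    applied to traffic that enters on the LAN interface aimed at the
#    public address, so a LAN client no longer dead-ends at the firewall.
rdr on $lan_if inet proto tcp from $lan_net to ($ext_if) port $web_port \
    -> $web_srv port $web_port

# 3. "Enable automatic outbound NAT for reflection": client and server
#    share a subnet, so the server's reply would otherwise go directly
#    to the client and fail to match the state pf created. Rewriting the
#    source to the firewall's LAN address forces the reply back through pf.
nat on $lan_if inet proto tcp from $lan_net to $web_srv port $web_port \
    -> ($lan_if)

# 4. rdr/nat only translate addresses; a filter rule must still admit
#    the translated traffic (pfSense adds this when the port forward's
#    "Filter rule association" is left at its default).
pass in on $ext_if inet proto tcp to $web_srv port $web_port keep state
```

Two properties of pf explain what the video runs into. Translation rules (`rdr`, `nat`) are first-match, unlike filter rules, so a redirect for port 80 that pfSense itself places earlier, such as the webConfigurator redirect the speaker eventually disables, wins over the port forward; `pfctl -sn` from Diagnostics > Command Prompt lists the translation rules in the order pf evaluates them. And the "Potential DNS Rebind attack detected" page is unrelated to NAT: it is the GUI refusing a request whose Host header is a public name, which is why the fix is on the DNS Resolver side (Unbound's `private-domain: "example.com"` directive in Custom Options, with the speaker's real domain substituted) rather than in the NAT rules.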
Info
Channel: GaryH Tech
Views: 1,664
Keywords: #FreeBSD, 5 reasons to use freebsd, FOSS, FreeBSD, FreeBSD Handbook, FreeBSD Networking, FreeBSD PKG, FreeBSD ports tree, Freebsd 13.1 changes, Freebsd 13.1 review, Freebsd 13.1 what's new, Freebsd kde, Freebsd review, GaryH Tech, NFS Server, NIX, OSS, Rdp, Unix, current, debugging, freebsd, freebsd 11, freebsd desktop, freebsd install, freebsd que es, freebsd review, freebsd vs linux, how to freebsd, install freebsd, linux, linux vs freebsd, storage, truenas, tutorial freebsd, pfsense
Id: L7vyhymKi1A
Length: 12min 44sec (764 seconds)
Published: Thu Oct 05 2023