Tutorial: pfsense Port Forwarding

Captions
Tom here from Lawrence Systems, and we're going to cover port forwarding on pfSense Plus 22.05 or pfSense Community Edition 2.6, as the latest versions that are available here in August of 2022. Now this is just some basic port forwarding we're going to cover, but I also talk a little about the security that you should be considering when you're doing this. So we will show also how to do some port forwarding restricting, how to handle it with multiple WAN addresses, how to set up aliases to make port forwarding easier, for either aliases on inbound or aliases on the ports, or why not both; those are all things that are great options you can do in there. I'll even show a couple advanced use cases for port forwarding, but I always want people to think about and consider that before you open something up to the world. And by the way, a prerequisite for this to work on the public internet is for your WAN to have one or more publicly available IP addresses. So before you open some up to the world, really think about whether or not that's a good idea first, because this is often, well, how many attacks occur: people look for open ports, or bots, I would say, automatically look for them. So the moment you open a port, yes, lots of things start poking away at it. Be prepared for that to happen; hopefully you are secure and can mitigate any problems that may arise from it. Just want those warnings in the video.

Now before we dive into the details of the video, let's first: are you an individual or company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consult on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration, or IT teams in need of additional support. With our expert install team we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways you want to support this channel, there's affiliate links down below to get you deals and discounts on products and services we talk about on this channel. And now back to our content.

All right, now the first place I want to start is to cover the IP addresses we're going to use. This is a simulated lab that I have set up, so none of these are actually WAN public IP addresses, but they're the ones we're going to use for this demo. And we have my computer at 172.16.16.9 coming across the pseudo-internet over to pfSense Lab. Now I've got two IP addresses assigned in this lab, because this is a frequent port forward question that comes up: when you have a single WAN interface and you want to choose which one to port forward to, this can be tricky, especially when you're aliasing IP addresses; people are like, but how do I get the other one? I only see one address option. And I'll make sure we cover that in the video. So we're going to have this assigned on the WAN side: .217 and .250. So this is a 192.168.3 network with these two IP addresses, and the target is being able to SSH, and maybe test a few other ports, and get into this Ubuntu lab server that is 10.0.0.100.

So these are all the IP addresses we're going to use for this particular demo. Now in pfSense, go to Firewall, then NAT, and that's where you're going to be able to get to the NAT port forwarding options. There are options here we're not going to cover today; it's in the documentation if you wanted to do a one-to-one mapping, where you just take everything from a particular IP address and map it to another device. I find that, well, less secure generally. I really want you to think about principles of least privilege: you only open up what's necessary, to who is necessary to be opened up for, end of story. That to me reduces the amount of noise you're going to see, reduces the amount of potential problems you're going to have. So we're going to go here and we're going to go ahead and click Add, and we're going to do a port forward by saying Interface: WAN. And even if we have a few interfaces, we're going to start with WAN on this one. Address Family: IPv4. TCP. And there are other options you can do: you've got UDP, you have TCP/UDP as a combo, ICMP, GRE, et cetera, et cetera. SSH is a TCP-based protocol, so we're going to use that. Now there's two options over here: we can say Destination, and WAN address really here, but we can choose SSH if we wanted, make it really simple and say just go SSH, or you could just type in the port number. Once you choose one of the pull-down options, it removes the port number. Also, we'll go ahead and leave it as Other, 22, 22. Now the way ranges work in there, and it sometimes can be a little bit confusing, is I can say 22 to, let's say, 28.

Now we're going to actually forward four ports (we're not going to actually do this), but then you see over here there's only one on the redirect target port. Now the reason there's only one is because that's the starting range on a target port, so if we have these six more ports that we're going over here, well, it'll start here and forward them over. So you actually don't get a range on the redirected port on the device you're targeting. But now we'll go ahead and do 10.0.0.100, and we'll just leave this at 22 because we're just getting SSH working. We'll say "allow ssh" down here. NAT reflection: use system default. There are a couple different options for NAT reflection, and you can go into defaults and change these: you can enable NAT + proxy, pure NAT, or disable. What NAT reflection means is how does this behave when you're inside the network. This is very popular with camera systems, where you want to open up a port for a camera system, but then you go, hey, it's not working when I'm inside the network, because I'm still hitting this, you know, public WAN IP address I programmed into the app, but now when it's inside the network it doesn't redirect. What this does is it redirects you; so it says, no, reflect it inward, so even though something's inside the network, let it go ahead and route through the rules and come back. I have mine set up as system default because I have it set up for the pure NAT on there, and if you'd like to set that, you go under System, Advanced, Firewall & NAT and choose NAT Reflection: Pure NAT. That is where you set the system default; it's in the documentation for pfSense as well. Now the last option here is "Add associated filter rule". This is where some firewalls in modern times can annoy me, where they don't create a separate rule, because yes, there is a separate rule needed. pfSense has added this for your convenience. The NAT operation is separate from your firewall rules, that is a fact, and someone will go, of course it works that way, if you're used to using firewalls where you create a NAT rule and then you also have to create a rule to allow the traffic to come into the firewall. pfSense, as a convenience, does this in one click.

So we hit Save, we click Apply, and the associated filter rule: we'll go ahead and edit here, we'll go down, and here is "View the filter rule", which also goes over to Firewall, Rules, Edit. So it comes over here and you're seeing we're allowing a firewall rule "NAT allow ssh"; it's creating that separate rule. If we go just over to Rules and we look at the WAN rules (ignore all the extras on here, they're for different things we're testing), you'll see this bottom one that we just added, "NAT allow ssh". So it's adding that filter rule automatically, because you have to allow it on WAN, and then when that packet comes in and hits that port, it hits the NAT rules and redirects to the destination we set up in NAT. So back here where we have our port forward rule created, I also have a tab open over here because I'm doing a pfTop diagnostic, where I say Host, here's our host address; I want to see anything that's connecting to this address. Currently there are no connections, so let's go ahead and create some and make sure our port forward works. Now referencing back to our diagram: ssh lts@192.168.3.217, the WAN IP address of our demo firewall, and it works. If we look over here, we see that, hey, I just logged into a box that has an IP address of .100; perfect, worked exactly as expected, and we can see these connections established. Now one of the things I want to point out when we establish these connections: so here is my IP address, and the thing to note is that the destination port was 22, and you may have noticed that the source port is something different, so we have 45674. Source ports are generated randomly from the outgoing firewalls through the internet and they land on a specific port, so they may come in indiscriminately. That's why when you're looking at these NAT rules, and I've seen people sometimes break things like this: you want to limit your source address, but listen, limiting a source port requires, well, a little bit extra, because you have to make sure it's only coming from that port. So generally your source port you're always going to leave, you know, wildcarded as an asterisk here.

Source address is the next thing I want to talk about, because one of the important things to think about when you're doing this is, like, well, anyone can now hit this port; it's wide open. This is where you may want to limit your source addresses. The way you do that: we're going to go over here to Edit, and you look at Display Advanced, and what is the network we want this to come in on? And you can say Any, or Single host or alias. Single host is one single host that you want to filter this for, so if we say we can only come in from 3.12 or any other IP address, that would limit the scope to only that IP address coming in. More ideally, we would want to do it this way: so we go here to Firewall, Aliases, and we want to add an IP alias. Hit Add: "allowed in ssh", IP address, we'll paste it in there. What's the address we want to allow? Well, we have to allow my computer in, 172.16.16.9, Tom's computer. So we're going to add another one, and we'll say what if we wanted to have it from another computer. Now we've added, well, as many as we want, as we keep clicking Add to be able to add these in here, and then we click Save, click Apply. Firewall, NAT, we're going to edit that rule, and we're going to Display Advanced, Single host or alias, just start typing, it'll autocomplete. Go down here to Save, Apply Changes, and if we mouse over now, the source address, instead of displaying one value, displays all the values in here. So if we go over here and SSH in, and we exit, it works great, so we can go back and forth and say, now it's working. Now let's go ahead and update that alias to show you another condition you may run into. We're going to edit this; we're going to delete Tom; Save, Apply. No problem, we've got this address rule; let's go ahead and refresh this page. We only allow this particular one in, so we go back over to pfTop and we see a couple connections here from Tom.

So let's talk about those connections, because they shouldn't exist right now, because I updated a rule that says Tom can't get in. So what happens? So right now I'm in; I can type top and commands seem to be working. Let's go ahead and exit and see what happens. We've just closed that active state; we're going to jump back in, but we can't. What happens is when you change a rule but there's already an open state, the default behavior (this can be changed, or you can kill the state), the default behavior is to allow states that exist to keep existing. So if you're doing some testing with this and you have an active state open, such as an SSH connection, even though I change the rules, they're not going to just drop off. So now I can't come in; it's not allowing me. But we can go over here, Firewall, Aliases, edit this, we'll add host 1.9, Save, Apply, retry again: hey look, I'm in; it works perfectly fine again. So that's how those work in terms of aliases. Now you can use aliases for things like ports, so let's go ahead and look at the NAT rules here. We want to add another NAT rule: WAN, IPv4, TCP. But what if we had a list of custom ports like this, like the UniFi controller? There's a popular grouping of ports, and we'll just put that in there. For each one of these, single host, the same host; it's not actually a UniFi controller, but yeah, let's pretend it is for the sake of something popular someone may want to do. Same thing with ports: UniFi controller, "allow unifi ports". Right, now we have these ports over here for the UniFi controller; works the same way. Now how do we do those? This over here in Aliases, we go to Ports: hey, there's all the ports for the UniFi controller. Now the other advantage, of course: I have one, two, three, four different ports in there. What if I needed to change one of these, and I had many rules related to port forwarding, for a couple different reasons, or, you know, I needed to add or remove a specific port? I could just keep adding or removing them right inside of here, and it's as easy as that to keep control over, you know, things that you want to open up.

So it works whether using IP addresses; it works with these different ports added in here. And actually, when you have a lot of things you're forwarding, I do prefer to add them all in here; that way, as you repeat rules, it just makes it a lot easier. And whenever you edit it here, it will automatically apply; that's why when you edit these it asks you. And let's just go ahead and open one up real quick: we add a port, whatever that port is, "test", Save. When you hit Apply here, it's not just applying the alias; it actually is re-running the filter rules in the background and reapplying them. That way they've all been reworked, because it realizes there's a change in the alias; this alias is used within filter rules, so it actually reloads all the filter rules when you do that. Now let's go back over here to the firewall; we're going to go ahead and delete this one, as we don't need it. But the next question is, how do we build a rule when we have another IP address on our WAN? Now this is going to be obvious if you go here and say, hey, I can just choose WAN2 if it exists, but this at the top says Interface. I want to make sure you understand: Interface is not the same as Destination, because Destination is WAN address, or WAN2 address; sounds pretty simple enough. But what about when you have more than one IP address on your WAN? And the way you do that (I've talked about this before, but just a quick briefer here) is you go over here to Virtual IPs. We have an extra virtual IP assigned; it's an IP alias, single address, so it's assigned to this interface, and there's the IP address, and it's just another WAN IP. We're going to go back over here to our Firewall, NAT, and we'll duplicate this rule for simplicity. So Interface is the same, because it's aliased on that interface. This is where we want to get to the other IP address, and we can add three, five, doesn't really matter how many we have; we just have one on here; they would all show up in this list. So 192.168.3.250.

Now we're going to hit Save but not Apply, so it's sitting here ready but not applied, and I want to show you what happens here. So we're going to go ahead and exit this, then we're going to go ahead and say .250, the other IP address in there: it doesn't work. Just want to make sure: despite there being a rule that allows it for the WAN, and just generically worded "WAN address", even though this is an alias to the WAN, it's not the WAN address; that's an important distinction, so it doesn't automatically work. So we'll click Apply. Now we can see these two different rules: the WAN address, and then the secondary destination address on the WAN. There's the destination; there's the NAT IP internally. So now when we go back over here, it logs us right in, works perfectly fine. All right, I've deleted that rule. Now let's talk about another scenario, our destination address being "WAN address". Go ahead and click Edit; we've deleted that extra one, so let's change it to "WAN net" as a destination. Now if we do WAN net as a destination, so it's Interface: WAN, but then WAN net, so everything that's aliased on the WAN net. Go ahead and click Apply; so we only have the one rule here, and if we do this, we go to 3.217, it works; we go to 3.250, it works. If we add more WAN addresses, more aliases, it will continue to work, because we're just going on and saying anything that's on that WAN address, go ahead and just allow it to come through. This may not be an ideal situation that you want to do, but for those of you curious of, hey, this will allow it for all the IP addresses I alias, and maybe your use case is for that, then yes, that will absolutely work. Now one final thing I want to cover that's kind of novel, but just to show there's more than just ports that can be forwarded through NAT, is ICMP. Maybe you don't have a use case for that, but I think it's novel that this is an ability that's in here.

We can ping 192.168.3.217, except by default pfSense blocks ICMP traffic. That can be changed, but we left things at the default behavior. But what if: we could go over here, and we want to add a rule, and we want the WAN, IPv4, protocol though, let's change the protocol, and this is where there's a few different options. We can even do, as I said, these other ones in here, if you needed OSPF to be forwarded to another device, but let's specifically talk about ICMP. Now there's obviously not as many options; you don't get ports, it's just ICMP traffic, but we can do that, where we go 10.0.0.100, and we'll say "allow icmp". So pretty simple: go ahead and hit Save, Apply, and the pings have started, and we'll go over here back to the pfTop, and we can see the ICMP traffic down here coming from my system and going in there. So pretty simple; these are other things you can forward when you're using these. And that's it; that's all I have for port forwarding. But please take the time to read through the Netgate documentation; it is wonderful; it has even more than I covered in here, so there's always a lot of scenarios, and maybe some specialized use cases, that the scenarios can be helpful in there. Check out my forums, forums.lawrencesystems.com, for more in-depth discussion on this topic, and, well, any other videos I've covered, or head over to the Netgate forums; there's all kinds of information over there on things like, you know, how port forwarding works, or certain scenarios that are outside the norm. But what I cover today will cover probably 99% of people's needs when it comes to port forwarding. As always, thanks and see you next time.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and look forward to hearing from you.
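What the GUI steps in the video produce underneath, written out as raw pf rules. This is an added illustration, not from the video and not pfSense's own generated ruleset (pfSense writes its version to /tmp/rules.debug with extra options); the interface name em0 is assumed, the addresses are the ones from the demo, and the UniFi port numbers are placeholders since the video does not list them.

```pf
# Assumed WAN interface name (pfSense shows the real one under Interfaces > Assignments)
wan_if = "em0"

# The IP alias "allowed in ssh" becomes a pf table; a port alias becomes a macro,
# because pf tables hold addresses only. Port values here are placeholders.
table <allowed_in_ssh> { 172.16.16.9 }
unifi_ports = "{ 8080 8443 }"

# A port forward is two separate things. First, the NAT (rdr) rule. Source port is
# left wildcarded: the client picks it randomly (45674 in the pfTop view).
rdr on $wan_if inet proto tcp from <allowed_in_ssh> to 192.168.3.217 port 22 -> 10.0.0.100 port 22

# "WAN address" is only the interface's primary address, so the virtual IP
# 192.168.3.250 needs its own rdr (the rule that did not work before Apply):
rdr on $wan_if inet proto tcp from <allowed_in_ssh> to 192.168.3.250 port 22 -> 10.0.0.100 port 22
# "WAN net" instead matches the whole interface subnet, so every alias on it:
# rdr on $wan_if inet proto tcp from <allowed_in_ssh> to 192.168.3.0/24 port 22 -> 10.0.0.100 port 22

# A source range maps onto a range that starts at the single target port:
# rdr on $wan_if inet proto tcp from any to 192.168.3.217 port 22:28 -> 10.0.0.100 port 22:*

# Port alias in use: one rdr covers every port in the macro
rdr on $wan_if inet proto tcp from <allowed_in_ssh> to 192.168.3.217 port $unifi_ports -> 10.0.0.100

# Second, the "associated filter rule". It is evaluated after translation, so it
# matches the internal destination, not the WAN address.
pass in quick on $wan_if inet proto tcp from <allowed_in_ssh> to 10.0.0.100 port 22 flags S/SA keep state label "USER_RULE: NAT allow ssh"
pass in quick on $wan_if inet proto tcp from <allowed_in_ssh> to 10.0.0.100 port $unifi_ports flags S/SA keep state label "USER_RULE: NAT allow unifi ports"

# ICMP forward: no ports, just the protocol
rdr on $wan_if inet proto icmp from any to 192.168.3.217 -> 10.0.0.100
pass in quick on $wan_if inet proto icmp from any to 10.0.0.100 keep state label "USER_RULE: NAT allow icmp"

# Removing 172.16.16.9 from the table does not end a session that is already open:
# existing states survive a reload. Diagnostics > States in the GUI, or
#   pfctl -k 172.16.16.9
# from a shell, kills the states for that host so the new rules take effect.
```

Reading it this way makes the video's point concrete: editing the alias table changes both the rdr and the pass rule at once, which is why pfSense reloads the whole filter when an alias is applied.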
Info
Channel: Lawrence Systems
Views: 42,379
Keywords: LawrenceSystems, pfsense port forwarding, pfsense firewall, port forward, pfsense (software), port forwarding, pfsense router, open source router, pfsense tutorial, network address translation, network security, pfsense setup, pfsense nat setup multiple wan
Id: 1YDVebJlGbM
Length: 19min 35sec (1175 seconds)
Published: Tue Aug 09 2022