26.1.6_2 Destination NAT - how to use port range?

Started by OPNsense4ever, April 26, 2026, 11:47:58 PM

Hello,

I am trying to redirect TCP/UDP ports 1630-1641 to a host on my LAN. I can use the "Single port or range" drop-down for the Destination Port, but there is nothing similar for Redirect Target Port. I looked at the docs here, but I don't see anything.

What should be used for Redirect Target Port? The first port in the range? 1630? any?

Thank you!

I'm pretty sure destination NAT is one to one. You would need 2 rules, one for port 1630 and one for port 1631 if you need both redirected.

Edit: Oops, just realized you have 12 ports up to 1641. So it would be 12 rules. I could be wrong, but that's what I did for the redirects I need.

April 27, 2026, 02:29:46 AM #2 Last Edit: April 27, 2026, 02:37:59 AM by lmoore
Quote from: OPNsense4ever on April 26, 2026, 11:47:58 PMWhat should be used for Redirect Target Port? The first port in the range? 1630? any?

In your case you would enter 1630, which is the base port number for the range.

Connections arriving within your port range of 1630-1641 will be redirected to ports 1630-1641 at the redirected address.

If you set your Redirect Target Port to 20630, the connections arriving within the port range of 1630-1641 will be redirected to 20630-20641.

If you wanted to use multiple but not sequential ports, you would set up a Port Alias with the port numbers and use the Port Alias in the Destination Port and Redirect Target Port fields.

[Edit] Using "any" simply redirects to the port numbers within the range.

Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
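To make the mapping lmoore describes concrete (base port, shifted base port, and "any" with a non-contiguous Port Alias, the last of which Larry's 53/853 test later in the thread confirms), here is an added example that is not code from the thread or from OPNsense. It models the port rewrite a pf rdr rule performs and renders the equivalent hand-written pf.conf rule. The contiguous-range mapping follows the thread; the explicit-range branch follows pf's modulo mapping of a `port lo:hi` target; the interface name, addresses and alias contents are made-up values, and the rendered rule is plain pf syntax, not necessarily what the OPNsense rule generator emits.

```python
"""Model of how a pf rdr rule rewrites the destination port when the rule
matches a port range (or a Port Alias) and the Redirect Target Port is a
base port, an explicit range, or "any".  Added example; interface, host
and alias contents are constructed values."""

from typing import Dict, List, Sequence, Tuple, Union

PortSpec = Union[int, str, Sequence[int]]       # 1630 | "1630-1641" | [53, 853]
TargetSpec = Union[int, str, Tuple[int, int]]   # 1630 | "any" | (20630, 20641)


def expand_ports(spec: PortSpec) -> List[int]:
    """Expand a destination spec into a sorted list of ports.

    A "lo-hi" string is a GUI-style range, an int a single port, and a
    sequence stands in for a Port Alias (which may be non-contiguous)."""
    if isinstance(spec, int):
        return [spec]
    if isinstance(spec, str):
        lo, _, hi = spec.partition("-")
        return list(range(int(lo), int(hi or lo) + 1))
    return sorted(set(spec))


def is_contiguous(ports: List[int]) -> bool:
    return ports == list(range(ports[0], ports[-1] + 1))


def rdr_target_port(dport: int, dst: PortSpec, target: TargetSpec) -> int:
    """Return the port a connection arriving on `dport` is redirected to."""
    ports = expand_ports(dst)
    if dport not in ports:
        raise ValueError(f"port {dport} does not match the rule's destination")
    if target == "any":
        # "any" keeps the original destination port; the only form the
        # thread confirms working with a non-contiguous alias.
        return dport
    if isinstance(target, int):
        # A base port shifts the whole range: 1630-1641 -> base .. base+11.
        if not is_contiguous(ports):
            raise ValueError("a base port needs a contiguous destination range; "
                             "use 'any' with a non-contiguous alias")
        mapped = target + (dport - ports[0])
    else:
        # Explicit target range (pf's own "port lo:hi" form): offset into
        # the destination range, modulo the length of the target range.
        lo, hi = target
        if not is_contiguous(ports):
            raise ValueError("an explicit target range needs a contiguous destination range")
        mapped = lo + (dport - ports[0]) % (hi - lo + 1)
    if mapped > 65535:
        raise ValueError(f"mapped port {mapped} is out of range")
    return mapped


def mapping_table(dst: PortSpec, target: TargetSpec) -> Dict[int, int]:
    """Full incoming-port -> redirected-port table for one rule."""
    return {p: rdr_target_port(p, dst, target) for p in expand_ports(dst)}


def pf_rdr_rule(ifname: str, dst: PortSpec, host: str, target: TargetSpec) -> str:
    """Render a hand-written pf.conf rdr rule with the same mapping.

    Assumed plain pf.conf syntax, not what OPNsense's generator emits;
    validate with `pfctl -nf <file>` before loading it."""
    ports = expand_ports(dst)
    if is_contiguous(ports):
        dst_txt = f"{ports[0]}:{ports[-1]}"
    else:
        dst_txt = "{ " + ", ".join(map(str, ports)) + " }"
    if target == "any":
        tgt_txt = ""                        # no port keyword: port unchanged
    else:
        table = mapping_table(dst, target)
        lo, hi = min(table.values()), max(table.values())
        tgt_txt = f" port {lo}" if lo == hi else f" port {lo}:{hi}"
    return (f"rdr pass on {ifname} inet proto {{ tcp udp }} from any to ({ifname}) "
            f"port {dst_txt} -> {host}{tgt_txt}")


if __name__ == "__main__":
    # The three cases from the thread, with constructed addresses.
    print(mapping_table("1630-1641", 1630))     # 1630->1630 ... 1641->1641
    print(mapping_table("1630-1641", 20630))    # 1630->20630 ... 1641->20641
    print(mapping_table([53, 853], "any"))      # alias + any: 53->53, 853->853
    print(pf_rdr_rule("em0", "1630-1641", "192.168.1.10", 20630))
    print(pf_rdr_rule("em0", [53, 853], "192.168.1.10", "any"))
```

The base-port branch refuses a non-contiguous alias on purpose: with an alias the rule expands to one entry per port, so a single base port has no well-defined offset, which is why "any" is the form to use there. On the firewall itself, `pfctl -sn` shows the rdr rules that actually got loaded, so the generated translation can be compared against this table.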

Quote from: lmoore on April 27, 2026, 02:29:46 AM
Quote from: OPNsense4ever on April 26, 2026, 11:47:58 PMWhat should be used for Redirect Target Port? The first port in the range? 1630? any?

In your case you would enter 1630, which is the base port number for the range.

Connections arriving within your port range of 1630-1641 will be redirected to ports 1630-1641 at the redirected address.

If you set your Redirect Target Port to 20630, the connections arriving within the port range of 1630-1641 will be redirected to 20630-20641.

If you wanted to use multiple but not sequential ports, you would set up a Port Alias with the port numbers and use the Port Alias in the Destination Port and Redirect Target Port fields.

[Edit] Using "any" simply redirects to the port numbers within the range.

Fantastic! This should be documented somewhere though. Is it written somewhere that I missed?

😁 Let me see if I can get my proverbial stuff together for a PR if not.

Quote from: OPNsense4ever on April 27, 2026, 04:55:25 PMFantastic! This should be documented somewhere though. Is it written somewhere that I missed?

I referred to the online OPNsense manual like you did. Alas, the specifics aren't there.

The information is in The Fine Manual - look at the section for rdr in pf.conf. However, the behaviour I'm seeing in OPNsense is a little different to what is described in this manual page.

This behaviour was in the firewall product which PF replaced. If you would like some historical information, you could have a look in ipnat.conf from the paragraph beginning with:

Quote: For TCP and UDP packets, it is possible to both match on the destination port number and to modify it. For example, to change the destination port from 80 to 3128, we would use a rule like this:

I've tested a rule using a Port Alias, which has two non-sequential ports entered, and set the Redirect Target Port to any. Connections to the destination ports of 53 & 853 are redirected to the same ports on the target host.

Attached are images of a test rule I used with a Port Alias:

I'm sure more examples in the OPNsense documentation would be welcomed.

Part of the confusion appears to come from the fact that the old page selected port "80" as default redirect port. People likely never saw "any" as a viable option and a bit of internal core plumbing appeared to be incomplete for decades.


Cheers,
Franco

Back in those days, transparently redirecting HTTP, FTP, IPSec, Real Audio, etc to proxies running on localhost was the go. This is probably why the majority of examples will redirect to a port for the Proxy Service running on the firewall.

Other scenarios were to redirect connections arriving from the Internet to internal servers.

Then came the challenge to get reflection of internal connections working with IPF.

There have been many improvements with PF firewalls over the years. However, there is always the need for improvements.

@Franco Is there somewhere in the OPNsense documentation pages where one can easily locate the additional setup guides and how-tos?

Cheers,

Larry.