Tom here from Lawrence Systems, and we're going to cover port forwarding on pfSense Plus 22.05 or pfSense Community Edition 2.6, the latest versions available here in August of 2022. Now, this is just some basic port forwarding we're going to cover, but I also talk a little bit about the security you should be considering when you're doing this. So we will also show how to do some port forwarding restricting, how to handle it with multiple WAN addresses, and how to set up aliases to make port forwarding easier, either aliases on inbound or aliases on the ports, or why not both? Those are all great options you can do in there. I'll even show a couple of advanced use cases for port forwarding.

But I always want people to think about and consider this before you open something up to the world. And by the way, a prerequisite for this to work on the public internet is for your WAN to have one or more publicly available IP addresses. So before you open something up to the world, really think about whether or not that's a good idea first, because this is often how many attacks occur: people look for open ports, or bots, I would say, automatically look for them. So the moment you open a port, yes, lots of things start poking away at it. Be prepared for that to happen. Hopefully you are secure and can mitigate any problems that may arise from it. Just want to throw out those warnings before we begin the video.

Now, before we dive into the details of the video, let's first ask: are you an individual or company looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly?
Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in Hire Us but you're looking for other ways to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content.

All right, now the first place I want to start is to cover the IP addresses we're going to use. This is a simulated lab that I have set up, so none of these are actually public WAN IP addresses, but they're the ones we're going to use for this demo. We have my computer at 172.16.16.9, coming across the pseudo-internet over to the pfSense lab. Now, I've got two IP addresses assigned to this lab, because this is a frequent port forward question that comes up: when you have a single WAN interface and you want to choose which one to port forward to. This can be tricky, especially when you're aliasing IP addresses; people are like, "But how do I get the other one? I only see one address option," and I'll make sure we cover that in the video. So we're going to have these assigned on the WAN side, .217 and .250. So this is a 192.168.3 network with these two IP addresses. And the target is being able to SSH, and maybe test a few other ports, and get into this Ubuntu lab server that is 10.0.0.100. So these are all the IP addresses we're going to use for this particular demo.

Now, in pfSense, go to Firewall, then NAT. That's where you're going to be able to get to the NAT port forwarding options. There are options here we're not going to cover today; it's in the documentation.
If you wanted to do a one-to-one map, where you just take everything from a particular IP address and map it to another device, I find that, well, less secure generally. I really want you to think about principles of least privilege: you only open up what's necessary, to whom it's necessary to be opened up for, end of story. That, to me, reduces the amount of noise you're going to see and reduces the amount of potential problems you're going to have.

So we're going to go here and click Add. And we're going to do a port forward by saying interface WAN. Even though we have a few interfaces, we're going to start with WAN on this one; address family IPv4; TCP. There are other options you can do: you've got UDP, you have TCP/UDP as a combo, ICMP, GRE, et cetera, et cetera. SSH is a TCP-based protocol, so we're going to use that. Now there are two options over here. We can say destination, and WAN address we're going to leave here, but we can choose SSH if we wanted to make it really simple and say just go SSH. Or you could just type in the port number. Once you choose one of the drop-down options, it removes the port number. So we'll go ahead and leave it as "other", 22 to 22.

Now, the way ranges work in there can sometimes be a little bit confusing, because I can say 22 to, let's say, 28. Now we're going to actually forward more ports. We're not going to actually do this. But then you see over here there's only one on the redirect target port. The reason there's only one is because that's the starting range on the target port. So if we have these six more ports that we're going over here, well, it'll start here and forward them over. So you actually don't get a range on the redirected port on the device you're targeting. But now we'll go ahead and put in 10.0.0.100. And we'll just leave this at 22, because we're just getting SSH working. We'll say "allow SSH" down here; NAT reflection, use system default.
There are a couple of different options for NAT reflection, and you can go into defaults and change these. You can enable NAT + proxy, pure NAT, or disable. What NAT reflection means is: how does this behave when you're inside the network? This is very popular with camera systems, where you want to open up a port for the camera system, but then you go, "Hey, it's not working when I'm inside the network," because I'm still hitting this, you know, public WAN IP address I programmed into the app. But now, when it's inside the network, it doesn't redirect. What this does is it redirects you. So it says, no, reflect it inward. So even though something's inside the network, let it go ahead and route through the rules and come back. I have mine set as system default because I have it set up for pure NAT on there. If you'd like to set that, you go under System, Advanced, Firewall & NAT and choose NAT reflection: pure NAT. That is where you set the system default. It's in the documentation for pfSense as well.

Now, the last option here is "add associated filter rule". This is where some firewalls in modern times can annoy me, where they don't create a separate rule, because yes, there is a separate rule needed. pfSense has added this for your convenience. The NAT operation is separate from your firewall rules. That is a fact. And someone will go, "Of course it works that way," if you're used to using firewalls where you create a NAT rule, and then you also have to create a rule to allow the traffic to come into the firewall. pfSense, as a convenience, does this in one click. So we hit Save, we click Apply, and the associated filter rule will go ahead and be added here. We'll go down, and here is "view the filter rule", which also takes us over to Firewall, Rules, edit. So it comes over here, and you're seeing where we're allowing it: "NAT allow SSH" is creating that separate rule.
If we go just over to Rules and we look at the WAN rules (ignore all the extras on here; they're for different things we're testing), you'll see this bottom one that we just added, "NAT allow SSH". So it's adding that filter rule automatically, because you have to allow in on WAN. And then, when that packet comes in and hits that port, it hits the NAT rules and redirects to the destination we set up in that.

So back here, where we have our port forward rule created, I just have a tab open over here because I'm doing a pfTop diagnostic where I say host, here's our host address, I want to see anything that's connecting to this address. Currently there are no connections. So let's go ahead and create some and make sure our port forward works. Now, referencing back to our diagram, let's SSH to 192.168.3.217, the WAN IP address of our demo firewall. And it works. And if we look over here, we see that, hey, I just logged into a box that has an IP address of 10.0.0.100. Perfect, worked exactly as expected. And we can see these connections established.

Now, one of the things I want to point out when we establish these connections: so here is my IP address, and the thing to note is that the destination port was 22. And you may have noticed that the source port is something different. So we have 45674. Source ports are generated randomly from the outgoing firewalls through the internet, and they land on a specific port. So they may come in indiscriminately. That's why, when you're looking at these NAT rules (and I've seen people sometimes break things like this), you want to limit your source address, but limiting a source port requires, well, a little bit of extra, because you have to make sure it's only coming from that port. So generally your source port you're always going to leave, you know, wildcarded as an asterisk here. Source address is the next thing I want to talk about.
Because one of the important things to think about when you're doing this is, like, well, anyone can now hit this port; it's wide open. This is where you may want to limit your source addresses. The way you do that: we're going to go over here to Edit, and you look at Display Advanced. And what is the network we want this to come in on? You can say any, or single host or alias. Single host is one single host that you want to filter this for. So if we say we can only come in from 3.12, or any other IP address, that would limit the scope to only that IP address. And coming in more ideally, we would want to do it this way: so we go here to Firewall, Aliases. And we want to add an IP alias, hit Add, "allowed in SSH IP address"; we'll paste it in there. What's the address we want to allow? Well, we allow my computer in, 172.16.16.9, Tom's computer. So we're going to add another one. And we'll say, what if we wanted to have it from another computer? Now we've added, well, as many as we want, as we keep clicking Add to be able to add these in here. And then we click Save, click Apply. Firewall, NAT, we're going to edit that rule. And we're going to Display Advanced, single host or alias, start typing, it will autocomplete, go down here to Save, Apply Changes. And if we mouse over now, the source address, instead of displaying one value, displays all the values in here. So if we go over here and SSH in, we exit, it works great. So we can go back and forth and say now it's working.

Now let's go ahead and update that alias to show you another condition you may run into. We're going to edit this, we're going to delete Tom, Save, Apply. No problem, we've got this address rule. Let's go ahead and refresh this page. We only allow this particular one in. So we go back over to pfTop, and we see a couple of connections here from Tom. So let's talk about those connections, because they shouldn't exist right now, because I have a rule that says Tom can't get in. So it happens. So right now I'm in.
I can type top, and commands seem to be working. Let's go ahead and exit and see what happens. We've just closed that active state. We're going to jump back in, but we can't. What happens is, when you change a rule but there's already an open state, the default behavior (this can be changed, or you can kill the state) is to allow states that exist to keep existing. So if you're doing some testing with this and you have an active state open, such as an SSH connection, even though I change the rules, they're not going to just drop off. So now I can't come in. It's not allowing me. But we can go over here, Firewall, Aliases, edit this. We'll add host: I'm .9. Save, Apply, retry again. Hey, look, I'm in, it works perfectly fine again. So that's how those work in terms of aliases.

Now, you can use aliases for things like ports. So let's go ahead and look at the NAT rules here. We want to add another NAT rule: WAN, IPv4, TCP. But what if we had a list of custom ports, like the UniFi controller? There's a popular grouping of ports. And we'll just put that in there; for each one of these, single host, the same host (it's not actually a UniFi controller, but let's pretend it is for the sake of something popular someone may want to do). Same thing, other ports, "UniFi controller", "allow UniFi ports". Great. Now we have these ports over here for the UniFi controller; it works the same way. Now, how do we do those? Over here in Aliases, we go to Ports. Hey, there are all the ports for the UniFi controller. Now, the other advantage is, of course, I have one, two, three, four different ports in there. What if I needed to change one of these, and I had many rules related to port forwarding for a couple of different reasons where, you know, I needed to add or remove a specific port? I could just keep adding or removing them right inside of here. And it's as easy as that to keep control over, you know, things that you want to open up.
So it works while they're using IP addresses; it works with these different ports added in here. And actually, when you have a lot of things you're forwarding, I do prefer to add them all in here. That way, as you repeat rules, it just makes it a lot easier. And whenever you edit it here, it will automatically apply. That's why, when you edit these, it asks you, and let's just go ahead and open one up real quick. We added a port, whatever that port is, "test", Save. When you hit Apply here, it's not just applying the alias; it actually is rerunning the filter rules in the background and reapplying them. That way they've all been reworked, because it realizes there was a change in the alias. This alias is used within filter rules, so it actually reloads all the filter rules when you do that.

Now let's go back over here to the firewall, and we're going to go ahead and delete this one, as we don't need it. But the next question is: how do we build a rule when we have another IP address on our WAN? Now, this is going to be obvious if you go here and say, "Hey, I can just choose WAN2," if it exists. But this at the top says interface. I want to make sure you understand interface is not the same as destination, because destination is WAN address, or WAN2 address; sounds simple enough. But what about when you have more than one IP address on your WAN? The way you do that (and I've done a talk about this before, but just a quick briefer here) is you go over here to Virtual IPs. We have an extra virtual IP assigned to WAN. It's an IP alias, single address. So it's assigned to this interface, and there's the IP address. And it's just another WAN IP. We're going to go back over here to our Firewall, NAT, and we'll duplicate this rule for simplicity. So interface is the same, because it's aliased on that interface. This is where we want to get to the other IP address. And we can add three, five, doesn't really matter how many we have. We just have one on here.
They would all show up in this list. So 192.168.3.250. Now, we're going to hit Save, but not Apply. So it's sitting here, ready but not applied. Now I want to show you what happens here. So we're going to go ahead and exit this. Then we're going to go ahead and say .250, the other IP address in there. It doesn't work. Just want to make sure: despite there being a rule that allows it for the WAN, and it's just generically worded "WAN address", even though this is an alias on the WAN, it's not the WAN address. That's an important distinction. So it doesn't automatically work. So we click Apply. Now we can see these two different rules: the WAN address, and then the secondary destination address on the WAN. There's the destination; there's the NAT IP internally. So now, when we go back over here, it logs us right in; works perfectly fine.

All right, I've deleted that rule. Now let's talk about another scenario. Our destination address being WAN address, go ahead and click Edit. We've deleted that extra one. So let's change it to WAN net as a destination. Now, if we do WAN net as a destination, so it's interface WAN, but then WAN net, so everything that's aliased on the WAN net. Let's go ahead and click Apply. So we only have the one rule here. And if we do this, we go to 3.217, it works. We go to 3.250, it works. If we add more WAN addresses, more aliases, it will continue to work, because we're just going on and saying anything that's on that WAN address, go ahead and just allow it to come through. This may not be an ideal situation that you want to do. But for those of you curious of, "Hey, will this allow it for all the IP addresses?" at least, and maybe your use case is for that, then yes, that will absolutely work.

Now, one final thing I want to cover that's kind of novel, but just to show there's more than just ports that can be forwarded through NAT, is ICMP.
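The matching behaviour walked through above, namely the port-range offset (a range with a single redirect target port), source-address restriction by a host alias with the source port wildcarded, existing states outliving a rule or alias change until they are killed, "WAN address" not matching a virtual IP while "WAN net" does, and a protocol such as ICMP forwarding with no port at all, modelled in a small Python simulator. This is an added example written by the editor, not pfSense code and not the video's own material. The lab addresses are the constructed ones from the walkthrough; the alias contents, the 8022-8028 range and the 198.51.100.7 and 203.0.113.5 test sources are made up for the demo; and the evaluation is a simplified first-match model of pf's rdr plus associated pass rules, not the real ruleset.

```python
"""Toy model of how pfSense evaluates port forwards (added example, not pfSense code)."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_ADDRESS = "192.168.3.217"            # "WAN address" in the GUI (from the walkthrough)
WAN_NET = ip_network("192.168.3.0/24")   # "WAN net"; also contains the VIP .250
VIP = "192.168.3.250"                    # IP-alias virtual IP on WAN (from the walkthrough)
TARGET = "10.0.0.100"                    # Ubuntu lab box (from the walkthrough)

HOST_ALIASES = {"allowed_ssh": {"172.16.16.9", "172.16.16.20"}}  # assumed alias contents
PORT_ALIASES = {"unifi_ports": {8080, 8443, 3478, 10001}}        # assumed alias contents


@dataclass
class PortForward:
    proto: str                             # "tcp", "udp" or "icmp"
    dst: str                               # "wan_address", "wan_net" or a literal address
    target: str                            # redirect target IP
    dst_ports: tuple | str | None = None   # (first, last) range, a port alias name, or None
    target_port: int | None = None         # START of the target range (GUI shows one box)
    src: str = "any"                       # "any", a literal address, or a host alias name


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = {}   # (proto, src, sport, dst, dport) -> (target_ip, target_port)

    def _dst_ok(self, r, dst_ip):
        if r.dst == "wan_address":
            return dst_ip == WAN_ADDRESS            # a VIP is not "WAN address"
        if r.dst == "wan_net":
            return ip_address(dst_ip) in WAN_NET    # matches every address on WAN
        return dst_ip == r.dst

    def _src_ok(self, r, src_ip):
        if r.src == "any":
            return True
        return src_ip in HOST_ALIASES.get(r.src, {r.src})   # alias or literal host

    def _redirect(self, r, dst_port):
        """Target port a matching packet lands on, or None if the port does not match."""
        if r.proto == "icmp":
            return 0                                # ICMP has no ports
        if isinstance(r.dst_ports, str):            # port alias used on both sides (assumed):
            return dst_port if dst_port in PORT_ALIASES[r.dst_ports] else None  # same port
        first, last = r.dst_ports
        if not first <= dst_port <= last:
            return None
        return r.target_port + (dst_port - first)   # range: offset from the single start port

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port=0):
        """Return (target_ip, target_port) for an inbound WAN packet, or None if blocked.
        The source port is a wildcard; only the source *address* is filtered."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key in self.states:                      # existing states survive rule edits
            return self.states[key]
        for r in self.rules:
            if r.proto != proto or not self._dst_ok(r, dst_ip) or not self._src_ok(r, src_ip):
                continue
            tport = self._redirect(r, dst_port)
            if tport is None:
                continue
            self.states[key] = (r.target, tport)
            return self.states[key]
        return None

    def kill_states(self, src_ip):
        """Drop states for a host, like clearing them under Diagnostics > States."""
        self.states = {k: v for k, v in self.states.items() if k[1] != src_ip}


def demo():
    ssh = PortForward("tcp", "wan_address", TARGET, (22, 22), 22, src="allowed_ssh")
    fw = Firewall([ssh])
    out = {}
    out["ssh_ok"] = fw.translate("tcp", "172.16.16.9", 45674, WAN_ADDRESS, 22)
    out["vip_is_not_wan_address"] = fw.translate("tcp", "172.16.16.9", 45675, VIP, 22)
    out["wrong_source"] = fw.translate("tcp", "203.0.113.5", 40000, WAN_ADDRESS, 22)
    # Removing .9 from the alias does not drop the state already open from port 45674.
    HOST_ALIASES["allowed_ssh"].discard("172.16.16.9")
    out["old_state_survives"] = fw.translate("tcp", "172.16.16.9", 45674, WAN_ADDRESS, 22)
    out["new_connection_blocked"] = fw.translate("tcp", "172.16.16.9", 45680, WAN_ADDRESS, 22)
    fw.kill_states("172.16.16.9")
    out["after_kill"] = fw.translate("tcp", "172.16.16.9", 45674, WAN_ADDRESS, 22)
    HOST_ALIASES["allowed_ssh"].add("172.16.16.9")
    # Range 8022-8028 with redirect target port 22: 8025 lands on 25, not on 8025.
    rng = Firewall([PortForward("tcp", "wan_address", TARGET, (8022, 8028), 22)])
    out["range_offset"] = rng.translate("tcp", "198.51.100.7", 1, WAN_ADDRESS, 8025)
    # "WAN net" covers the VIP; ICMP forwards with no port at all.
    wn = Firewall([PortForward("tcp", "wan_net", TARGET, (22, 22), 22),
                   PortForward("icmp", "wan_address", TARGET)])
    out["wan_net_covers_vip"] = wn.translate("tcp", "198.51.100.7", 2, VIP, 22)
    out["icmp"] = wn.translate("icmp", "198.51.100.7", 0, WAN_ADDRESS)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The state table is the part worth noticing: after the alias edit, the old connection keeps translating while a fresh one from the same host is refused, exactly the "I'm still in" moment from the video, and only `kill_states` (or closing the session) ends it. The port-alias branch assumes the same alias is used for both the destination and the redirect target, which is how the UniFi-style rule is built in the walkthrough.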
Maybe you don't have a use case for that, but I think it's novel that this ability is in here. We can ping 192.168.3.217, except by default pfSense blocks ICMP traffic. That can be changed, but we left things at the default behavior. But what if we could go over here, and we want to add a rule, and we want WAN, IPv4, protocol... let's change the protocol. And this is where there are a few different options we can even do. We have, like I said, these other ones in here, if you needed OSPF to be forwarded to another device, but let's specifically talk about ICMP. Now, there are obviously not as many options. You don't get ports; it's just ICMP traffic. But we can do that where we go 10.0.0.100, and we'll say "allow ICMP". So pretty simple. Go ahead and hit Save, Apply. And the pings have started. And we'll go over here back to pfTop, and we can see the ICMP traffic down here coming from my system and going in there. So pretty simple. These are other things you can forward when you're using these.

And that's it. That's all I have for port forwarding, but please take the time to read through the Netgate documentation. It is wonderful. It has even more than I covered in here. So there are always a lot of scenarios, and maybe some specialized use cases, where the scenarios can be helpful in there. Check out my forums, forums.lawrencesystems.com, for a more in-depth discussion on this topic and, well, any other videos I've covered, or head over to the Netgate forums. There's all kinds of information over there on things like, you know, how port forwarding works, or certain scenarios that are outside the norm. But what I covered today will cover probably 99% of people's needs when it comes to port forwarding. As always, thanks, and see you next time.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up.
If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.