I am trying to forward SSH traffic on incoming port 2200 to port 22 on say the LAN IP address of 10.1.2.3 (just an example). I am also using HAPROXY for forwarding web traffic (based on public DNS records for sub domains like a.test.com) to some LAN servers (to control ProxMox or other things with web consoles). Do I need to enter a firewall NAT rule to do this or should it be handled as a forward within HAPROXY?
It does seem like the firewall NAT rule is not working (I used the pfSense cookbook 2.0 to try to understand how to instantiate the firewall NAT rule).
Sounds like you need port forwarding, I have a video here on that:
Tom, et alia:
Your video was perfectly instructive concerning port forwarding (though it indeed was what I had already tried). However, your video also spoke to aliases, which poked my curiosity. After going into the alias menu I took notice of the fact that at some point, long before engaging in my technical quest to appoint the functionality I currently seek, I had placed some half-entered alias in my configuration (I have no recall of why I ever thought I had reason to do such a thing). However, following its extirpation from the configuration of my pfSense instance, the port forwarding began to function flawlessly. Thereafter, I added several port forwards for different servers, though it still bothered me that I'd have to remember server1 was port 2200, server2 was port 2201, server3 was port 2202, etc.
However, feeling impelled to make this even simpler, I started to conduct more research concerning SSH proxying. There are some rather clever methodologies to substantiate such a practice in concert with leveraging HAPROXY. However, eventually I realized that I could use an ssh command line construction ("ssh -J") in pursuance of achieving the same functionality. By using ssh -J firstname.lastname@example.org user@secondary-server-domain (and having properly installed SSH keys) the entire procedure could be far less painful (and require no extra configuration of pfSense as I had done previously). Additionally, domains or IP addresses work and, depending on the placement of an appropriate entry in the local SSH config file on the system initiating the ssh command, it is possible to have a command like "ssh barney" achieve "ssh -J fred@wilma betty@barney".
It is worthy of notation that I do find your videos powerfully instructive (I have viewed a number of them in precedence to posting here) and I will surely start to "thumb them up" more. I have to admit, you are the first person I've ever listened to that (I presume) was raised in the US and speaks with a very, very brisk cadence! Whilst this does impel me to replay excerpts of your video disquisitions several times in order to acquire their full meaning and context, I mean nothing derisive in saying this at all. In fact, given the granularity of some of the subject matter, I might be doing that (even if you spoke more slowly) in order to assure I ascertain the full meaning of the pfSense concepts you are proselytizing!
My iPhone is always receiving texts and notifications of one sort or another, so I am a bit nervous to add more by subscribing to YouTube publishers. However, if I could have a manner by which I could subscribe to a YouTube channel and limit when the notices would arrive (say between 12 and 3PM on Sunday), then I'd subscribe to a far greater number of YouTube channels. If you have a pathway for bubbling such a suggestion up to the powers that be at Google, I'd surely encourage you to do so in no uncertain terms with all possible alacrity.
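To make the "ssh barney" shorthand from the post above concrete, here is an added example of the local ~/.ssh/config entries that turn `ssh barney` into `ssh -J fred@wilma betty@barney`. It is illustrative and not the poster's own configuration. The host names fred/wilma/betty/barney, the forwarded port 2200 and the LAN address 10.1.2.3 are taken from the thread's own examples; the public hostname wilma.test.com and the key file paths are assumptions.

```sshconfig
# Jump host: the only machine that needs a pfSense port forward
# (public :2200 -> LAN :22, as described in the first post).
# wilma.test.com is an assumed public name.
Host wilma
    HostName wilma.test.com
    Port 2200
    User fred
    IdentityFile ~/.ssh/id_ed25519_wilma   # assumed key path
    IdentitiesOnly yes

# Internal target: reached through wilma, so no additional port
# forward is needed on the firewall. ProxyJump opens a TCP tunnel
# to 10.1.2.3:22 via wilma and runs a full ssh session inside it,
# so barney's host key is still verified end to end by the client.
Host barney
    HostName 10.1.2.3
    User betty
    ProxyJump wilma
    IdentityFile ~/.ssh/id_ed25519_barney  # assumed key path
    IdentitiesOnly yes
```

With this in place, `ssh barney` is equivalent to `ssh -J fred@wilma betty@barney`. Running `ssh -G barney` prints the options the client resolved for that host (including `proxyjump wilma`) without connecting, which is a quick check that the stanza is parsed as intended. ProxyJump requires OpenSSH 7.3 or newer; on an older client the same effect comes from `ProxyCommand ssh -W %h:%p wilma`. Because the hop is a forwarded TCP connection rather than a shell on the jump host, the private key for barney never leaves the client and agent forwarding is not needed.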
Tom, et alia,
Further illumination of the aforementioned subjects can be acquired from the URLs that follow: