NAT and Firewall Advanced Options in pfSense

In this article, I will cover some additional advanced settings available for firewall and NAT, which you can find by navigating to System -> Advanced and clicking on the “Firewall/NAT” tab.

Firewall Advanced Options


Advanced firewall and NAT options in pfSense.

Under “Firewall Advanced”, you will find the “Bypass firewall rules for traffic on the same interface” check box. This option applies only if you have defined one or more static routes (and therefore at least one gateway; I covered configuring static routes in a previous article). When it is enabled, traffic that enters and leaves through the same interface is passed without being checked against that interface’s firewall rules. This can be advantageous if multiple subnets are connected to the same interface (e.g., if you divide the LAN into two or more separate subnets reached through a router on the same segment): after the first packet, the hosts talk to that router directly (pfSense sends an ICMP redirect), so the firewall sees only one direction of the flow and stateful filtering of it would fail. Keep in mind that any filtering you wanted between those subnets then has to be done somewhere other than pfSense.
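
To make the mechanism concrete, here is an added illustration written as a pf.conf fragment. It is constructed for this article, not pfSense’s own generated ruleset, and the interface name em1, the two subnets and the router address 192.168.1.254 are assumptions:

```pf
# Constructed example; em1, 192.168.1.0/24, 192.168.2.0/24 and 192.168.1.254
# are assumptions, not values from the article.
#
# em1 is LAN (192.168.1.1/24). A second subnet, 192.168.2.0/24, sits behind
# the router 192.168.1.254 on the same segment and is reached through the
# static route "192.168.2.0/24 via 192.168.1.254".
#
# A host 192.168.1.10 that uses pfSense as its default gateway sends its first
# packet for 192.168.2.5 to em1; pfSense forwards it back out em1 to
# 192.168.1.254 and sends an ICMP redirect. The reply, and every later packet,
# travels host <-> 192.168.1.254 directly, so pf sees only one direction of
# the flow and strict TCP state tracking fails (the state never completes).
#
# What "Bypass firewall rules for traffic on the same interface" amounts to:
# pass that traffic ahead of the interface's normal rules, with relaxed
# (sloppy) state tracking that tolerates seeing only one side of the flow.
pass in quick on em1 proto tcp from 192.168.1.0/24 to 192.168.2.0/24 flags any keep state (sloppy)
pass in quick on em1 proto { udp icmp } from 192.168.1.0/24 to 192.168.2.0/24 keep state
pass in quick on em1 proto tcp from 192.168.2.0/24 to 192.168.1.0/24 flags any keep state (sloppy)
pass in quick on em1 proto { udp icmp } from 192.168.2.0/24 to 192.168.1.0/24 keep state

# The LAN tab rules would follow here. Because the rules above are "quick",
# traffic between the two subnets never reaches them.
```

The practical consequence is the security caveat: with the bypass enabled, the LAN rules no longer filter anything between 192.168.1.0/24 and 192.168.2.0/24, so any restrictions between those subnets must be enforced on the router at 192.168.1.254 (or on the hosts).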

Next is the “Disable all auto-added VPN rules” check box. Checking this disables the rules pfSense automatically adds to allow VPN traffic in when a VPN is created (for example, the WAN rules permitting IPsec ISAKMP, NAT-T and ESP); you then have to create those rules yourself.

Next is the “Disable reply-to on WAN rules” check box. With Multi-WAN, you generally want to ensure traffic leaves the same interface it arrived on, so reply-to is added to WAN rules automatically by default: replies belonging to a connection accepted on a WAN are sent back out that WAN, via its gateway, regardless of what the routing table says. When using bridging (or 1:1 NAT and port forwarding across multiple interfaces), you must disable this behavior (by checking this box) if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface, because otherwise their replies would be handed to the wrong next hop.

Finally, there is the “Disable Negate rule on policy routing rules” check box. With Multi-WAN and policy routing (rules that specify a gateway), you generally want traffic to directly connected networks and VPN networks to follow the routing table rather than being forced out the policy-routing gateway, so pfSense adds a negate rule ahead of each policy-routing rule for those destinations. You can disable this for special purposes (by checking this box), but you then have to create rules for those networks manually.
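
The reply-to and negate behaviours above, as an added example in pf.conf form. This is a constructed fragment rather than pfSense’s generated rules; the interfaces em0, em1 and em2, their addresses, the second LAN-side subnet and the VPN network are assumptions:

```pf
# Constructed example; all interface names and addresses are assumptions:
#   em0 = WAN  203.0.113.10/24, gateway 203.0.113.1
#   em2 = WAN2 198.51.100.10/24, gateway 198.51.100.1
#   em1 = LAN  192.168.1.0/24
#   192.168.2.0/24 = subnet of another directly connected interface
#   10.8.0.0/24    = a VPN network reachable through a tunnel

# --- reply-to on WAN rules -------------------------------------------------
# Replies to states created by this rule are sent out em0 to 203.0.113.1,
# whatever the default route happens to be. This is what keeps a Multi-WAN
# box from answering traffic that arrived on one WAN through the other.
pass in quick on em0 reply-to (em0 203.0.113.1) proto tcp from any to 203.0.113.10 port 443 flags S/SA keep state

# If em0 were a bridge member and the hosts behind it used a gateway other
# than 203.0.113.1, the rule above would hand their replies to the wrong next
# hop. "Disable reply-to on WAN rules" yields the plain form instead:
# pass in quick on em0 proto tcp from any to 203.0.113.10 port 443 flags S/SA keep state

# --- negate rule on policy routing rules -----------------------------------
# A LAN rule with a gateway set becomes a route-to rule. On its own it would
# also push traffic for the VPN and the other local subnet out em2. The
# automatically added negate rule passes those destinations first, without
# route-to, so they follow the routing table:
pass in quick on em1 from 192.168.1.0/24 to { 192.168.2.0/24 10.8.0.0/24 } flags S/SA keep state
pass in quick on em1 route-to (em2 198.51.100.1) from 192.168.1.0/24 to any flags S/SA keep state

# With "Disable Negate rule on policy routing rules" checked, only the
# route-to rule is generated; the first rule has to be written by hand.
```

The ordering matters: both rules are “quick”, so the negate rule must come before the route-to rule, which is exactly where pfSense places it.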

NAT Advanced Options

The next section is “Network Address Translation”. The first option is the “Disable NAT Reflection for port forwards” check box. With NAT reflection, packets from internal networks that are addressed to the network’s public IP address are treated as if they were coming from the WAN interface, and the router’s port forwarding rules then determine where the packets go. Checking this box disables the automatic creation of the additional NAT redirect rules that allow access to port forwards on your external IP addresses from within your internal networks.

Next is “Reflection Timeout”. This edit box allows you to set a NAT reflection timeout in seconds. The next option is the “NAT Reflection for 1:1” check box. Checking this disables the automatic creation of additional NAT 1:1 mappings for access to 1:1 mappings of your external IP addresses from within your internal networks. The next check box is “Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.” This only applies to 1:1 NAT rules, and it is needed for 1:1 reflection to work fully. The reason is that a reflected packet reaches the internal server with the internal client’s address as its source, so the server would answer the client directly (they are on the same subnet) rather than through pfSense, and the client, which expects a reply from the public IP, would drop that answer. The automatic outbound NAT rule rewrites the source to the firewall’s interface address, so the reply comes back through pfSense and the redirect can be reversed.
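
As an added worked example covering both the reflection redirect and the outbound NAT helper, here is a constructed pf.conf fragment. It is not pfSense’s generated ruleset; the interface names, the public address 203.0.113.10, the web server 192.168.1.20 and the client 192.168.1.10 are assumptions, and the LAN is assumed to have its usual allow-all rule:

```pf
# Constructed example; em0 (WAN, public address 203.0.113.10), em1 (LAN,
# 192.168.1.1/24), the server 192.168.1.20 and the client 192.168.1.10 are
# assumptions, not values from the article.

# The port forward itself: WAN 203.0.113.10:80 -> 192.168.1.20:80
rdr on em0 proto tcp from any to 203.0.113.10 port 80 -> 192.168.1.20 port 80
pass in quick on em0 proto tcp from any to 192.168.1.20 port 80 flags S/SA keep state

# NAT reflection: a LAN client that addresses the public IP is redirected to
# the same internal server. Without this rdr the packet would be routed out
# the WAN and the port forward on em0 would never see it.
rdr on em1 proto tcp from 192.168.1.0/24 to 203.0.113.10 port 80 -> 192.168.1.20 port 80

# Reflection alone breaks the connection: the server receives a packet from
# 192.168.1.10 and replies to it directly on the LAN, bypassing pfSense. The
# client expected an answer from 203.0.113.10:80, so the reply is rejected.
# The outbound NAT helper rewrites the source to the LAN address, so the
# server's reply returns through pfSense, where both translations are undone:
nat on em1 proto tcp from 192.168.1.0/24 to 192.168.1.20 port 80 -> 192.168.1.1

# Resulting flow for client 192.168.1.10 (addresses as seen on the wire):
#   client   192.168.1.10     -> 203.0.113.10:80   (enters em1)
#   rdr      192.168.1.10     -> 192.168.1.20:80
#   nat      192.168.1.1      -> 192.168.1.20:80   (leaves em1)
#   server   192.168.1.20:80  -> 192.168.1.1       (reply enters em1)
#   reversed 203.0.113.10:80  -> 192.168.1.10      (reply leaves em1)
```

Two things worth noting from the flow: the server’s logs will show every reflected client as 192.168.1.1 rather than the real client address, and the helper only works when pfSense actually sits in the path, i.e. for subnets on its assigned interfaces.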

The last option is “TFTP Proxy”. You can click on an interface listed (hold down SHIFT to select multiple interfaces) to enable the TFTP proxy on that interface. A proxy is needed because a TFTP server answers a request to UDP port 69 from a new, randomly chosen port, so the reply does not match the state created by the client’s request and would be dropped; the proxy follows the exchange and opens the state the reply needs. Since TFTP is considered a security risk (the protocol specification provides no security or authentication), this option should only be enabled if absolutely necessary. Finally, click on “Save” to save the changes.

Other articles in this series:

webConfigurator options in pfSense

Admin Access Options in pfSense

Firewall Advanced Options in pfSense

External Links:

Network Address Translation at Wikipedia

© 2013 David Zientara. All rights reserved.