Port Forwarding with NAT in pfSense

Firewall Configuration: NAT port forwarding

Firewall -> NAT configuration page in the pfSense web GUI.

In computer networking, Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers while in transit across a traffic routing device. In most cases, it involves translating from the WAN IP address to the 192.168.x.x addresses of your local network. In this article, I will describe how to set up NAT port forwarding.

NAT and firewall rules are distinct and separate. NAT rules forward traffic, while firewall rules block or allow traffic. In the next article, I will cover firewall rules, but for now keep in mind that just because a NAT rule is forwarding traffic does not mean the firewall rules will allow it.

NAT Port Forwarding

NAT port forwarding rules can differ in complexity, but in this example, let’s assume we set up an Apache server at on the local network, and we want to direct all HTTP traffic (port 80) to that address. First, browse to Firewall -> NAT. The options are “Port Forward“, “1:1” and “Outbound“. Select the “Port Forward” tab. Click the “plus” button in order to create a new NAT port forward rule. “Disable the rule” and “No RDR” can be left unchanged. For “Interface” you can choose WAN and LAN; we are concerned about incoming requests from the Internet, so you can keep it as WAN.

For “Protocol”, there are five choices: TCP, UDP, TCP/UDP, GRE, and ESP. TCP stands for Transmission Control Protocol, and is the transport level protocol of the Internet protocol suite. This is usually what we want to use. Next is UDP, or User Datagram Protocol, another transport level protocol which is also part of the Internet protocol suite. It is suitable for purposes where error checking and correction are either not necessary or are performed in the application. GRE stands for Generic Routing Encapsulation, a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links. It can be used, among other things, in conjunction with PPTP to create VPNs. ESP stands for Encapsulating Security Payload, a member of the IPsec protocol suite which provides authenticity, integrity and confidentiality protection of packets. In this port forwarding scenario, you can leave the protocol unchanged (TCP).

Firewall Configuration: NAT

Adding a NAT port forwarding rule.

For “Source“, you can specify the allowed client source. Typically you can leave it as “any”, but there are several choices: “Single host or alias“, “Network“, “PPTP clients“, “PPPoE clients“, “L2TP clients“, “WAN subnet“, “WAN address“, “LAN subnet“, and “LAN address“. In this case, you can leave the default (any) unchanged.

For “Source port range“, we want to redirect HTTP traffic (port 80), so choose HTTP for the from and to drop-down boxes. “Destination” offers the same choices as “Source” and can be left unchanged. “Destination port range” should be changed to HTTP for the from and to drop-down boxes. For “Redirect target IP“, specify the web server the traffic to be forwarded to (in our case, For “Redirect target Port“, choose HTTP. Next is “No XMLRPC Sync“; enable this option to prevent this rule from being applied to any redundant firewalls using CARP. This option can be left unchecked now. “NAT Reflection” can be enabled or disabled, usually it is disabled. “Filter Rule association” will automatically create a firewall rule and associate it to this NAT rule. Check this box to avoid having to create a separate firewall rule. Add a description if you wish, and press “Save” to save the changes. The port forwarding rule set up should now be in effect.

NAT Port Redirection

In this case, we passed traffic from port 80 on the source to port 80 on the destination, which is the classic port forwarding scenario. But there’s no reason you can’t redirect traffic to a different port. There are two reasons you might want to do this:

[1] Security: A good way to thwart hackers is to put services on non-standard ports. For example, everyone knows the standard port for FTP is 21, but an outsider is unlikely to find your FTP server if you place it on port 69, or better yet, an even higher port number (e.g. 51782). The same can be said of SSH. Users will have to know the port in order to access it.

[2] Single Public IP Address, more than one computer with the same services: Smaller networks with only a single public IP address may be stuck if the want to expose a lot of public services. For example, imagine that we want to have two separate FTP servers, but on two separate computers. With port redirection, we create two different NAT rules: the first rule will redirect port 51782 to port 21 on FTPServer1, and the second will redirect port 51783 to port 21 on FTPServer2. We can then remote into two separate FTP servers on two different computers using the same IP address.

External Links:

Port Forwarding Troubleshooting at doc.pfsense.org

Be Sociable, Share!


  1. Thе other day, wɦile I was at ѡork, my sister
    stole myy iPadd and tested to see if it can survive a twenty five foߋt drop, just so she can be
    a youtube sensation. My iPad is now destroyed aand ѕhe has 83 views.
    I know this is completely off topic but I had too sharе it with someߋոe!

  2. Est-il possible de vous emprunter deux ou trois phrases sur mon site web perso

  3. Nice post. I learn something totally new and challenging on websites I stumbleupon every day.
    It will always be useful to read through articles from other authors
    and use a little something from their web sites.

  4. Howdy! This article couldn’t be written any better!
    Going through this post reminds me of my previous roommate!

    He continually kept talking about this. I am going to send this information to
    him. Fairly certain he’s going to have a very good read.
    Many thanks for sharing!

  5. Ces posts sont réellement intéressants

  6. Je vois de suite que vous maîtrisez bien ce que vous dites

  7. I like your explanation of NAT as forwarding and Firewall as block or unblock, helped me finally understand it better.

  8. Voѕ articleѕ sont clairement passionnants

  9. Je me permets de publier ce commentaire uniquement pour
    remercier le webmaster

  10. Douglas G. Oechsler says:

    How are you?

    I have the Static IP. (inside internet) Is it possible to make NAT to private network?
    For example:
    I want redirect the static IP for a private FTP network. The FTP server is work well but, only private net. I want the people access the static IP then access ftp private server about Nat.
    How Can I Configure about right form?

    sorry my English and thanks your attention.

    Douglas G. Oechsler

  11. Fantrastic goods from you, man. I’ve be awaree your stuff previous to and you’re just too excellent.
    I really like what you have obtained right here, certainly
    lioe what you’re saying and the waay during which you say it.
    You make it entertaining and you continue to tae care of to
    stayy it sensible. I can not waiit too learn far more from you.
    This is really a wonderful site.

  12. But if not then restart your computer screen saying were sorry, Facebook, Twitter and also
    for all other social networking sites. We can unblock proxy YouTube by using any
    proxy server which bring you your unblock youtube desire restricted websites.
    Proxy server gives you a text box where you want to access restricted social websites like Skype, VoIP, YouTube,
    AIM, P2P etc. But beside all these websites we need to use a VPN you have to do business from home, ability to unblock
    and view.

  13. always i used to read smaller articles which as well clear their
    motive, and that is also happening with this post which
    I am reading here.

  14. It’s іn fact ᴠery complex in thiѕ active life to listen news on Television, thus I just use web for that reason, and get the most up-to-date news.

  15. Great post.

  16. Somᥱbody necessarily assist to make criticaⅼly articles I might state.

    TҺat is thᥱ first time I frequented your website page and up
    to now? I amazed with the reseаrch you made to create thіs actual submit amazing.

    Magnificent process!

  17. Ԍreetings from Іdaho! I’m bߋred to death at work so I decided tօ bгowse yⲟur website on my iphоne duгing lunch break.
    I love the infⲟ yoս provide here and can’t wait to
    take a look when ӏ get home. I’m amɑzed at how fast your ƅlog loaded on my mobile ..
    I’m not even using WIFI, just 3G .. Anyաays, amazing site!

  18. I Һave been surfing on-lіne more than 3 hours as of late, ƅut I by no means disсovered any attention-ցrɑbbing
    article like yours. It is beautiful price enough for me.
    Perѕonally, if all webmasters and bloǥgers made good cοntent material as you did, thе net will likely be
    much more useful than evеr before.


  1. […] the previous article about NAT port forwarding, we used “Add associated filter rule” in order to generate the firewall rule for the […]

  2. […] a previous article, I described how to configure port forwarding in pfSense. But what if port forwarding could be done automatically? That is the object of the Universal Plug […]

  3. […] Delete any existing FTP ort forwards or firewall rules and add new port forwarding and firewall rules for the destination port 21 and the destination private NAT IP address. For more information on port forwarding with NAT, see my earlier posting on NAT/port forwarding. […]

  4. zojirushi rice cooker 10 cup…

    Port Forwarding with NAT in pfSense – pfSense Setup HQ…

Speak Your Mind


© 2013 David Zientara. All rights reserved. Privacy Policy