Port Forwarding in pfSense - How to Configure NAT
In this hub I'll be showing you how to set up port forwarding or NAT on your pfSense router.
Port forwarding is used when you need to allow users outside of your network to access services on your internal network. For example, if you have a web server running on a machine inside your network you would need to forward port 80 (HTTP) to the computer running the web server.
If the computer running the service has a public IP address you won't need port forwarding. Most machines sit behind NAT with private addresses, so an inbound port forward is needed to expose an internal service to the internet. Keep in mind that every forward is a hole in the firewall: only forward the ports a service actually needs, and only to the host that runs it.
Other uses for port forwarding
- Hosting public game servers
- Remote Desktop (RDP)
- Bit Torrent
Determine the Port Number and IP Address
Before you can create your NAT rule you will need to know two things, the port number of the application, and the IP address of the computer running the service.
If you are running a well known service, finding the port number is easy: the service's documentation or configuration file will list it, and a quick web search will usually turn it up. You can also look at what the machine is actually listening on (netstat -an on Windows, netstat -tln or ss -tln on Linux), or run a packet sniffer such as Wireshark or tcpdump and watch which port the client connects to.
There are a number of ways to find the IP address of a machine on your network. On Windows the easiest way is to run ipconfig from a command prompt. On a Linux machine you can run ifconfig (or ip addr on newer distributions) to find the IP.
When you are setting up a NAT rule it's best to make sure the computer running the service you want to expose is on a static IP address. If the machine is on DHCP it could obtain a different IP address and the associated NAT rule would no longer work. If you have to use DHCP you can set up a DHCP reservation so it will stay on the same IP address.
Common Ports to Forward
- RDP (Remote Desktop) - 3389/TCP
- FTP (File Transfer Protocol) - 21/TCP for the control channel, plus 20/TCP for active mode data transfers; passive mode needs the server's passive port range forwarded as well
- SSH (Secure Shell) - 22/TCP
- DNS (Domain Name Service) - 53/UDP and 53/TCP
- HTTPS (Secure HTTP) - 443/TCP
Services such as RDP and FTP are frequent targets of brute force attacks once they are reachable from the internet. If you must expose them, restrict the source address in the NAT rule to the addresses that actually need access, or put them behind a VPN instead of forwarding them directly.
Connect to the Web Gui
To setup your NAT rule you'll need to connect to the web interface of your pfSense router. To do this enter the IP address of your pfSense box in the address bar of your browser.
The default username is admin, and the default password is pfsense. If you have not already changed the default password, do it now under System > User Manager before creating any rules; a firewall with a known default login is trivial to take over.
Create the NAT Rule
To set up port forwarding click on NAT from the Firewall menu in pfSense. On the upper right hand side click the plus symbol to create a new rule. This will open up the NAT rule editor.
If you need to edit an existing rule click the "e" next to the rule you want to change. Clicking the "x" will delete the rule.
In this example I'm going to show you how to create a rule to forward port 80 (HTTP) to a computer on your network. You can change the port and IP address depending on what you need to accomplish.
- In the protocol drop down box make sure TCP is selected.
- In the destination port range enter 80 in the "from" box; the "to" box can be left blank when you're forwarding a single port.
- Enter the IP address of the computer running the web server in the redirect target IP box.
- Enter 80 in the redirect target port field.
- Click on save, and then click apply changes.
That's it, now when the pfSense router receives a packet destined for port 80 it will be forwarded to the internal IP address of the web server.
Explaining the options
The above example was a very simple one, but there are many different options that can be used to create more complicated NAT rules. This section covers some of the common settings you might need to use.
In most situations you won't need to worry about most of these so don't let them intimidate you!
- Disabled - Checking this box allows you to turn off the rule without deleting it.
- No RDR (No NAT) - Disables redirection, negating the rule. Useful for excluding certain port ranges from a transparent proxy.
- Interface - Determines which interface the rule applies to. Typically this will be WAN unless you have multiple internet connections or are load balancing.
- Protocol - The NAT rule will only match packets that match the selected protocol. Generally the protocol will be TCP, UDP, or both. If you're unsure, check what the service uses rather than selecting TCP/UDP by default; forwarding both when only one is needed opens more than necessary.
- Source - This option allows your NAT rule to match packets from a specific source address or network. If you don't select a source the rule will match traffic from any address. Where you can, restrict the source (for example to a remote office's public address) so the forward isn't reachable from the entire internet.
- Destination - Match packets with a specific destination address. In most cases this will be set to the WAN address. If you have a multi-WAN router you might select the OPT1 address here.
- Destination port range - This option lets you forward a range of ports to the same IP address instead of creating separate rules.
- Redirect target IP - This is the internal IP address the ports should be forwarded to.
- Description - I recommend entering a comment about what this rule is used for in case you forget later. Eg: FTP Server
- No XMLRPC Sync - When this box is checked the NAT rule will not be synced to other CARP members if they are configured. CARP stands for Common Address Redundancy Protocol.
- NAT reflection - Enabling this option allows you to access a service from inside your network using the public IP address of the pfSense system. By default you can only reach the service on its internal IP, because a packet that leaves on the LAN interface destined for the WAN address is not redirected back in.
- Filter rule association - This option links the NAT rule to a firewall rule. I recommend leaving it on "create new associated filter rule", which saves you the trouble of creating a firewall rule yourself. Note that the generated rule passes traffic from the source you chose above, so if the source is left at "any" the associated firewall rule also allows the whole internet in; tighten the source in the NAT rule if that is not what you want.
How to Test Port Forwarding
Once you have created your port forwarding rule you should test it to make sure it's working properly. If you have access to a computer outside your network you can simply try to access the service you exposed at <your-public-IP>:port. On the pfSense shell, pfctl -sn lists the active rdr rules and pfctl -ss shows the states, which tells you whether a connection attempt actually matched the rule and was translated.
Unless you enabled NAT reflection you won't be able to test the service from inside your network. Eg: you can't access <your-public-IP>:port from behind the pfSense router.
One of the easiest ways to test your NAT rule is to use an online port checker. The online utilities will detect your public IP address automatically so you only need to enter the port number that you want to test.
If the port checker can connect to the port then the NAT rule is accepting connections. A successful connection only proves that something answered on that port, though, not that it was the right host; finish the test by actually using the service (load the web page, log in over SSH) to confirm the forward lands on the intended server.
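The check described above can be scripted so it tells the "port answers but the wrong host replied" case apart from a genuinely closed port. The following is an added example and not code from the original hub or from the pfSense project. It assumes a TCP service that replies to a minimal HTTP request (the port 80 web server from the rule created earlier); the loopback address, the ports and the two stand-in servers it starts are constructed so the script runs offline. To test a real forward, run check_forward() from a machine outside the LAN against your public IP. UDP forwards cannot be verified this way, since there is no handshake to complete.

```python
import socket
import threading
from typing import Optional

# Added example, not part of the original hub. The host, ports and the local
# stand-in servers below are constructed so the script runs offline; in
# practice point check_forward() at your public IP from outside the LAN.

HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes with host:port before the timeout.

    A completed handshake only proves that *something* answered on that port
    (whatever the rdr rule points at), not that it was the server you meant
    to expose.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def grab_banner(host: str, port: int, probe: bytes = HTTP_PROBE,
                timeout: float = 3.0) -> Optional[bytes]:
    """Send a minimal request and return the first bytes of the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(probe)
            return sock.recv(256)
    except OSError:
        return None


def check_forward(host: str, port: int, expect: bytes = b"HTTP/") -> str:
    """Classify a forward as 'closed', 'open-unexpected' or 'ok'.

    'open-unexpected' is the interesting case: the port answers, but not with
    the service you expected, which usually means the redirect target IP or
    port in the NAT rule is wrong.
    """
    if not check_tcp_port(host, port):
        return "closed"
    banner = grab_banner(host, port)
    if banner is None or not banner.startswith(expect):
        return "open-unexpected"
    return "ok"


def start_fake_server(response: bytes) -> int:
    """Constructed stand-in for the forwarded server; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.settimeout(2.0)
                    conn.recv(1024)          # wait for the client's probe
                    conn.sendall(response)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """A loopback port with nothing listening, to exercise the 'closed' path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    web = start_fake_server(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    other = start_fake_server(b"SSH-2.0-OpenSSH_9.0\r\n")
    print("web server    ->", check_forward("127.0.0.1", web))           # ok
    print("wrong target  ->", check_forward("127.0.0.1", other))         # open-unexpected
    print("nothing there ->", check_forward("127.0.0.1", free_port()))   # closed
```

Change the expect argument to match the service you forwarded (for SSH, b"SSH-" works, since the server speaks first). If the result is "open-unexpected", recheck the redirect target IP and port in the NAT rule; if it is "closed", check that the associated firewall rule exists on the WAN tab and that the target host's own firewall allows the connection.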
© 2011 Sam Kear