Port Forwarding in pfSense - How to Configure NAT

Updated on January 15, 2018

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelors Degree in Information Technology from UMKC.

In this hub I'll be showing you how to set up port forwarding or NAT on your pfSense router.

Port forwarding is used when you need to allow users outside of your network to access services on your internal network. For example, if you have a web server running on a machine inside your network, you would need to forward port 80 (HTTP) to the computer running the web server.

If your computer has a public IP address then you won't need to worry about port forwarding. Since most computers use private IP addresses they require port forwarding to expose internal services to the internet.

Other uses for port forwarding

  • Hosting public game servers
  • FTP
  • Remote Desktop (RDP)
  • BitTorrent
  • SSH

Determine the Port Number and IP Address

Before you can create your NAT rule you will need to know two things: the port number of the application, and the IP address of the computer running the service.

If you are running a well-known service, finding the port number is pretty easy. Usually a quick Google search will turn it up. Another method is to run a packet sniffer such as Wireshark or Tcpdump to find the port number yourself.

There are a number of ways you can find the IP address of a machine on your network. If you are running Windows, the easiest way to find the IP address is by running ipconfig from a command prompt. On a Linux machine you can run ifconfig to find the IP.

When you are setting up a NAT rule it's best to make sure the computer running the service you want to expose is on a static IP address. If the machine is on DHCP it could obtain a different IP address and the associated NAT rule would no longer work. If you have to use DHCP you can set up a DHCP reservation so it will stay on the same IP address.

Common Ports to Forward

Port Number
RDP (Remote Desktop)
FTP (File Transfer Protocol)
21/20 (Active FTP)
SSH (Secure Shell)
DNS (Domain Name Service)
HTTP (Web)
BitTorrent
Common services that you may need to set up port forwarding for.

Connect to the Web Gui

To set up your NAT rule you'll need to connect to the web interface of your pfSense router. To do this, enter the IP address of your pfSense box in the address bar of your browser.

The default username is admin, and the default password is pfsense.

pfSense Web GUI

Create the NAT Rule

To set up port forwarding click on NAT from the Firewall menu in pfSense. On the upper right hand side click the plus symbol to create a new rule. This will open up the NAT rule editor.

If you need to edit an existing rule click the "e" next to the rule you want to change. Clicking the "x" will delete the rule.

Creating a NAT rule in the web GUI

Example Rule

In this example I'm going to show you how to create a rule to forward port 80 (HTTP) to a computer on your network. You can change the port and IP address depending on what you need to accomplish.

  1. In the protocol drop down box make sure TCP is selected.
  2. In the destination port range enter 80 in the "from" box. The "to" box can be left blank when you're forwarding a single port.
  3. Enter the IP address of the computer running the web server in the redirect target IP box.
  4. Enter 80 in the redirect target port field.
  5. Click on save, and then click apply changes.

That's it, now when the pfSense router receives a packet destined for port 80 it will be forwarded to the internal IP address of the web server.

Editing the NAT rule
Click "Apply changes" to finish creating the rule.

Explaining the options

The above example was a very simple one, but there are many different options that can be used to create more complicated NAT rules. This section explains some of the common settings you might need to use.

In most situations you won't need to worry about most of these so don't let them intimidate you!

  • Disabled - Checking this box allows you to turn off the rule without deleting it.
  • No RDR (No NAT) - Disables redirection, negating the rule. Useful for filtering out certain port ranges from a transparent proxy.
  • Interface - Determines which interface the rule applies to. Typically this will be WAN unless you have multiple internet connections or are load balancing.
  • Protocol - The NAT rule will only match packets that match the selected protocol. Generally the protocol will be either TCP, UDP, or both. If you're unsure select TCP/UDP.
  • Source - This option allows your NAT rule to match packets from a specific source address or network. If you don't select a source the rule will match traffic from any address.
  • Destination - Match packets with a specific destination address. In most cases this will be set to WAN. If you have a multi-wan router you might select OPT1 here.
  • Destination port range - This option lets you forward a range of ports to the same IP address instead of creating separate rules.
  • Redirect target IP - This is the internal IP address the ports should be forwarded to.
  • Description - I recommend entering a comment about what this rule is used for in case you forget later. Eg: FTP Server
  • No XMLRPC Sync - When this box is checked the NAT rule will not be synced to other CARP members if they are configured. CARP stands for Common Address Redundancy Protocol.
  • NAT reflection - Enabling this option allows you to access a service internally using the public IP address of the pfSense system. By default you would only be able to access the service on the internal IP. Most routers/firewalls do not allow you to traverse interfaces.
  • Filter rule association - This option allows a NAT rule to be linked to a firewall rule. I recommend leaving it on "create new associated filter rule"; this will save you the trouble of having to create a firewall rule yourself.
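
An added example, not part of the original article: pfSense applies the port forward before it evaluates the WAN firewall rules, so the associated filter rule matches the redirect target IP and port, not the external port. The Python model below shows this, along with the effect of narrowing the Source; the rule layout, function names and addresses are constructed for illustration, and the 82 to 182 mapping mirrors a reader comment further down.

```python
# Constructed model of inbound WAN handling in pfSense: the port forward (NAT)
# rewrites the destination first, then the WAN firewall rules are evaluated
# against the rewritten address and port. All addresses are sample values.
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.10"  # documentation-range address standing in for the WAN IP

def translate(pkt, forwards):
    """Apply the first matching port forward and return the packet after NAT."""
    for f in forwards:
        if (pkt["proto"] == f["proto"] and pkt["dst"] == WAN_IP
                and f["port_from"] <= pkt["dport"] <= f["port_to"]):
            # In a range, the first port maps to target_port and the rest follow.
            new_port = f["target_port"] + pkt["dport"] - f["port_from"]
            return {**pkt, "dst": f["target_ip"], "dport": new_port}
    return pkt

def allowed(pkt, filter_rules):
    """A packet passes if any pass rule matches; otherwise it is dropped."""
    return any(pkt["proto"] == r["proto"] and pkt["dst"] == r["dst"]
               and pkt["dport"] == r["dport"]
               and ip_address(pkt["src"]) in ip_network(r["src"])
               for r in filter_rules)

def inbound(pkt, forwards, filter_rules):
    """Return (delivered?, (destination IP, port) after NAT)."""
    natted = translate(pkt, forwards)
    return allowed(natted, filter_rules), (natted["dst"], natted["dport"])

# Port forward: WAN port 82 -> 192.168.1.50 port 182.
FORWARDS = [{"proto": "tcp", "port_from": 82, "port_to": 82,
             "target_ip": "192.168.1.50", "target_port": 182}]
# What the associated filter rule amounts to: pass to the redirect target.
ASSOCIATED = [{"proto": "tcp", "src": "0.0.0.0/0",
               "dst": "192.168.1.50", "dport": 182}]
# A hand-written rule on the external port never matches after NAT.
EXTERNAL_PORT = [{"proto": "tcp", "src": "0.0.0.0/0", "dst": WAN_IP, "dport": 82}]
# The associated rule with its source narrowed to one known network.
RESTRICTED = [{**ASSOCIATED[0], "src": "198.51.100.0/24"}]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "198.51.100.7", "dst": WAN_IP, "dport": 82}
    for name, rules in (("associated", ASSOCIATED),
                        ("external port", EXTERNAL_PORT),
                        ("restricted", RESTRICTED)):
        print(name, inbound(pkt, FORWARDS, rules))
```
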

How to Test Port Forwarding

Once you have created your port forwarding rule you should test it to make sure it's working properly. If you have access to a computer outside your network you could simply try to access the remote service that you configured.

Unless you enabled NAT reflection you won't be able to test the service from inside your network. Eg: you can't access <your-public-IP>:port from behind the pfSense router.

One of the easiest ways to test your NAT rule is to use an online port checker. The online utilities will detect your public IP address automatically so you only need to enter the port number that you want to test.

If the port checker can connect to the port then you have successfully configured NAT!
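
If you have a machine outside your network, the same check can be scripted. This is an added example, not from the original article: it classifies a TCP connection attempt to your own public IP and prints what each result usually points to in the NAT rule; the function name, the result labels and the hint text are assumptions of this example.

```python
# Added example: classify a TCP connection attempt to a forwarded port.
# Run it from a machine outside your network against your own public IP.
import argparse
import socket

# What each result usually means for a pfSense port forward (general guidance).
HINTS = {
    "open": "NAT rule, firewall rule and service are all working.",
    "closed": "Connection refused: check that the service is listening on "
              "the redirect target IP and port.",
    "filtered": "No reply: check the NAT rule's interface and protocol, its "
                "associated firewall rule, and whether your ISP blocks the port.",
}

def check_port(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # three-way handshake completed
    except socket.gaierror:
        raise                    # bad hostname: not a statement about the port
    except ConnectionRefusedError:
        return "closed"          # a reset came back from somewhere on the path
    except OSError:
        return "filtered"        # timeout or unreachable: the packet was dropped

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Test a forwarded TCP port")
    ap.add_argument("host", help="your public IP address or hostname")
    ap.add_argument("port", type=int, help="external port of the NAT rule")
    args = ap.parse_args()
    result = check_port(args.host, args.port)
    print(f"{args.host}:{args.port} is {result}. {HINTS[result]}")
```
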


© 2011 Sam Kear


    • 2 years ago

      I connect OpenVPN server (CentOS VPS) via pfSense. How do I connect 10000:20000 port from outside network? I have no public IP, so I use VPS for OpenVPN server.

    • Varma Adduri

      3 years ago

      Hi Sam,

      How can I port forward to an OpenVPN client? For example:

      My local pfsense network is 1.0/24

      My openvpn client connected to pfsense and it is allocated with ip 12.99

      How can I port forward 8080 from public net to 12.99:8080?

      Please suggest.


    • John R

      3 years ago


      You have no idea how many hours I have struggled with Port Forwarding in pfsense as a new user!!

      I want to pass port 82 through to port 182 on a local server.

      The key is "Filter Rule Association : create new associated filter rule" ....

      What I didn't expect is that created rule is on the 182 port - this means the Firewall is logically AFTER the port forward - whereas I would have thought (if any additional firewall rule was necessary) it would have been to open 82.

      Well you live and learn.....

      I wonder how many of the persons writing above, and new users of pfsense, have this problem.

      Thus, the only improvement to this article I could suggest, is a bold comment that a port forwarding rule is not in itself sufficient - a firewall rule is also required on the redirected port!! Very different to my experience with Netgear, Dlink and TpLink routers I have used in the past.



    • 3 years ago

      Hi Dear Skear. I need your help. I run public IPs in LAN and have one public IP with gateway in WAN, but I don't know how to configure NAT in pfSense so that clients can access the internet.

    • Sam Kear (AUTHOR)

      4 years ago from Kansas City

      @Omar Yes the same method can be used for making your DVR accessible from the internet. You would just need to determine which port the service uses and forward that port to the IP address of the DVR.

    • 4 years ago

      Hi sir, can I use this method for CCTV DVR port forwarding to be able to see my DVR online?

    • Sam Kear (AUTHOR)

      5 years ago from Kansas City

      Hi Azeem,

      You would simply need to create a port forwarding rule to forward port 80 to and it will then be accessible from outside your network.

    • 5 years ago

      Hi,

      I need your help. Can anybody have any idea about my question?

      I host a website on my local machine (ip and now I want to access website from the outside of my network with my pfsense live up?

      Any idea?

    • Sam Kear (AUTHOR)

      5 years ago from Kansas City

      With NAT you can only forward port 80 to a single IP address inside your network. The solution to hosting multiple web servers with NAT is to either set up virtual hosts on your webserver, or create a reverse proxy that can multiplex requests for different domains to the correct web server.

    • 6 years ago

      Hi, all your guides are great but I have a problem. If I port forward port 21 to my FTP server (passive), everything connecting from outside to the FTP works okay. If I forward another port like 55234, redirecting it to port 21 of the FTP server LAN address, passive mode does not work correctly from outside the LAN. I know that pfSense has an FTP proxy helper; could it be that it works only when the port forwarded is only to port 21?

    • 7 years ago

      Great post.

      I would like to ask a question: how can I implement the firewall when trying to simulate different NAT connections (Port-Restricted, Restricted-cone)?

      How can I use this great firewall in simulating NAT, of course using a VMware machine? Which topology should I use?


    • 7 years ago

      Thank you a great topic.....

    • V for Verdana

      8 years ago

      Nice to see someone writing a hub that's for the tech-head and not just another article about making cupcakes. Unless cupcake is some protocol?

    • 8 years ago

      Thanks for the guide. Can you allow all ports except 21 and 22?

    • Gean Paul Tura

      8 years ago from Philippines

      This is a great hub! Helps a lot to access my Internet cafe management software when I'm mobile! Keep up the good job Sam!

