Sam works as a network analyst for an algorithmic trading firm. He obtained his bachelor's degree in information technology from UMKC.
In this hub I'll be showing you how to set up port forwarding or NAT on your pfSense router.
Port forwarding is used when you need to allow users outside of your network to access services on your internal network. For example if you have a web server running on a machine inside your network you would need to forward port 80 (HTTP) to the computer running the web server.
If your computer has a public IP address then you won't need to worry about port forwarding. Since most computers use private IP addresses they require port forwarding to expose internal services to the internet.
Other uses for port forwarding
- Hosting public game servers
- Remote Desktop (RDP)
- Bit Torrent
Determine the Port Number and IP Address
Before you can create your NAT rule you will need to know two things, the port number of the application, and the IP address of the computer running the service.
If you are running a well known service finding the port number is pretty easy to do. Usually you can search Google and find it pretty easily. Another method is to run a packet sniffer such as Wireshark or Tcpdump to find the port number yourself.
There are a number of ways you can find the IP address of a machine on your network. If you are running windows the easiest way to find the IP address is by running ipconfig from a command prompt. On a Linux machine you can run ifconfig to find the IP.
When you are setting up a NAT rule it's best to make sure the computer running the service you want to expose is on a static IP address. If the machine is on DHCP it could obtain a different IP address and the associated NAT rule would no longer work. If you have to use DHCP you can set up a DHCP reservation so it will stay on the same IP address.
Common Ports to Forward
RDP (Remote Desktop)
FTP (File Transfer Protocol)
21/20 (Active FTP)
SSH (Secure Shell)
DNS (Domain Name Service)
HTTPS (Secure HTTP)
Connect to the Web Gui
To setup your NAT rule you'll need to connect to the web interface of your pfSense router. To do this enter the IP address of your pfSense box in the address bar of your browser.
The default username is admin, and the default password is pfsense.
Create the NAT Rule
To set up port forwarding click on NAT from the Firewall menu in pfSense. On the upper right hand side click the plus symbol to create a new rule. This will open up the NAT rule editor.
If you need to edit an existing rule click the "e" next to the rule you want to change. Clicking the "x" will delete the rule.
In this example I'm going to show you how to create a rule to forward port 80 (HTTP) to a computer on your network. You can change the port and IP address depending on what you need to accomplish.
- In the protocol drop down box make sure TCP is selected.
- In the destination port range enter 80 in the "from" box, the "to" box can be left when you're forwarding a single port
- Enter the IP address of the computer running the web server in the redirect target IP box.
- Enter 80 in the redirect target port field.
- Click on save, and then click apply changes.
That's it, now when the pfSense router receives a packet destined for port 80 it will be forwarded to the internal IP address of the web server.
Explaining the options
The above example was a very simple one but there are many different options that can be used to create more complicated NAT rules. This section some of the common settings you might need to use.
In most situations you won't need to worry about most of these so don't let them intimidate you!
- Disabled - Checking this box allows you to turn off the rule without deleting it.
- No RDR (No NAT)- Disables redirection negating the rule. Useful for filtering out certain port ranges from a transparent proxy.
- Interface - Determines which interface the rule applies to. Typically this will be WAN unless you have multiple internet connections or are load balancing.
- Protocol - The NAT rule will only match packets that match the selected protocol. Generally the protocol will be either TCP, UDP, or both. If you're unsure select TCP/UDP.
- Source - This option allows your NAT rule to match packets from a specific source address or network. If you don't select a source the rule will match traffic from any address.
- Destination - Match packets with a specific destination address. In most cases this will be set to WAN. If you have a multi-wan router you might select OPT1 here.
- Destination port range - This option lets you forward a range of ports to the same IP address instead of creating separate rules.
- Redirect target IP - This is interal IP address the ports should be forwarded to.
- Description - I recommend entering a comment about what this rule is used for incase you forget later. Eg: FTP Server
- No XMLRPC Sync - When this box is checked the NAT rule will not be sycned to other CARP members if they are configured. CARP stands for Common Address Redundancy Protocol.
- NAT reflection - Enabling this option allows you to access a service internally using the public IP address of the pfSense system. By default you would only be able to access the service on the internal IP. Most routers/firewalls do not allow you to traverse interfaces.
- Filter rule association - This option allows a NAT rule to be linked to a firewall rule. I recommend leaving it on "create new associated filter rule", this will save you the trouble of having to create a firewall rule yourself.
How to Test Port Forwarding
Once you have created your port forwarding rule you should test it to make sure it's working properly. If you have access to a computer outside your network you could simply try to access to remote service that you configured.
Unless you enabled NAT reflection you won't be able to test the service from inside your network. Eg: you can't access <your-public-IP>:port from behind the pfSense router.
One of the easiest ways to test your NAT rule is to use an online port checker. The online utilities will detect your public IP address automatically so you only need to enter the port number that you want to test.
If the port checker can connect to the port then you have successfully configured NAT!
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
© 2011 Sam Kear
Shetu on April 02, 2018:
I connect open vpn server (centos vps) via pfsense. How do I connect 10000:20000 port from Outside network? I have no public ip, so i use vps for openvpn server.
Varma Adduri on January 10, 2017:
How can I port forward to a OpenVPN Client. for ex.
My local pfsense network is 1.0/24
My openvpn client connected to pfsense and it is allocated with ip 12.99
how can i port forward 8080 from public net to 12.99:8080
John R on December 17, 2016:
You have no idea how many hours I have struggled with Port Forwarding in pfsense as a new user!!
I want to pass port 82 through to port 182 on a local server.
The key is "Filter Rule Association : create new associated filter rule" ....
What I didn't expect is that created rule is on the 182 port - this means the Firewall is logically AFTER the port forward - whereas as I would have thought (if any additional firewall rule was necessary) it would have been to open 82.
Well you live and learn.....
I wonder how many of the persons writing above, and new users of pfsense, have this problem.
Thus, the only improvement to this article I could suggest, is a bold comment that a port forwarding rule is not in itself sufficient - a firewall rule is also required on the redirected port!! Very different to my experience with Netgear, Dlink and TpLink routers I have used in the past.
omid on November 16, 2016:
Hi Dear Skear . I need your help, I run public ips in LAN and have one public ip with gateway in wan . but i dont know how to configuring NAT in pfsense that clients can access internet.
Sam Kear (author) from Kansas City on October 06, 2015:
@Omar Yes the same method can be used for making your DVR accessible from the internet. You would just need to determine which port the service uses and forward that port to the IP address of the DVR.
Omar on October 05, 2015:
hi sir, can i use this method for cctv dvr port forwarding to be able to see my dvr online?
Sam Kear (author) from Kansas City on May 19, 2015:
You would simply need to create a port forwarding rule to forward port 80 to 192.168.0.5 and it will then be accessible from outside your network.
Azeem on May 17, 2015:
I need your help.can any body have any idea about my question?
i host a website on my local machine(ip 192.168.0.5) and now i want to access website from the out side of my network with my pfsense live up.?
Sam Kear (author) from Kansas City on December 14, 2014:
With NAT you can only forward port 80 to a single IP address inside your network. The solution to hosting multiple web servers with NAT is to either setup virtual hosts on your webserver, or create a reverse proxy that can multiplex requests for different domains to the correct web server.
andrew on December 14, 2013:
Hi all your guides are great but i have a problem. If i port forward port 21 to my ftp server (passive) everything connecting from outside to the ftp works okay. If i forward another port like 55234 redirecting it to port 21 of the ftp server lan address passive mode does not work correctly from outside the lan. I know that pfsense has an ftp proxy helper, could it be that it works only when the port fortwared is only to port 21 ?
Eldad on January 20, 2013:
I would like to ask a question how can I implement the firewall when trying to simulate different NAT connections (Port-Restricted, Restricted-cone).
How can I use This great firewall in simulating NAT, of course using Vmware machine? Which topology should I use?
Raafat on January 12, 2013:
Thank you a great topic.....
V for Verdana on November 22, 2011:
nice to see someone writing a hub that's for the tech-head and not just another article about making cupcakes. Unless cupcake is some protocol?
Kim on November 13, 2011:
thanks for the guide. can you allow all ports except 21 and 22?
Gean Paul Tura from Philippines on August 21, 2011:
This is a great hub! Helps a lot to access my Internet cafe management software when I'm mobile! Keep up the good job Sam!