Port Forwarding in pfSense - How to Configure NAT

In this hub I'll be showing you how to set up port forwarding or NAT on your pfSense router.

Port forwarding is used when you need to allow users outside of your network to access services on your internal network. For example, if you have a web server running on a machine inside your network, you would need to forward port 80 (HTTP) to the computer running the web server.

If your computer has a public IP address then you won't need to worry about port forwarding. Since most computers use private IP addresses they require port forwarding to expose internal services to the internet.

Other uses for port forwarding

  • Hosting public game servers
  • FTP
  • Remote Desktop (RDP)
  • BitTorrent
  • SSH

Determine the Port Number and IP Address

Before you can create your NAT rule you will need to know two things: the port number of the application, and the IP address of the computer running the service.

If you are running a well-known service, finding the port number is pretty easy to do. Usually you can search Google and find it pretty easily. Another method is to run a packet sniffer such as Wireshark or Tcpdump to find the port number yourself.

There are a number of ways you can find the IP address of a machine on your network. If you are running Windows, the easiest way to find the IP address is by running ipconfig from a command prompt. On a Linux machine you can run ifconfig to find the IP.

When you are setting up a NAT rule it's best to make sure the computer running the service you want to expose is on a static IP address. If the machine is on DHCP it could obtain a different IP address and the associated NAT rule would no longer work. If you have to use DHCP you can set up a DHCP reservation so it will stay on the same IP address.

Common Ports to Forward

Service: Port Number
  • RDP (Remote Desktop)
  • FTP (File Transfer Protocol): 21/20 (Active FTP)
  • SSH (Secure Shell)
  • DNS (Domain Name Service)
  • HTTP (Web)
  • BitTorrent
Common services that you may need to set up port forwarding for.
pfSense Web GUI

Connect to the Web GUI

To set up your NAT rule you'll need to connect to the web interface of your pfSense router. To do this, enter the IP address of your pfSense box in the address bar of your browser.

The default username is admin, and the default password is pfsense.

Creating a NAT rule in the web GUI

Create the NAT Rule

To set up port forwarding click on NAT from the Firewall menu in pfSense. On the upper right hand side click the plus symbol to create a new rule. This will open up the NAT rule editor.

If you need to edit an existing rule click the "e" next to the rule you want to change. Clicking the "x" will delete the rule.

Editing the NAT rule

Example Rule

In this example I'm going to show you how to create a rule to forward port 80 (HTTP) to a computer on your network. You can change the port and IP address depending on what you need to accomplish.

  1. In the protocol drop down box make sure TCP is selected.
  2. In the destination port range enter 80 in the "from" box. The "to" box can be left empty when you're forwarding a single port.
  3. Enter the IP address of the computer running the web server in the redirect target IP box.
  4. Enter 80 in the redirect target port field.
  5. Click on save, and then click apply changes.

That's it. Now, when the pfSense router receives a packet destined for port 80, it will be forwarded to the internal IP address of the web server.

Click "Apply changes" to finish creating the rule.

Explaining the options

The above example was a very simple one, but there are many different options that can be used to create more complicated NAT rules. This section explains some of the common settings you might need to use.

In most situations you won't need to worry about most of these so don't let them intimidate you!

  • Disabled - Checking this box allows you to turn off the rule without deleting it.
  • No RDR (No NAT) - Disables redirection, negating the rule. Useful for filtering out certain port ranges from a transparent proxy.
  • Interface - Determines which interface the rule applies to. Typically this will be WAN unless you have multiple internet connections or are load balancing.
  • Protocol - The NAT rule will only match packets that match the selected protocol. Generally the protocol will be either TCP, UDP, or both. If you're unsure select TCP/UDP.
  • Source - This option allows your NAT rule to match packets from a specific source address or network. If you don't select a source the rule will match traffic from any address.
  • Destination - Match packets with a specific destination address. In most cases this will be set to WAN. If you have a multi-wan router you might select OPT1 here.
  • Destination port range - This option lets you forward a range of ports to the same IP address instead of creating separate rules.
  • Redirect target IP - This is the internal IP address the ports should be forwarded to.
  • Description - I recommend entering a comment about what this rule is used for in case you forget later. E.g.: FTP Server
  • No XMLRPC Sync - When this box is checked the NAT rule will not be synced to other CARP members if they are configured. CARP stands for Common Address Redundancy Protocol.
  • NAT reflection - Enabling this option allows you to access a service internally using the public IP address of the pfSense system. By default you would only be able to access the service on the internal IP. Most routers/firewalls do not allow you to traverse interfaces.
  • Filter rule association - This option allows a NAT rule to be linked to a firewall rule. I recommend leaving it on "create new associated filter rule"; this will save you the trouble of having to create a firewall rule yourself.
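Because a rule with no Source set matches traffic from any address, it is worth reviewing which forwards expose remote-access services to the whole internet. The following is an added example, not part of the original article or of pfSense itself: it reads the NAT rules from a configuration backup and flags FTP, SSH and RDP forwards that are open to any source. The XML element names are assumed from the pfSense 2.x config.xml layout, and the sample rules, addresses and descriptions are constructed.

```python
import xml.etree.ElementTree as ET

# Remote-access services from the article's list; worth a restricted Source.
ADMIN_PORTS = {"21": "FTP", "22": "SSH", "3389": "RDP"}

def _rule(src, wan_port, target, local_port, descr):
    """Build one constructed <rule> in the assumed config.xml layout."""
    return (f"<rule><source>{src}</source>"
            f"<destination><network>wanip</network><port>{wan_port}</port></destination>"
            f"<protocol>tcp</protocol><target>{target}</target>"
            f"<local-port>{local_port}</local-port><interface>wan</interface>"
            f"<descr>{descr}</descr></rule>")

# Constructed sample backup; addresses and descriptions are made up.
SAMPLE_CONFIG = "<pfsense><nat>" + "".join([
    _rule("<any/>", "80", "192.168.1.10", "80", "Web server"),
    _rule("<any/>", "2222", "192.168.1.30", "22", "SSH on alternate port"),
    _rule("<address>203.0.113.7</address>", "3389", "192.168.1.20", "3389", "RDP from office"),
]) + "</nat></pfsense>"

def audit_port_forwards(config_xml):
    """List enabled forwards; review=True for admin services open to any source."""
    findings = []
    for rule in ET.fromstring(config_xml).findall("./nat/rule"):
        if rule.find("disabled") is not None:
            continue  # the "Disabled" checkbox: rule exists but is off
        src = rule.find("source")
        any_source = src is None or src.find("any") is not None
        local_port = rule.findtext("local-port", default="")
        # Judge by the internal port: the WAN-side port may be remapped.
        service = ADMIN_PORTS.get(local_port)
        findings.append({
            "descr": rule.findtext("descr", default=""),
            "wan_port": rule.findtext("destination/port", default=""),
            "target": f"{rule.findtext('target', default='')}:{local_port}",
            "service": service,
            "review": any_source and service is not None,
        })
    return findings

if __name__ == "__main__":
    for f in audit_port_forwards(SAMPLE_CONFIG):
        flag = "REVIEW" if f["review"] else "ok"
        print(f"{flag:6} WAN:{f['wan_port']} -> {f['target']} ({f['descr']})")
```

The SSH forward is flagged even though it listens on WAN port 2222, while the RDP forward limited to one source address is not.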

How to Test Port Forwarding

Once you have created your port forwarding rule you should test it to make sure it's working properly. If you have access to a computer outside your network you could simply try to access the remote service that you configured.

Unless you enabled NAT reflection you won't be able to test the service from inside your network. E.g.: you can't access <your-public-IP>:port from behind the pfSense router.

One of the easiest ways to test your NAT rule is to use an online port checker. The online utilities will detect your public IP address automatically so you only need to enter the port number that you want to test.

If the port checker can connect to the port then you have successfully configured NAT!
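If you have a machine outside your network, you can run the same check yourself. This is an added example, not part of the original article: it attempts a TCP connection to each forwarded port and explains the result, on the assumption that the pfSense WAN interface silently drops traffic that matches no rule.

```python
import socket
import sys

# What each result means for a port forward tested from outside the WAN
# (interpretation assumes unmatched WAN traffic is dropped without a reply).
MEANING = {
    "open": "forward works and the service answered",
    "closed": "connection refused: the forward most likely reached the target, "
              "but nothing is listening on the redirect target port",
    "filtered": "no reply: no NAT/firewall rule matched, the target is down, "
                "or an upstream device blocks the port",
}

def check_port(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        raise  # a bad hostname is a usage error, not a port state
    except OSError:
        return "filtered"  # timeout, or host/network unreachable

def check_forwards(host, ports, timeout=3.0):
    """Check every forwarded port and return {port: state}."""
    return {port: check_port(host, port, timeout) for port in ports}

if __name__ == "__main__":
    # Usage: python3 check_forward.py <your-public-IP> 80 [more ports...]
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port, state in check_forwards(host, ports).items():
        print(f"{host}:{port} {state} - {MEANING[state]}")
```

Run it from outside the network; from behind the pfSense router the result only reflects the rule if NAT reflection is enabled.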

© 2011 Sam Kear

Comments 11 comments

Gean Paul Tura 5 years ago from Philippines

This is a great hub! Helps a lot to access my Internet cafe management software when I'm mobile! Keep up the good job Sam!

Kim 4 years ago

Thanks for the guide. Can you allow all ports except 21 and 22?

V for Verdana 4 years ago


nice to see someone writing a hub that's for the tech-head and not just another article about making cupcakes. Unless cupcake is some protocol?

Raafat 3 years ago

Thank you a great topic.....

Eldad 3 years ago


Great post.

I would like to ask a question how can I implement the firewall when trying to simulate different NAT connections (Port-Restricted, Restricted-cone).

How can I use This great firewall in simulating NAT, of course using Vmware machine? Which topology should I use?


andrew 2 years ago

Hi all, your guides are great but I have a problem. If I port forward port 21 to my FTP server (passive) everything connecting from outside to the FTP works okay. If I forward another port like 55234 redirecting it to port 21 of the FTP server LAN address, passive mode does not work correctly from outside the LAN. I know that pfSense has an FTP proxy helper, could it be that it works only when the port forwarded is only to port 21?

skear 22 months ago from Kansas City Author


With NAT you can only forward port 80 to a single IP address inside your network. The solution to hosting multiple web servers with NAT is to either setup virtual hosts on your webserver, or create a reverse proxy that can multiplex requests for different domains to the correct web server.

Azeem 17 months ago

Hi ,

I need your help. Can anybody have any idea about my question?

i host a website on my local machine(ip and now i want to access website from the out side of my network with my pfsense live up.?

any idea

skear 17 months ago from Kansas City Author

Hi Azeem,

You would simply need to create a port forwarding rule to forward port 80 to and it will then be accessible from outside your network.

Omar 12 months ago

Hi sir, can I use this method for CCTV DVR port forwarding to be able to see my DVR online?

skear 12 months ago from Kansas City Author

@Omar Yes the same method can be used for making your DVR accessible from the internet. You would just need to determine which port the service uses and forward that port to the IP address of the DVR.
