NAT

NAT-PMP/PCP rules show ? for internal IP address

Bob.Dig — Mon, 11 May 2026 04:14:00 GMT

I am not using it but a quick test confirms your findings. [image: 1778485423398-screenshot-2026-05-11-at-09-40-52-pfsense.internal-status-upnp-igd-amp-pcp.png]

pfSense Plus update disables xBox

Uglybrian — Sat, 09 May 2026 02:11:32 GMT

Have you taken a look over in the gaming posts? https://forum.netgate.com/category/36/gaming The first 2 pinned post. I guessing your Xbox was not assigned a static address. So maybe , after the update it was assigned a differnt ip address and NAT stoped working, maybe. Here are my ps5 settings that give me NAT 2. static address: [image: 1778355070400-2026-05-09_12-30.png] firewall outbound NAT: [image: 1778355179214-2026-05-09_12-32.png] you will need to give more info on how you have gaming set up. This is just a guess on my part.

NAT hairpin not working

tinfoilmatt — Wed, 06 May 2026 18:47:15 GMT

Make sure you've read through this article, Troubleshooting NAT Port Forwards, from the official docs. Specifically the pfSense software is not the border/edge router and Return Routing subsections may be of particular relevance.

Strange issue with NAT64 - does not work for private IPv4 addresses

ChrisJenk — Mon, 04 May 2026 08:45:23 GMT

So I found this option, which solves all my problems: [image: 1777887852722-screenshot-2026-05-04-at-10.43.31-resized.png]

Setting up SSH usingNetgate 2100 for tgraffic between 2 virtual lans

idgeng — Thu, 26 Mar 2026 08:14:13 GMT

@Gertjan Thanks for your suggestions

OutBound Manual NAT Applying NAT rules to more Specific Subnets Confirmation

rfranzke — Sun, 22 Mar 2026 18:52:30 GMT

Thanks here. I was really trying to avoid breaking something so making sure I understood how it works. Thanks for the confirmation.

One solution for NAT rules failing

SteveITS — Sun, 15 Mar 2026 19:34:22 GMT

@Ross-Garmoe If the NAT rules were using a host alias with FQDN, pfSense resolves the FQDN every few minutes to create/update the pf alias. It's not really a NAT issue but if the table was empty it wouldn't create. I would have expected an error about an empty table/invalid alias though...at least that's the case for firewall rules. Assuming it was an internal domain name FQDN, another option would have been to set a domain override, so any DNS query hitting pfSense for the internal domain would get forwarded to the AD DNS server(s). Sounds like disabling pfSense DNS got pfSense to use AD DNS and resolve the FQDN? Anyway, glad it's working.

IPv6 gateway monitoring failing intermittently with 1:1 NAT on assigned WireGuard interfaces

omhoward — Fri, 13 Mar 2026 21:44:38 GMT

Hi All,
I have two assigned WireGuard interfaces used as VPN client uplinks (tun_wg0, tun_wg1), each with IPv6 1:1 NAT configured. After a reboot or after editing an interface, one of the two IPv6 gateways randomly flips to DOWN with 100% packet loss — even though the tunnel is up and passing traffic fine. The IPv4 gateways on the same interfaces work correctly at all times.

What appears to be happening is dpinger binds to the interface IP via -B as expected. The problem is that pf's binat rule is intermittently firing for the ICMPv6 probe traffic, translating the source address before it leaves the interface:

tcpdump -i tun_wg0 -n ip6 ← broken gateway

PREFIX:0:2:0:2 > MONITOR_IP: ICMP6 echo request   ← source translated by binat
MONITOR_IP > PREFIX:0:2:0:2: ICMP6 echo reply      ← reply goes to NAT addr, not ::6

tcpdump -i tun_wg1 -n ip6 ← working gateway

PREFIX:0:2:0:a > MONITOR_IP: ICMP6 echo request   ← source intact, no translation
MONITOR_IP > PREFIX:0:2:0:a: ICMP6 echo reply      ← reply received correctly

The 1:1 NAT rules are identical on both interfaces. IPv4 binat is also loaded on both but doesn't fire for ICMP probes (which is the correct behavior). This seems specific to ICMPv6 and appears to be a transient pf state issue triggered during interface initialization.

Trigger conditions:
Reboot — one of the two IPv6 gateways is affected at random
Editing or restarting an assigned interface or IPv6 gateway — the gateway associated with that interface is affected

Workaround:
Restarting the WireGuard service immediately fixes it — no config changes needed:
VPN > WireGuard > (restart service). It stays fixed until one of the trigger conditions above happens again.

Has anyone seen this or found a more permanent fix?
Happy to provide additional captures or config details.

IPsec NAT Only Works In One Direction

planedrop — Mon, 02 Mar 2026 21:55:55 GMT

I posted a similar question over in the IPsec section, but it's gotten no traffic and I think this may be more related to NAT anyway. So posting it here but with a more specific layout.

I’ll try to lay this out as concisely as I can, but I’m baffled by an odd issue (or a misunderstanding) with an IPsec setup I am working on in my lab.

The VPN is connected and working and I’ve done a ton of troubleshooting already with no luck. Below is the layout, then I’ll explain what’s not working.

Site A
Local subnet of 10.10.12.0/24 with a host at 10.10.12.10 which I am using for testing
IPsec Phase 2 setup to connect to Site B
Network NAT enabled on the Phase 2 to NAT to subnet 172.16.51.0/24
Firewall rules on the 10.10.12.0/24 subnet to allow pinging to a 192.168.15.0/24 subnet at Site B
Firewall rules on the IPsec tab to allow 192.168.15.0/24 to ping back to 10.10.12.0/24 (since NAT is processed first, as documentation talks about)
Site B
Local subnet of 192.168.15.0/24 with a host at 192.168.15.10 for testing
IPsec Phase 2 setup back to Site A
No NAT enabled
Phase 2 is setup with the Remote Network as Site A’s NAT subnet
Firewall rules on the 192.168.15.0/24 subnet to allow pinging back to 172.16.51.0/24
Firewall rules on the IPsec tab to allow 172.16.51.0/24 to ping 192.168.15.0/24

The issue I am having is that 192.168.15.10 at Site B can not ping 172.16.51.10 (which translates to 10.10.12.10) at Site A. However, Site A’s 10.10.12.10 can ping 192.168.15.10 without issue. More importantly, if Site A pings Site B first, then Site B can ping back to Site A just fine.

As I understand it, this should be working according to documentation since each 4th Octet is NATed at a 1 to 1 ratio, so Site B should be able to initiate pings.

192.168.15.10’s traffic does pass firewall rules and does pass on both the IPsec tab (validated with a pcap) and on the “WAN” (quotes since this is a lab) based on the ESP packets I am seeing (no other VPN in use and the counts match).

The traffic gets to Site A as well, validated also by checking ESP packet counts. But it never shows up on the IPsec tab with a pcap. And the Security Associations on IPsec > Status don’t count bytes up, so as I understand it this is failing the SPD check.

But if I check the IPsec SPD tab, I can see a proper SPD entry for 192.168.15.0/24 > 172.16.51.0/24, so as I understand it, it should work. I can’t find info on it, but, isn’t the SPD checked before NAT would happen?

Regardless, I feel like this should be working and I’m pretty lost here.

External access over CG-NAT

elvisimprsntr — Thu, 26 Feb 2026 14:09:09 GMT

@fabiolavor said in External access over CG-NAT: Okay! I can install Tailscale on my PC (PC1), but I can't install it on the PCs at my work because I don't have administrator access. I need another solution. I believe I already mentioned this in my first post. Sounds like someone is looking to bypass employer IT security policies to remotely access their home computer for what ever reason. Even if not nefarious, doing so on company time, which in most countries would be grounds for termination.

Creating a custom WAN interface

SteveITS — Tue, 24 Feb 2026 20:35:43 GMT

@Diggy This should be a starting point. Ignore the parts about gateway groups, etc. that apply to multiple WANs. https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4200/opt-wan.html You could also reset it to a default config and start over?

SMB on WAN not working

johnpoz — Thu, 12 Feb 2026 07:22:30 GMT

@AndyRH said in SMB on WAN not working: Sometimes young is not trips around the sun, but time with a thing Exactly ;) Notice I said maybe you are too young to remember, sure that could be your actual age, or it could be how long you been in the IT game.. If you been in the game awhile you would clearly remember all the smb issues from back in the day ;) If you new then your too young to remember it ;)

ICMPv6 protocol missing from outbound NAT rule creation

tinfoilmatt — Fri, 06 Feb 2026 16:01:41 GMT

Just updating this thread for posterity—to confirm that "no nat" is the only way (and probably the only correct way) to resolve this leaking of a private WireGuard interface address. This did not work: nat on $WAN inet6 proto icmp from [WAN interface link-local]/128 to [ISP interface link-local]/128 -> [ISP interface link-local]/128 nat on $WAN inet from any to any -> [WireGuard interface address] port 1024:65535 nat on $WAN inet6 from any to any -> [WireGuard interface address] port 1024:65535 There's a mismatch there between "inet6" and "icmp". This may work if "icmp6" was available via the webConfigurator's NAT rule configuration "Protocol" dropdown: nat on $WAN inet6 proto icmp6 from [WAN interface link-local]/128 to [ISP interface link-local]/128 -> [ISP interface link-local]/128 nat on $WAN inet from any to any -> [WireGuard interface address] port 1024:65535 nat on $WAN inet6 from any to any -> [WireGuard interface address] port 1024:65535 But I've had to settle for this: no nat on $WAN inet6 from [WAN interface link-local]/128 to [ISP interface link-local]/128 no nat on $WAN inet6 proto udp from [WAN interface link-local]/128 port 546 to ff02::1:2/128 port 547 nat on $WAN inet from any to any -> [WireGuard interface address] port 1024:65535 nat on $WAN inet6 from any to any -> [WireGuard interface address] port 1024:65535 (Note that I also needed to add a "no nat" rule to preserve DHCPv6 functionality.)

NAT for SIP traffic not working if packet size is greater 1452 bytes => solution

getcom — Tue, 27 Jan 2026 16:21:56 GMT

@netblues Yes, you are right, the default is unchecked. We checked that setting on several pfsense appliances and in some cases we found two of them with disabled firewall scrub. It is possible that there was another issue with that setting in the past.

Inbound NAT - L2TP Tunnel traffic not working

MattL88 — Mon, 19 Jan 2026 21:40:42 GMT

So I had multiple issues, DNS been one so my alias were not working which in turn broke the NAT's. Also an alias ended up corrupting something as it had made it self too big taking the config file over 2500 lines once and I believe there is a 750 line limit. After some 30 hours of looking at this I am now working with thanks to various topics online I got there.

PFSENSE OUTBOUNT NAT ISSUE (NO INTERNET FROM LAN)

luckman212 — Fri, 09 Jan 2026 10:51:59 GMT

Cloud router was blocking traffic between cloud private networks. What exactly is "Cloud router" ? Did you not know such a thing was sitting in between your hosts when you started the troubleshooting?

Manual Outbound NAT not respected? internal routing still applies NAT (Src NAT) despite empty ruleset

Forenlurch71 — Wed, 07 Jan 2026 22:31:26 GMT

@tinfoilmatt @SteveITS Funny, its solved. I needed to reinstall 2.8.1 on new hardware anyway, imported my config. Guess what, its working now without any other changes.

Forwarding SMTP traffic from LAN interface address to other LAN address

johnpoz — Sun, 04 Jan 2026 22:57:31 GMT

@webminster so users/devices point to an IP to send mail? Why would you not just use some fqdn, now if you want to move the server it's a single change of the dns record to what the new IP is.

NAT Rules Revert to WAN When Deleting Underlying Interface on 2.6.0 (Possible Security Issue?)

7666 — Mon, 29 Dec 2025 17:55:37 GMT

Hi,

I have a pfSense install, version 2.6.0-RELEASE, where I am experiencing unintended behavior that could possibly result in a security issue. I am trying to confirm whether or not this behavior is expected, and if it is not, if it has been patched in a later version of pfSense (I understand 2.6.0 is a tad old).

The issue is pretty simple. Say you have three interfaces, WAN, OPT1, and OPT2, and you have created NAT rules for OPT1 and OPT2, specifically port forwards. OPT1 and OPT2 are either OpenVPN or Wireguard tunnels. You decide you no longer need OPT2 and delete it from the interfaces page. Now, when you look at the NAT rules you had before, the OPT2 rules will have reverted to the WAN interface, as well as the correlating firewall rules allowing the traffic to pass. The problem is that this behavior is not communicated to the user and can lead to an unintended publishing of internal services to the WAN if any of the IPs or ports for the rule match up to a live service.

Steps to reproduce:

Create a new interface. Name it whatever. For this exercise we'll use OPT2. Enable it.
Add a port forward NAT rule tied to OPT2. Use whatever ports and IP you like. Commit the changes.
Now delete OPT2 from the interfaces page entirely and head back to the NAT port forwards page.
You should see that the port forward rule has now reverted to WAN without a message or even a change commit / reload required.
Now go to the firewall page and observe the rule that was created for the port forward. It should also now be pointed to WAN, meaning it will actually work and forward traffic.

Is anyone else able to replicate this behavior? Does it happen on 2.7.0+? And is this expected? I worry that this could really bite someone in the behind if they have no idea it is happening. Either a confirmation or message to the user if port forwards are detected tied to an interface pending deletion, or a way to preserve the original deleted interface on the orphaned rules, would suffice to fix this.

-7666

NAT+Proxy Reflection mode fails on port 443 due to nginx webConfigurator binding conflict (pfSense 25.07)

jiggier — Wed, 10 Dec 2025 07:12:50 GMT

Summary

NAT+Proxy mode for NAT Reflection on port forwards targeting port 443 no longer functions in pfSense 25.07. The root cause appears to be the webConfigurator's nginx instance binding to *:443 (all interfaces), which prevents xinetd from establishing the proxy listener for NAT reflection.

Environment

pfSense Version: 25.07.1
Hardware: Intel-based (Wildcat Point-LP)
Relevant packages: Nexus, pfBlockerNG-devel, ACME, Avahi, OpenVPN-client-export

Symptoms

External access (WAN) to port-forwarded services works correctly
Internal access (LAN hairpin/reflection) fails when NAT Reflection is set to "Enable (NAT + Proxy)"
TCP connections are accepted but TLS handshake hangs indefinitely
Switching to "Enable (Pure NAT)" immediately resolves the issue

Diagnostic Evidence

nginx (webConfigurator) is listening on all interfaces for port 443:

# sockstat -l4 | grep 443
root     nginx      40955 5   tcp4   *:443                 *:*
root     nginx      40662 5   tcp4   *:443                 *:*
root     nginx      40551 5   tcp4   *:443                 *:*

nginx configuration confirms binding to all interfaces:

# cat /var/etc/nginx-webConfigurator.conf | grep listen
        listen 443 ssl;
        listen [::]:443 ssl;
        listen 80;
        listen [::]:80;

xinetd logs show services being killed during reconfiguration:

Dec 10 02:30:39 pfs xinetd[34103]: Sending signal 9 to 19009-tcp server 39244
Dec 10 02:30:39 pfs xinetd[34103]: Sending signal 9 to 19009-tcp server 49600
Dec 10 02:30:39 pfs xinetd[34103]: service 19009-tcp deactivated
Dec 10 02:30:39 pfs xinetd[34103]: service 19010-tcp deactivated
Dec 10 02:30:39 pfs xinetd[34103]: Reconfigured: new=0 old=9 dropped=2 (services)

Steps to Reproduce

Configure a port forward: WAN 443 → internal host port 1443
Set NAT Reflection to "Enable (NAT + Proxy)" on the rule
From a LAN client, attempt to access the service via the WAN IP or external domain
Connection will hang after TCP handshake

Expected Behavior

NAT+Proxy reflection should work as it did in previous pfSense versions, allowing LAN clients to access port-forwarded services via the public IP.

Actual Behavior

xinetd cannot bind to port 443 for the reflection proxy because nginx (webConfigurator) already occupies *:443 on all interfaces. TCP connections are accepted by nginx but fail because nginx doesn't know how to handle the traffic.

Workaround

Use "Enable (Pure NAT)" instead of "Enable (NAT + Proxy)" for NAT Reflection. This works correctly and is arguably the better solution anyway, but the NAT+Proxy option should either work or be documented as incompatible with the default webConfigurator configuration.

Suggested Fix Options

Bind nginx/webConfigurator to specific interfaces (e.g., LAN only) rather than *:443
Add a GUI option under System → Advanced → Admin Access to configure webConfigurator interface binding
Document this limitation in the NAT+Proxy mode description
Have xinetd use alternative ports for reflection when 443 is occupied

Additional Notes

This appears to be a regression from the switch to nginx for the webConfigurator in pfSense 25.x. Previous versions using lighttpd may have had different binding behavior. The lack of a "Listen on interfaces" option in Admin Access settings means users cannot resolve this conflict without changing the webGUI port or using Pure NAT mode.

Updated tutorial for NAT66/NPt Your Private IPv6 similar to IPv4

millerwissen — Wed, 10 Dec 2025 01:58:53 GMT

@sysxtreme That's perfectly fine, I just mentioned in case the AI changed the context of your statements, you don't have to be good at something to make a difference either, your english is perfectly fine. Yes so one of the most fantastic use cases for NAT is translating a subnet to multiple subnets port forwarding and load balancing from the upstream/wans becomes a very easy task. You certainly do not get more than a single prefix usually the norm really is /48 /56 and they become /64 in some cases you may also only get the one /64 you will get but it's fine with NPt/NAT66 you don't even need more than a single IPv6 for most use cases let alone more than a single /64. I would not waste time trying to complain to your telecommunications agency about this because I would really not expect any government to have provisions for customers to get more than "what they need to be reasonably connected to the internet" in a very purposefully ambiguous language anyway which would allows the ISPs flexibility in how they want to connect their customers, most of the government really will not be able to understand the technical differences between deployment models and so they trust the ISPs to just 'make it work'. Yes you can use OSPF internally (technically also BGP) but the usual OSPF deployment consists of point to point links which facilitate inter-router communication and routing so if you have a complex network you can just route things internally via OSPF/BGP and have NAT66/NPt at the upper end. You can also Tier things: WAN ---NAT66 MIDDLE NET ---NAT66 --NAT66 --NAT66 --NAT66 LAN 1 LAN 2 LAN3 LAN4 In this example your LAN 2/3/4 can route to each other via OSPF point to point links without any need for NAT among them but the middle net cannot access them just a WAN wouldn't due to firewalling and the connectivity to the upstream remains due to NAT+GW in this case the WAN router. LAN 1 remains isolated without routes to 2/3/4 but can see anything you port forward to MIDDLE NET and upstream towards WAN. (you may need to disable reply-to and a few other tweaks for this to work but anyway it's just an example). It can be much much more complex than this but all internal subnets can remain within your local IPv6 ranges you don't even need /64 unless you're using that network for an actual LAN with RA/DHCPv6/SLAAC i personally use /96 more often than /64 because i just want the last 2 hextets anyway to match a /16 IPv4. You can also do NPt to your 'middle net' and from there NAT66 as needed you basically have an internal WAN also route traffic to different uplinks effectively increasing the overall internet speed available to you without causing any internal conflict and maintaining the internal routing structure. Unrelated to your question but to other people out there IPv6 can be either "just work" or better than "just work" it really is up to how much you're willing to spend on engineering and designing and it will pay dividend in the future. Hope it satisfied your curiosity.

NPt destination prefix UI confusing

mcfly9 — Mon, 24 Nov 2025 19:43:01 GMT

WAN/65 -> 41 network id (hex 41 = dec 65) WAN/10 -> 10 network id (hex 10 = dec 16) Typo in the above, I meant: WAN/65 -> 41 network id (hex 41 = dec 65) WAN/16 -> 10 network id (hex 10 = dec 16)

Triple firewall set-up. Accessing through aggregate firewall.

ASGR71 — Fri, 21 Nov 2025 11:52:50 GMT

Hey Guys, Cancel request, problem solved. Solved all with port forwarding.

Outbound ping problem to DNS Filter servers

SteveITS — Thu, 20 Nov 2025 20:10:42 GMT

@njc :) here’s a couple

ipsec vti with custom outbound nat bug?

gbogado — Mon, 17 Nov 2025 14:57:35 GMT

any help with this?