Port forwarding to clients of pfSense Remote Access Server

  • Hello,

    I have pfSense as OpenVPN Remote Access Server with interfaces WAN, LAN (, OPT1 (openvpn). OpenVPN tunnel network is

    OpenVPN clients connect fine and they can see each other (and connect to each others ports), testing ports from pfSense to OpenVPN clients works. All client traffic is routed through pfSense. But I cannot forwards ports from WAN to OpenVPN clients.

    For example for OpenVPN Client with IP, what I tried is (not all at once but as separate cases):

    • added port forwarding, WAN:2020 to with rule option PASS
    • added port forwarding, WAN:2020 to with rule option Add associated firewall rule
    • added port forwarding, WAN:2020 to without rule and added pass rule for WAN:2020 in firewall

    Other OpenVPN clients and pfSense can connect to, telnet to WAN:2020 did not get through in any of aforementioned cases.

    So, what's the trick? :)


  • Check if pfSense has added an outbound NAT rule for the OVPN subnet to WAN interface, if you use automatic outbound rule generation. If you use manual you have to add the rule manually, off course.

    Also ensure that the clients software firewall doesn't block the access from unknown subnets.

  • Yes, pfSense added NAT rule for OVPN subnet to WAN interface.

    Clients firewall allows traffic from OVPN tunnel network and pfSense LAN. For example port test from pfSense to clients SSH port is working.

    Here are NAT rules that are now in place and firewall rules.

  • Okay, I see one additional possible reason for this behaviour: the client uses another upstream gateway. So requests come through the vpn to the client, but responses are sent to its default gateway and will be blocked there.
    You can resolve this either by checking "Redirect gateway" in the server settings to direct the whole client traffic over the vpn (you can also do this just for this one client with client specific overrides) or you do outbound NAT for the traffic forwarded to this client and translate the source address to the interface IP. The latter has the disadvantage that the client doesn't see the original IP address.

Log in to reply