Port forwarding – again!



  • I have read many how-to's, walk-thrus and videos on the web. I have tried all of them and I cannot get port forwarding on my non-LAN interfaces I am hoping someone can pin the ah-ha moment for me…..

    pfsense is a standalone 4 NIC box. WAN, LAN (192.168.1.1), Opt1(x.x.2.1), Opt2(x.x.3.1) with a physical nic on each with DHCP on all (internet on all are working)

    I want to port forward 9987 to 192.168.2.51 (static) on Opt1.

    I created NAT rule,  it auto created an entry in Firewall\Rules
    Nat Rule is
    WAN, UDP, *, *,WAN Address, 9987, 192.168.2.51, 9987, Teamspeak

    I have tried Nat Reflection on the rule (both Pure and proxy) and I can only connect using None and the internal IP

    I tried a couple of variations of the rules and I am feeling that there need a rule in Opt1 not just in WAN, so I did and it still not working. I know its somewhere in the syntax.

    I also have friends trying to connect with my External IP address and FQN and since this is a UDP port I cannot use Web Port checkers like
    http://www.canyouseeme.org/


  • LAYER 8 Netgate



  • Thanks derelict.

    I currently have the nat forwarding to the pc which seems wrong. Is it suppose to be wan open to opt1 gateway then on opt1 forward pc to gateway?

    Or is there a way to just make opt1 totally bypass the firewall and make it totally dmz. I know this is two different questions. But related,in my case this interface really can be exposed and not firewall at all, it only has a gaming server.

    I was going port forwarding approach as it seemed easier.


  • LAYER 8 Global Moderator

    " and I am feeling that there need a rule in Opt1 not just in WAN,"

    Huh… Rules are evaluated on the interface where it first enters the firewall.. So if I am on the public internet - what interface would I first hit?  Wan would be the correct answer..  So your telling pfsense hey you see traffic to your wan IP, udp port xyz - send it to this guy..

    The return traffic will be taken care of by the state that pfsense would create when it allows the traffic and forwards it.



  • Thank you , that is what I expected but thought it was not working, I am now realizing debugging is totally different without Nat Reflection or a separate device (iphone) doing testing. I was using the Nat reflection on the rule level and it seems it does not work for me, once I used the global setting all was working.  I got the FTP working per the instructions and now port 9987 for Teamspeak.

    This has been a little hard for me, I just migrated off Smoothwall (which I was on for 4 years)  :'( and its totally different structure. I do like Pfsense as it really has so much more capability that I am going to need for a work/fun lab.

    I appreciate everyone's input, instruction pointing and logic setting. Last parting question or suggestion, does leaving  Global Nat PURE, on all the time, cause any issues, or is it really for testing purposes?


Log in to reply