I can't seem to port forward my minecraft server

  • Hello!

    I just upgraded from a horrible Apple Airport Extreme router to a new pfSense router that I have running of my dell poweredge r310. I have everything working great, except that I cannot get my minecraft server to work. My setup is like this: Modem > PFSENSE (r310) > Switch > My PC, Minecraft Server, Ethereum Miner, etc.

    I know that it is something that I have configured wrong with pfSense (I'm a complete noob btw), as when I connect to from my PC, it works just fine. When I use canyouseeme.org, port 25565 is not open. In other posts I read, port 25565 was open for them.

    I'm a complete noob as I've already said, so if this info does not help, please ask me for more (I am happy to give it)

    My NAT has two rules:

    1. MinecraftUP
    Interface -  WAN
    Protocol - TCP/UDP
    Destination - WAN address
    Destination port range - 25565, 25565
    Redirect target IP -
    Redirect target port - 25565
    Description - MinecraftUP
    No XMLRPC Sync - (Unchecked)
    NAT Reflection - System defaults
    Filter rule association - Pass

    2. MinecraftDOWN
    Interface - WAN
    Protocol - TCP/UDP
    Destination - WAN Address
    Destination Port Range - 25565, 25565
    Redirect target IP -
    Redirect target port - 25565
    Description - MinecraftDOWN
    No XMLRPC Sync - (Unchecked)
    NAT Reflection - System defaults
    Filter rule association - Pass

    The only reason I have two is because I did not know which "add" button to use. The one labeled "MinecraftUP" was made with the up arrow add button, and vise versa.

    Thanks so much for reading this!!!
    Any help is much appreciated!!!

  • LAYER 8 Netgate

    Those are just shortcuts to create a rule at the top or the bottom of the rule set. You only need one.

    The first rule (top down) that matches the traffic prevails.

    List of things to check here:


  • Okay, thanks. I read through the page. I am still totally confused though.

    1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?)

    • I don't know how I would check this… I have no clue what I'm doing

    2. Firewall enabled on client machine

    • I already made a rule in Server Manager for port 25565. It worked with my apple router

    3. Client machine is not using pfSense as its default gateway

    • I have no clue how I would check this

    4. Client machine not actually listening on the port being forwarded

    • I have no clue how I would check this either

    5. ISP or something upstream of pfSense is blocking the port being forwarded

    • I don't think that this is the case, but again, I have no clue how I would check this

    6. Trying to test from inside the local network, need to test from an outside machine

    • I can't connect, and I haven't tried with friends. When I use a port checker, however, it says that the port is closed.

    7. Incorrect or missing Virtual IP configuration for additional public IP addresses

    • I have no clue what this means, nor do I know how to check this

    8. The pfSense router is not the border router. If there is something else between pfSense and the ISP, the port forwards and associated rules must be replicated there.

    • I don't fully understand this. I have the this: Modem > PFSENSE Router > Switch > Server

    9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be added both to and from the server's IP in order for a port forward to work behind a Captive Portal.

    • I don't know how to do this, and I have no clue how I would check that

    10. If this is on a WAN that is not the default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.

    • I have no clue what this means, and I have no clue how to check it. When I type ipconfig in powershell, is the default gateway, so I don't think that this is the problem.

    11. If this is on a WAN that is not the default gateway, ensure the traffic for the port forward is NOT passed in via Floating Rules or an Interface Group. Only rules present on the WAN's interface tab under Firewall Rules will have the reply-to keyword to ensure the traffic responds properly via the expected gateway.

    • I don't know what Floating Rules or Interface Groups are, nor have I used them

    12. If this is on a WAN that is not the default gateway, make sure the firewall rule(s) allowing the traffic in do not have the box checked to disable reply-to.

    • I'm pretty sure at this point that the WAN is my default gateway

    13. If this is on a WAN that is not the default gateway, make sure the master reply-to disable switch is not checked under System > Advanced, on the Firewall/NAT tab.

    • I really don't think this is the problem, and I don't want to mess up the router any further by playing with these settings

    14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.

    • I have no clue where I would even set a gateway in the rule. I don't think that this is the problem

    15. If the traffic appears to be forwarding in to an unexpected device, it may be happening due to UPnP. Check Status > UPnP to see if an internal service has configured a port forward unexpectedly. If so, disable UPnP on either that device or on the firewall.

    • It's not forwarding anything, so this is definitely not the problem

    Okay, so basically, I have no clue what I'm doing. I don't really understand 1, 4, 5, 7, 8, 9, 10, 11, 13, or 14. I'm a complete noob, as I've said earlier.

    Any help would be SO much appreciated.
    Thanks for your help so far as well.

  • LAYER 8 Netgate

    What are the first two numbers in your IPv4 Address on WAN in Status > Interfaces? If it says, I'mm looking for 209.221.X.X

    Delete everything you have done. All pertinent rules in Firewall > NAT, Port Forwards and in Firewall > Rules, WAN

    Do this in Firewall > NAT, Port Forwards:

    Interface -  WAN
    Protocol - TCP/UDP TCP
    Destination - WAN address
    Destination port range - 25565, 25565
    Redirect target IP -
    Redirect target port - 25565
    Description - Minecraft
    No XMLRPC Sync - (Unchecked)
    NAT Reflection - System defaults
    Filter rule association - Pass Add associated filter rule

    As far as I know, Minecraft is TCP-Only.

    There really isn't anything else to do. You are going to have to learn all of those things in the list one by one until you fix it if that doesn't work. Nobody else can do it for you.

  • Okay, my WAN IPv4 Address is 192.168.x.x. If you wanted my IP address, its 67.254.x.x. I didn't see my public IP address anywhere on the page. Is this a problem? I did notice, however, that my default gateway is not the same IP address as the WAN ipv4 address. Is this a problem?

    Also, I made the edits that you said, but I'm 99% sure that Minecraft uses TCP and UDP. I made one port forward for MinecraftTCP and one for MinecraftUDP. Will that effect anything?

    By the way, the Redirect target IP is the IP address of the PC running the minecraft server, right?

    Thanks so much for your help so far!

  • LAYER 8 Netgate

    Something upstream is forwarding traffic to pfSense. Some mechanism for forwarding the traffic from there to pfSense will need to be done.

    #5 and/or 8 on the prior list.

    What is your pfSense WAN connected to?

  • As Derelict said - seems like your modem is not in bridge mode if you're getting a private IP address on your WAN interface.  If you're getting anything that's 192.168./16, 172.16./12 or 10./8 on WAN interface then you're double NAT'd behind pfSense.

    Solve the upstream first, then start working on pfSense.  There are a bunch of tutorials online to put your modem in bridge mode.

  • Sorry, I forgot to mention this. I do not have a wifi card installed on my pfsense box, so I have the modem not bridged because I need the wifi from it. I still have my Apple Airport Extreme router. Could I use this to have wifi? In other words, could I somehow bridge my modem, have the modem > pfsense box > switch > airport router? Would I be able to get wifi off that? Do I need to bridge the modem and get a wifi card for my pfsense box? If I don't bridge the modem, will it effect anything else?


  • LAYER 8 Netgate

    Good luck. Put your wireless behind pfSense. If you can't do it with the ISP modem do it with something else.

  • Bridged Modem > pfSense > Switch > Access Point, Servers, etc

    Port forwards will never work how you have it currently set up.  Gotta fix those issues first.

    Using an existing router (like an AirPort) as an access point is possible, but not really recommended.  I'd go so far as to say that installing a wireless card in pfSense is a bad idea.  Either way, these have to be behind pfSense.  You can't use your Modem as your access point.

    This has deviated a bit off topic from firewalling, so I'd suggest opening a new thread in hardware if you need more advice on what devices to use for wifi. (Short answer - get an access point)

  • Okay, thanks so much to everyone who has contributed in this thread!

  • Hey guys, I know I said that I moved this thread, but I think it's still relevant to firewalling now. I have unbridged my modem successfully, and I'm just gonna buy a powerline adapter.

    The problem is as follows: when I use a port checker, it says that port 25565 is open. When I try to connect via minecraft, I can't connect. When I try connecting to, it works just fine.

    I have not yet asked a friend to connect to the server, so I do not know if people outside of my network can connect.

    Any help would be so much appreciated!

    (sorry again for kinda re-opening this thread)

  • LAYER 8 Netgate

    #6 on the list.

    If you want to use it from the inside on the outside IP address you need to enable NAT reflection.

Log in to reply