NAT Port Forwarding WAN ( to LAN (

  • Hi everyone!

    I'm trying to use pfSense v2.4 as a firewall/router to route WAN (  to LAN ( but after several tries I can't seem to get it running.
    Is it because I'm using a private IP block for the WAN interface?

    My setup is as follows:

    1. pfSense:
        WAN interface -
        Virtual IP -
        LAN interface -

    2. WebServer:
        LAN interface -

    3. Workstation:
        LAN interface -

    from the workstation, I need to access and pfSense will NAT it to

    I have created a NAT (Firewall->NAT->Port Forwarding) as follows:

    Interface : WAN
    Protocol : TCP
    Destination : single host     
    Address :
    Destination Port  Range (From) : 80
    Redirect Target IP :
    Redirect target port : 80
    Filter Rule association : Add associated filter rule

    Thanks in advance!

  • LAYER 8 Global Moderator

    did you remove the block private on the wan setting?

  • yes, unchecked the "Block private networks and loopback addresses" and "Block bogon networks" from the WAN and LAN Interfaces.

  • I'm not sure what I am missing.
    Do I need to add more NAT rules?

  • LAYER 8 Global Moderator

    Your port forward is wrong… If you would have just posted a screenshot I would have spotted it instantly..

    Your dest should be the VIP you created.. It would be listed in the drop down..  What type of VIP did you create?

    Also, did you pick custom for 80 and do just the first part of the range? Why would you not just pick HTTP from the drop down?

    When it created the rule on WAN.. Is there any rule above that would block it?  If you're having trouble port forwarding go through the doc - pretty much every mistake someone could make is listed there and how to troubleshoot to find the exact reason for the problem.

    The big other question I have is why are you natting between rfc1918 anyway?

  • btw, I forgot to acknowledge your prompt reply and willingness to help from my previous replies.

    So, Thanks a lot!

    I will post the screenshots as soon as I get them.

    The main reason for natting RFC1918 is to protect/isolate the Windows Servers (Terminal and IIS) from consistent virus infections in spite of having the firewall activated.
    It is the fastest and only option for now.

    IP Alias is the VIP.
    Picked HTTP from dropdown list and did not type 80 in the custom field.

  • LAYER 8 Global Moderator

    That has ZERO to do with NAT.. ZERO.. You can firewall between your other networks with pfsense - there just is no reason to NAT it..

    Now you do not need to port forward.. just allow the firewall.. But my guess is you would also have asymmetrical routing problems..  How do you have pfsense and the "servers" behind it connected to the rest of your network.  pfsense is not on a transit network to the rest of your network, etc.  is it?  My guess would be no.. Or you wouldn't be trying to nat from rfc1918 to rfc1918

    If you used pfsense as your router/firewall for all your networks and just hang your networks off interfaces of pfsense none of this is a problem since you do not nat between your local networks.  You do not run into asymmetrical routing problems, you do not have to "port forward" for local stuff to talk to local stuff.  etc. etc..

    Draw up your network and we can discuss how to make it better and more secure..

  • Pls find the screenshots of the pfSense config.

    Sorry for attaching the images.
    Not yet familiar with how to paste the image in the message body.

    To follow is the network diagram.

    ![Static IPv4 Configuraton-WAN.PNG](/public/imported_attachments/1/Static IPv4 Configuraton-WAN.PNG)
    ![Static Ipv4 Configuration-LAN.PNG](/public/imported_attachments/1/Static Ipv4 Configuration-LAN.PNG)
    ![Firewall-Virtual IPs.PNG](/public/imported_attachments/1/Firewall-Virtual IPs.PNG)
    ![Networ Address Translaton.PNG](/public/imported_attachments/1/Networ Address Translaton.PNG)

    ![Firewall-NAT-Port Forward-Edit.png](/public/imported_attachments/1/Firewall-NAT-Port Forward-Edit.png)
    ![Firewall-Rules-Port Forward.PNG](/public/imported_attachments/1/Firewall-Rules-Port Forward.PNG)

  • LAYER 8 Global Moderator

    Dude you have a rule on your wan that is ANY ANY…  WTF dude???


    You have a /16 on your wan?  Why??

    Why does your vip have  /32 mask if your network is /16?

    Why does your wan not have any gateway?  If your wan has no gateway... is nat even on?  Post your outbound nat tab.  What IP are you trying to hit this VIP ip you created from?

    Why do you have Pure Nat selected for nat reflection.. Do you really want/need Nat reflection?  Are devices on the 192.168.1 network going to hit the WAN IP to get reflected back in to the 192.168.1 network via port forward?

    Where is this drawing I do not see it... But so far this just looks completely borked!
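
An added example, not part of the thread and not pfSense's own code: a small Python model of the evaluation order the moderator's questions turn on (port forward translation first, then first-match WAN rules with a default block), showing what an any-any pass rule on WAN does to the isolation the poster is after. All addresses and the rule dictionaries are constructed for illustration.

```python
import ipaddress

# Constructed addresses: the thread's real ones are not on the page.
VIP, WEB, WORKSTATION = "10.10.0.80", "192.168.1.10", "10.10.5.20"
# Port forward as the moderator describes it: destination is the WAN-side VIP.
PORT_FORWARDS = [{"proto": "tcp", "dest": VIP, "dport": 80, "target": WEB, "tport": 80}]
ANY_ANY = {"action": "pass", "proto": "any", "src": "any", "dst": "any", "dport": None}
ASSOCIATED = {"action": "pass", "proto": "tcp", "src": "any", "dst": WEB, "dport": 80}

def translate(pkt, forwards):
    """Rewrite the destination if a port forward matches; NAT runs before filtering."""
    for f in forwards:
        if (pkt["proto"], pkt["dst"], pkt["dport"]) == (f["proto"], f["dest"], f["dport"]):
            return {**pkt, "dst": f["target"], "dport": f["tport"]}
    return pkt

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def filter_wan(pkt, rules):
    """First matching rule wins; a packet matching no rule is blocked by default."""
    for r in rules:
        if (r["proto"] in ("any", pkt["proto"])
                and addr_match(r["src"], pkt["src"])
                and addr_match(r["dst"], pkt["dst"])
                and r["dport"] in (None, pkt["dport"])):
            return r["action"]
    return "block"

def verdict(pkt, rules, forwards=PORT_FORWARDS):
    return filter_wan(translate(pkt, forwards), rules)

def overly_broad(rules):
    """Return pass rules that match any protocol, source, destination and port."""
    return [r for r in rules if r["action"] == "pass"
            and (r["proto"], r["src"], r["dst"], r["dport"]) == ("any", "any", "any", None)]

http_via_vip = {"proto": "tcp", "src": WORKSTATION, "dst": VIP, "dport": 80}
rdp_to_server = {"proto": "tcp", "src": WORKSTATION, "dst": WEB, "dport": 3389}

if __name__ == "__main__":
    for name, rules in (("associated rule only", [ASSOCIATED]),
                        ("any-any above it", [ANY_ANY, ASSOCIATED])):
        print(name, verdict(http_via_vip, rules), verdict(rdp_to_server, rules),
              len(overly_broad(rules)))
```

With only the associated filter rule, HTTP to the VIP is forwarded and passed while everything else to the server falls through to the default block; with the any-any rule above it, every packet is passed before the narrower rule is ever consulted.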
