NAT fails when Captive Portal is enabled
I spent hours in bewilderment trying to find out why I just couldn't get a simple port forward to work, before I stumbled upon this ticket: http://cvstrac.pfsense.com/tktview?tn=1565
Turns out that you must add both a MAC and an IP passthrough in the Captive portal for the servers you are forwarding ports to. Otherwise the forwarded traffic simply will not go out of the pfsense box.
I think it would be a good idea if the Pfsense GUI gave some kind of warning about this. Just a comment on the Captive portal page would help. Even better would be a warning when pfsense detects that you have enabled both the Captive portal and NAT forwarding.
Actually, the problem is worse: apart from the server, it seems I also need to provide the IPs of the clients in the "allowed IP addresses" table for the port forwarding to work so that the clients on the lan side can access the server.
This would be a security risk however, as IP addresses can obviously be changed very easily on clients: connect once with a valid login through the captive portal, then use the assigned IP in the future without needing to login.
Thanks for that, this was driving me nuts. There was one machine which intermittently allowed inbound connections. I could see no difference in the rules applied to it vs other machines. Turned out it was allowed through the captive portal by MAC address whereas the others were being let through via IP. Added an IP rule and everything's fine.