NAT question

  • I have a small office LAN with a few clients and a server on It is connected to the LAN port of the pfsense ( The WAN-port of the pfsense ( is connected to an internet access gateway (VDSL-router on WAN address space is On the WAN side of the pfsense there is a webserver (, that is accessible by all clients on the LAN side, but, for security reasons, has no access to the LAN side. At the moment this works fine. However, I'm planning a change to the configuration that will have the effect that the LAN clients cannot access the WAN network segment ( any more.
    Now my question: is it possible to create a virtual IP in the pfsense, let's say, that is directly forwarded to the webserver on WAN side, so that I can reach it by in the future (instead of from clients that are located within my LAN segment?
    If anybody knows a solution, please help!

  • LAYER 8 Global Moderator

    Why would you do that? Why not just allow the lan clients access to on 443?

  • Dear johnpoz, what you suggest is the situation at the moment. It works fine. However, for a quite complicated reason, it would be desirable to have access to the webserver outside the LAN by using an IP-address within the LAN address space.

  • Also wondering what you try to achieve with that.
    However, yes, it is doable. Add as an "IP alias" (Firewall > Virtual IPs) to the LAN interface, then add a NAT rule to forward that IP to the webserver.

  • @Viragomann: Thanks for the good news that this is possible. Now I tried a lot, but was not successful yet. When creating a VIP of type "IP alias" ( for the LAN interface, I end up at the administrative surface of the pfSense, when connecting to this port. So I tried a VIP of "other" type. On the NAT mapping page, it is not clear to me, which kind of NAT mapping I should choose: "port forwarding", "1:1", "outbound" or "NPt", could you help me a step further?

  • So you use port 443 for the pfSense Web interface?
    You may change the port in System > Advanced > Admin Access.
    Also you should check "Disable webConfigurator redirect rule".

  • LAYER 8 Netgate

    Put the IP Alias VIP on LAN.

    Put a port forward on LAN forwarding connections to the VIP:443 to the Web Server:443.

    That will override the connection to the WebGUI. You will still get the web gui on the LAN address:443
