port forwarding router behind pf sense



  • My current setup

    Hi, I'm new to pfsense and I'm a newbie in networking, and I was wondering how to port forward to host a website on my server in this current setup (see the picture above). I read somewhere that I have to create a DMZ, but for that I would need another LAN adapter on my pfsense machine, which I don't have. Is there any other way?

    Thank you in advance



  • Hi,

    If you want to keep that router between your server and pfSense, then you have to add a NAT rule in that router.
    No need to use a DMZ anywhere.

    Thus, for example, if your port to NAT is XX:
    A NAT rule for pfSense : From (source) any : port "XX" to destination 10.0.0.10 port "XX".
    A NAT rule for the router : From (source) any : port "XX" to destination 172.168.0.2 port "XX".

    Most of us have a router in front of pfSense because "pure modems" are not available from the ISP. It's pretty much the same situation.

    Edit: what about swapping that router for a smart switch (VLAN capable)?
    With such a switch you can 'run' multiple LANs on a single NIC. Just create a separate LAN (== VLAN) for your server. Add adequate rules on every LAN. That's what you call a DMZ.
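
The two-rule chain from the reply above, modelled as an added example (not part of the original post and not pfSense's own code): it traces an inbound port through both NAT hops and reports where the chain breaks. The hop layout, port 443 standing in for "XX", and the private-address check are assumptions of this example.

```python
import ipaddress

# Constructed model of the thread's topology (the diagram is not on the page).
# Assumptions: the inner router's outside address is 10.0.0.10, the server is
# 172.168.0.2, and port 443 stands in for the "XX" placeholder in the post.
HOPS = [
    {"name": "pfSense", "forwards": {443: ("10.0.0.10", 443)}},
    {"name": "router", "outside_ip": "10.0.0.10",
     "forwards": {443: ("172.168.0.2", 443)}},
]
SERVER_IP = "172.168.0.2"


def trace(hops, server_ip, port):
    """Follow an inbound connection through each NAT hop.

    Returns (reached, path, warnings): reached is True only if every hop has a
    rule for the port and each rule points at the next device in the chain.
    """
    path, warnings = [], []
    for i, hop in enumerate(hops):
        rule = hop["forwards"].get(port)
        if rule is None:
            path.append(f"{hop['name']}: no forward for port {port}, dropped")
            return False, path, warnings
        dest_ip, dest_port = rule
        path.append(f"{hop['name']}: port {port} -> {dest_ip}:{dest_port}")
        # Inside addresses should come from private space; anything else is
        # someone else's routable range and worth reviewing.
        if not ipaddress.ip_address(dest_ip).is_private:
            warnings.append(f"{hop['name']}: {dest_ip} is not a private address")
        next_ip = hops[i + 1]["outside_ip"] if i + 1 < len(hops) else server_ip
        if dest_ip != next_ip:
            path.append(f"{hop['name']}: target is not the next device ({next_ip})")
            return False, path, warnings
        port = dest_port
    return True, path, warnings


if __name__ == "__main__":
    reached, path, warnings = trace(HOPS, SERVER_IP, 443)
    print("reached server:", reached)
    for line in path + warnings:
        print(" ", line)
```

Removing either hop's rule from `HOPS` makes `trace` stop at that device, which is the usual symptom when only one of the two forwards has been created.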



  • Hi Gertjan,

    Thank you for your quick reply; you gave me a lot to think about. The reason I put the router there is because I also want WiFi access behind the firewall. But now I kind of like your idea of putting the server in another VLAN, so I might look into getting a smart switch like you said. But then again, I want to have access to WiFi behind that pfsense, so what should I do? Put the router in bridge mode, then connect that smart switch to that router?

    And I got another question about the router in front of pfsense. Is that why every time I reboot pfsense I need to reboot the modem to have a WAN IP? I don't know what a pure modem is.


  • LAYER 8 Global Moderator

    @Noobit said in port forwarding router behind pf sense:

    I want to have access to WiFi behind that pfsense, so what should I do? Put the router in bridge mode, then connect that smart switch to that router?

    To use a wifi router as just an access point (provide wifi to the network it's connected to) you do not need to put it in bridge mode. Just turn off its DHCP server. Set its LAN IP to be on the network you're going to connect it to. In your case, for example, the 10.0.0.10/24 address would work.

    Then just using one of the wifi router's "lan" ports, connect it to your network. Now anything on the router's wifi or connected to another one of the router's LAN ports will be on your 10.0.0/24 network - get DHCP from pfsense.

    You can then port forward on pfsense to a server on the 10.0.0/24 network, be it wifi or wired.

    That being said, sure, if you're wanting to open up stuff to the public, it's better to maybe isolate that device from the rest of your network. This can be done with another interface on pfsense, or sure, a smart switch and VLANs.

    If you're wanting to create different wireless networks - then the wifi router needs to support that; most SOHO wifi routers do not - at least not with native firmware. You could try using 3rd party firmware like ddwrt or openwrt, if your router is supported, to allow for VLANs.

    Better solution would be to get a real AP that supports VLANs, and then yes, a smart switch that supports them as well.



  • Hi Gertjan,
    Just wanted to let you know that I tried the NAT rules like you said and it worked perfectly now. I was making a huge mistake while creating rules in pfsense, but now I understand. I learned a lot today, so I'm very happy right now. So thank you very much for your help. The next step will be to buy myself a smart switch like you said and put my server in another VLAN, so I might have another question soon :)

