Webserver not accessible via WAN, pfsense behind fritzbox

  • Hi,
    I'm fairly new to pfsense and currently setting up my SG-3100.
    I have a small rPI4 running on the OPT1 port with a small nginx server. Additionally, I use a fritzbox as modem and have configured the SG-3100 as exposed host. Fritzbox and pfsense have different subnets.

    The nginx server should be accessible on port 80 from the Internet.
    So far, I have configured my firewall rules so that I can access the nginx server from my LAN and also that I can perform ping and nslookup from the rPI to the WAN, which works fine. I tried to configure the NAT rules to translate from the incoming WAN to my OPT1 network which does not work as the nginx server is not accessible via the Internet.
    These are my NAT rules:
    The related firewall rule was generated automatically:
    I'm trying to access the server from my smartphone, which is connected via mobile internet, using the public IP of my home network, as dynDNS is not configured yet.

    My main problem is that I do not have a clue how to continue the investigation into what might be wrong. I hope that you can point me in a direction on what to check and what might be set up the wrong way.


    Can someone explain to me how to upload pictures? I tried with .jpg and .png. Both did not work, so I uploaded the screenshots to imgur ...

  • @renpen
    The NAT rule on WAN must have "WAN address" as destination.

  • Hell yeah ... , simple as that. Thanks a lot!
    Although I do not quite understand why.
    The destination network is OPT1 as the server is running there. I want the traffic to be translated from WAN to OPT1. Why is it WAN, can you elaborate on that? Probably I got a concept wrong here?

  • @renpen
    That's a NAT rule.
    pfSense analyzes the incoming packets. Each has a source IP and a destination IP in its header. In a NAT rule you instruct pfSense to forward a packet to a specific host behind it if it has a specific destination IP.
    Now, you address your access to your public WAN IP. The FB forwards it to the pfSense WAN IP (it rewrites the destination IP). So the destination IP pfSense sees is the WAN address.
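
The packet path described in the last reply, as an added example that is not part of the original thread: a small Python model of the two NAT hops (Fritzbox exposed host, then the pfSense port forward) showing why a rule matching "OPT1 net" never fires while one matching "WAN address" does. All IP addresses and the names `PortForward`, `fritzbox_exposed_host` and `trace` are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# All addresses are constructed for illustration; none come from the thread.
PUBLIC_IP = ip_address("203.0.113.10")      # public address on the Fritzbox
PFSENSE_WAN = ip_address("192.168.178.2")   # pfSense WAN, inside the Fritzbox subnet
OPT1_NET = ip_network("10.0.20.0/24")       # network behind the pfSense OPT1 port
NGINX = ip_address("10.0.20.10")            # web server on OPT1

@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    dport: int

@dataclass(frozen=True)
class PortForward:
    match_dst: object    # network the rule's "Destination" field matches
    match_port: int
    target: object       # host the packet is redirected to

    def apply(self, pkt):
        """Return the rewritten packet, or None if the rule does not match."""
        if pkt.dst in self.match_dst and pkt.dport == self.match_port:
            return replace(pkt, dst=self.target)
        return None

def fritzbox_exposed_host(pkt):
    """Exposed host: traffic to the public IP is re-addressed to pfSense WAN."""
    return replace(pkt, dst=PFSENSE_WAN) if pkt.dst == PUBLIC_IP else pkt

def trace(rule):
    """Follow a port-80 request from the Internet through both NAT hops."""
    from_phone = Packet(ip_address("198.51.100.7"), PUBLIC_IP, 80)
    at_pfsense_wan = fritzbox_exposed_host(from_phone)
    return at_pfsense_wan, rule.apply(at_pfsense_wan)

# Destination = "OPT1 net": no packet arriving on WAN ever carries that address.
wrong = PortForward(OPT1_NET, 80, NGINX)
# Destination = "WAN address": exactly what the Fritzbox rewrote the packet to.
right = PortForward(ip_network(f"{PFSENSE_WAN}/32"), 80, NGINX)

if __name__ == "__main__":
    for name, rule in (("OPT1 net", wrong), ("WAN address", right)):
        seen, out = trace(rule)
        result = f"forwarded to {out.dst}" if out else "no match, not forwarded"
        print(f"rule destination={name}: pfSense sees dst={seen.dst} -> {result}")
```

The destination field of a port forward describes the packet as it arrives on the interface, before translation; the redirect target is where the OPT1 address belongs.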
