Setting up Port Forwarding for Minecraft Server on pfSense

Papa_Dragon · Jun 5, 2023, 7:55 AM

Hello pfSense community!

I'm seeking assistance with configuring port forwarding on my pfSense router for my Minecraft server. Here's a summary of my setup:

My PC has a local IP address of 198.168.0.xxx.
I need to forward TCP and UDP connections on port 25565 to my PC.
I've already allowed incoming and outgoing connections on port 25565 in the Windows Defender firewall.
Here are the steps I've taken in pfSense:

Logged in to the pfSense web interface.

Navigated to Firewall > NAT > Port Forward.

Created a port forwarding rule as follows:

For TCP/UDP

Interface: WAN
Protocol: TCP/UDP
Source: Single host or alias > Type: WAN Address > Address/mask: leave blank
Source port range: From port 25565, To port 25565
Destination: WAN address
Destination port range: From port 25565, To port 25565
Redirect target IP: 198.168.0.xxx
Redirect target port: Port 25565
Description: Minecraft TCP/UDP
NAT reflection: Use system default
Filter rule association: None
I've also gone as far as to create a rule for WAN. still nothing. I kindly request the community's review of my configuration. If I have overlooked any steps or if there are additional measures I need to take for the correct port forwarding setup for my Minecraft server, please let me know.

Thank you for your support!

SteveITS · Jun 5, 2023, 4:25 PM

@Papa_Dragon Source ports on the Internet are randomized…change your Source to Any.

Papa_Dragon · Jun 5, 2023, 4:25 PM

@SteveITS is everything else looking okay? Cause i tried just swapping the ports and i get nothing. the server is running off my PC not my actual server/homelab

SteveITS · Jun 5, 2023, 4:32 PM

@Papa_Dragon I'm not clear what you swapped...the Source port should be any port.

https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forward-settings
"Unless the service absolutely requires a specific source port, the Source Port Range must be left as any since nearly all clients will use randomized source ports."

Also see https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html. Note the PC's firewall must allow connections from the Internet.

Redirect target IP: 198.168.0.xxx
...might be a typo but 198.168.x.x is not a private IP rang.e

Papa_Dragon · Jun 5, 2023, 5:53 PM

@SteveITS

perfect!! i got working. i just had to delete the old one and created a new one
this is what i did

Disable: Leave this unchecked (enabled).
No RDR (NOT): Leave this unchecked.
Interface: Select "WAN" from the dropdown menu.
Address Family: Select "IPv4" from the dropdown menu.
Protocol: Select "TCP/UDP" from the dropdown menu.
Source: Leave it as "any source."
Destination: Select "WAN address" from the dropdown menu.
Destination port range: Enter "25565" in the "From port" box, and leave the "To port" box blank.
Redirect target IP: Enter your local PC's IP address (e.g., 198.168.0.xxx).
Redirect target port: Enter "25565."
Description: Add a short description to help you identify the port forward rule.

also the 198.168.0.xxx is infact my IP address range, i just didn't want to post it. thanks for the helop

SteveITS · Jun 5, 2023, 5:59 PM

@Papa_Dragon Glad it's working.

One wouldn't normally need a NAT forward for a public IP range though... if you're not at Gwynedd Mercy College that'll technically work behind NAT but devices on LAN won't be able to connect to the actual Gwynedd Mercy College subnet.

Papa_Dragon · Jun 5, 2023, 7:18 PM

@SteveITS im in Alberta Canada, so i have no idea what IP address that is. lol. i just pulled one from my head...

SteveITS · Jun 6, 2023, 2:41 PM

@Papa_Dragon
https://www.rfc-editor.org/rfc/rfc1918

FWIW I have also seen the occasional program that detects whether or not it's on a private IP range and changes its behavior accordingly. Or, private networks are allowed by default, public are not, etc.

patrickkhail

Thanks for sharing the configuration details!
I encountered a similar situation when opening ports for Minecraft on pfSense. In addition to the steps you did, you can try checking:

Firewall Rule: Make sure the rules for WAN are applied correctly.

NAT Reflection: Sometimes enabling NAT Reflection can help in internal testing.

Check ISP: Some carriers block port 25565, you may need to change the port to test.

pfSense Log: Check the log to determine if the request has reached the router.

Does anyone in the community have any tips to help make the configuration more stable?