NAT rules for letting 80/443 pass to server on LAN
-
Hey all!
This is what I am always struggling with, opening the ports.
My LAN is 10.1.1.0/24. On the inside I have a server on IP 10.1.1.10. There I have a Traefik reverse proxy installed; all seems good with that one. The question is whether I have made the two pass-through rules correctly.
I made them under NAT.
I have incoming to WAN, IPv4, TCP, Source to ANY port range set to 80 and 443.
Destination is set to LAN Address, 80 or 443. Redirect target IP is set to Address or Alias 10.1.1.10. When I try to reach a service from the outside, using my phone on 5G, nothing happens; it just sits there trying to reach the service, which to me says: firewall rules!
-
@swemattias The "source" port for Internet traffic is normally a random port. They would be connecting to port 80/443.
Destination is WAN address, your public IP.
https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#example-port-forward-rule-for-http-tcp-80
-
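To make the source-port point concrete, here is an added example (not code from the thread, the pfSense docs or pf itself) that models how a stateful filter matches the first packet of an inbound connection against a port-forward rule with the fields the pfSense form exposes. The WAN address 203.0.113.10 and LAN address 10.1.1.1 are assumed; the client SYNs are constructed with random high source ports, which is what a client OS actually does.

```python
"""Why a port forward with a pinned source port never matches.

Added example; not from pfSense, pf or the thread. Models 5-tuple matching
of an inbound SYN against a port-forward rule. Addresses are assumed:
WAN 203.0.113.10 (documentation range), LAN 10.1.1.1, target 10.1.1.10.
"""
import random
from dataclasses import dataclass

WAN_ADDRESS = "203.0.113.10"   # assumed public IP on the WAN interface
LAN_ADDRESS = "10.1.1.1"       # assumed pfSense LAN interface address
TARGET = "10.1.1.10"           # the Traefik host named in the question


def parse_ports(spec):
    """'any' -> (1, 65535); '80' -> (80, 80); '80-443' -> (80, 443)."""
    if spec == "any":
        return (1, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi) if hi else int(lo))


@dataclass(frozen=True)
class Rule:
    src_addr: str    # "any" or a single IP
    src_ports: str   # "any", "80" or "80-443"
    dst_addr: str    # the address the packet is addressed to
    dst_ports: str
    target: str      # redirect target (not used for matching)


@dataclass(frozen=True)
class Syn:
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


def matches(rule, syn):
    """True if the rule would catch this SYN (and redirect it to rule.target)."""
    if rule.src_addr != "any" and rule.src_addr != syn.src_addr:
        return False
    if rule.dst_addr != syn.dst_addr:
        return False
    lo, hi = parse_ports(rule.src_ports)
    if not lo <= syn.src_port <= hi:
        return False
    lo, hi = parse_ports(rule.dst_ports)
    return lo <= syn.dst_port <= hi


def ephemeral_syns(n, dst_addr, dst_port, seed=1):
    """Constructed client SYNs; the client OS picks a random high source port."""
    rng = random.Random(seed)
    return [Syn("198.51.100.7", rng.randint(1024, 65535), dst_addr, dst_port)
            for _ in range(n)]


def hit_rate(rule, syns):
    return sum(matches(rule, s) for s in syns) / len(syns)


# As described in the question: source port range 80-443, destination LAN address.
WRONG = Rule("any", "80-443", LAN_ADDRESS, "80-443", TARGET)
# Destination fixed to the WAN address but source port still pinned.
PINNED_SRC = Rule("any", "80-443", WAN_ADDRESS, "80-443", TARGET)
# Corrected: source port any, destination WAN address, one rule per service port.
RIGHT_80 = Rule("any", "any", WAN_ADDRESS, "80", TARGET)
RIGHT_443 = Rule("any", "any", WAN_ADDRESS, "443", TARGET)

if __name__ == "__main__":
    syns = ephemeral_syns(10000, WAN_ADDRESS, 443)
    for name, rule in [("as described", WRONG), ("pinned src port", PINNED_SRC),
                       ("corrected", RIGHT_443)]:
        print(f"{name:16s} hit rate: {hit_rate(rule, syns):.2f}")
```

The pinned-source-port rule never matches because ephemeral ports start above 1023, so even with the destination corrected to the WAN address the forward stays dead until the source port is set back to any.
-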
@swemattias said in NAT rules for letting 80/443 pass to server on LAN:
Source to ANY port range set to 80 and 443.
Yeah, as @SteveITS mentions, that is wrong. Yes, the IP would be any, but the port would also be any. You have no idea what source port would be used. It really could be anything greater than 1024 and less than 65k.
And I can pretty much promise you it would never be the same as the destination, i.e. 80 or 443. The only two applications that come to mind that do such a thing, where the source port is the same as the destination port, are NTP (123 UDP), and that is not always true, and a zone transfer with DNS. Again, not 100% always true.
Should probably put a big disclaimer when users try to set a source port. A big popup that says YOU SURE?? Source port is almost always ANY. If you are SURE, please type your admin password backwards, then solve this captcha, and now this different captcha, and then this 3rd captcha, now put in your 2FA, and then finally put in the value of pi to 72 digits. ;)
Then finish with a disclaimer: if this doesn't work, don't blame us; we warned you and tried to stop you.
-
@johnpoz https://goulartnogueira.github.io/BadUI/
-
@SteveITS hahaha - yeah put all of those on there when you try and set a source port ;)
edit: In all my years (33+) in the biz, if you count from when I started getting paid for doing just IT back in '92 (not counting the years I was doing IT for a company and just not getting paid for it, since it wasn't my actual job, and running old-school packet filter firewalls; stateful firewalls as we know them today didn't come out until the '90s something), I don't recall ever setting a source port on a rule, other than on some really horrible UI where there was no "any" and you had to put in a range 1024->65535.
-
@swemattias FYI we're not making fun of you. :) This is a very common question/error.
-
@johnpoz One I liked from somewhere was:
Select phone number:
Is this your number? 000-000-0001? (y/n) n
Is this your number? 000-000-0002? (y/n)
There are many such pages now. That site was a search result.
-
@SteveITS haha - yeah, that would be good ;) The one on the link for phone numbers that I saw was like a slider that would be impossible to land on your phone number.
I had never come across those before. I will have to keep that in mind for April 1st or something and throw that up: send an email to all my Plex users and say "oh, got something good for you guys", where they go and get one of those horrible captchas.
-
-
@swemattias Ah, then we misunderstood.
Usually then it's a firewall on the web server that needs to allow from any IP. Did you find https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html ?
Edit: btw I ran into "Incorrect Gateway on Target" last week...not actually pfSense, tbf, but I was helping an HVAC tech and they didn't have the gateway set properly on the device so it only worked internally.
-
@SteveITS I'm hanging in the firewall logs and see nothing of interest. Also checking the logs on the receiving end: ports are open. Nothing trying to access Traefik.
-
@swemattias Your screenshot is not complete. Also the firewall potentially is using port 80 already.
-
@swemattias If I go to the IP you post to the forum with on port 80, I get redirected to 443, where I then get a self-signed cert for "TRAEFIK DEFAULT CERT".
If I accept this cert it gives me a 404 error:
"404 page not found"
I would say your port forwards are working just fine, and you're having issues with the cert, or with what your default page should be, etc.
Or maybe, if you're trying to access with a DDNS FQDN, that is pointing to the wrong IP. But the IP you recently used to talk to the forum is letting me into something Traefik.
If I want to test if ports are working I always go to canyouseeme.org. This uses the IP you talked to it with, then sends TCP traffic to the port you put in and tells you if you get an answer or not.
-
@johnpoz Maybe a NAT reflection issue then. PLS don't hack me, John.

-
@Bob.Dig What more do you need?
And I am very sure that nothing else is using either 80 or 443.
Well, I did have an acme/haproxy setup on the Netgate 2100.
I did delete all that before I added the new rules.
-
-
@swemattias Please read what John and I wrote last.
Click the link I gave; maybe that is part of your problem? Ok, you said you're testing from outside, so it is not a NAT reflection issue. Your port forward is working according to John.
-
@johnpoz Interesting, I think you're on to something.
I removed the cert and am trying to get a new one... so it is Traefik after all, oh well.
-
@swemattias Yeah, it's still working. It even looks like the cert was just updated, because I got prompted again, or maybe I had cleared the exception. But the cert is from today, that is for sure.
Not Before: Fri, 05 Dec 2025 20:07:34 GMT
Not After: Sat, 05 Dec 2026 20:07:34 GMT
I get a 301 hitting 80, which is "hey, this has permanently moved", and it sends me to https://yourip
If I accept the cert I just get a 404. There is clearly nothing wrong with the port forward setup, or with actually talking to your server, since it sends me a 301 on 80 and then a cert on 443.
I won't post the IP I'm using in the forum, but I just sent you a PM with the IP I'm using and getting these responses from.
If you're testing from outside, it has nothing to do with NAT reflection. What is the full URL you're trying to use? You can send it to me in answer to the PM I sent you, but just using the IP I am getting answers.
-
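The checks John did by hand above (301 on port 80, self-signed cert on 443, then a 404 once the cert is accepted) can be scripted. This is an added example, not code from the thread, pfSense or Traefik; it uses only the Python standard library. It tries a verified TLS handshake first and, if that fails, records OpenSSL's verify message and retries with verification off so the HTTP status is still captured (the stdlib cannot parse the certificate subject, so the "self-signed" detection keys on that message rather than on the "TRAEFIK DEFAULT CERT" name). Run it from outside the LAN, e.g. a phone hotspot, so NAT reflection is not in play. The sample response bytes are constructed.

```python
"""Probe an inbound 80/443 port forward the way the thread does by hand.

Added example, not from the thread, pfSense or Traefik. Usage:
    python3 probe_forward.py 203.0.113.10   (public IP or DDNS name, from outside)
"""
import socket
import ssl

REQUEST = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"

# Constructed sample of what Traefik sends on port 80 (for offline use).
SAMPLE_80 = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://203.0.113.10/\r\nContent-Length: 0\r\n\r\n")


def parse_http_head(raw):
    """Turn a raw response head into (status code, {lower-case header: value}).
    Returns (0, {}) when there is no parsable status line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    status, *header_lines = head.split("\r\n")
    parts = status.split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return code, headers


def verdict(code80, location, verify_error, code443):
    """Map the probe results onto the conclusions drawn in the thread."""
    if code80 == 0 and code443 == 0:
        return "no answer on 80 or 443: check the forward, the upstream firewall and the host firewall"
    notes = []
    if code80 in (301, 302, 307, 308) and location.startswith("https://"):
        notes.append("80 redirects to https, so the forward reaches the proxy")
    elif code80:
        notes.append("80 answered with HTTP %d" % code80)
    else:
        notes.append("no answer on 80")
    # OpenSSL reports "self signed certificate" / "self-signed certificate" depending on version.
    if verify_error and "self" in verify_error and "signed" in verify_error:
        notes.append("443 serves a self-signed cert (Traefik default until a real one is issued)")
    elif verify_error:
        notes.append("443 cert failed verification: " + verify_error)
    if code443 == 404:
        notes.append("443 returns 404, the proxy is up but has no router for this Host")
    elif code443:
        notes.append("443 answered with HTTP %d" % code443)
    else:
        notes.append("no answer on 443")
    return "; ".join(notes)


def read_head(sock):
    raw = b""
    while b"\r\n\r\n" not in raw and len(raw) < 65536:
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
    return raw


def probe_80(host, timeout=5):
    """Plain GET on port 80; (status, headers) or (0, {}) if nothing answers."""
    try:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            s.sendall(REQUEST % host.encode())
            return parse_http_head(read_head(s))
    except OSError:
        return 0, {}


def probe_443(host, timeout=5):
    """Returns (verify error message or '', HTTP status on 443 or 0)."""
    ctx = ssl.create_default_context()
    verify_error = ""
    try:
        with socket.create_connection((host, 443), timeout=timeout) as s, \
                ctx.wrap_socket(s, server_hostname=host) as tls:
            tls.sendall(REQUEST % host.encode())
            return "", parse_http_head(read_head(tls))[0]
    except ssl.SSLCertVerificationError as e:
        verify_error = e.verify_message
    except OSError:
        return "", 0
    # Verification failed: retry without it so we still see the proxy's answer.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, 443), timeout=timeout) as s, \
                ctx.wrap_socket(s, server_hostname=host) as tls:
            tls.sendall(REQUEST % host.encode())
            return verify_error, parse_http_head(read_head(tls))[0]
    except OSError:
        return verify_error, 0


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    code80, headers = probe_80(host)
    verify_error, code443 = probe_443(host)
    print("80 :", code80, headers.get("location", ""))
    print("443:", code443, verify_error or "cert verified")
    print(verdict(code80, headers.get("location", ""), verify_error, code443))
```

A "no answer on 80 or 443" verdict from outside points at the forward, the ISP, or the host's own firewall, exactly the three things the thread goes through; a 301 plus a self-signed cert plus a 404 means the forward is fine and the remaining work is on the Traefik side.
-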
@swemattias ok that fqdn you sent me works - get this

But it still has just a self-signed cert. Nothing wrong with that, but it could cause issues with apps, if you're trying to use the Bitwarden app. I use it, but I don't host my own vault.
And I checked - that fqdn does resolve to the IP I was using directly