NAT to non-local internal subnet?

  • Hi All,

    I'm trying to replace a cisco router with a pfsense router (latest stable, embedded).  Once hiccup i've noticed is that pfsense doesn't seem to be able to port forward (DNAT)  IP's that aren't locally (non-routed) accessible.

    WAN  say I want to forward tcp port 8888 to tcp port 80

    LAN: (with a MPLS network routed via  ….. .....

    I would be able to forward to 192.168.0.x fine, but not to anything routed past that point on the MPLS network.

    Any suggestions/work-arounds?  I googled a previous discussion list where someone said it could be done, but didn't describe how.


  • What gateway does the netwok which is connected via MPLS have?
    Is the default gateway the same way back (via the pfSense)?
    If there is another default gateway, traffic gets NATd but the answer sent back directly
    (which wont work).

    For this you would have to enable source NAT
    –> traffic to the other side apears as if from the pfSense and thus make sure the answer goes back via the pfSense.

  • The MPLS gateway is routed via (so PFSENSE -> local net > MPLS gateway (this side has an interface on the local net) > MPLS network), and it isn't further natt'ed after pfsense has dealt with it.  The return path  from the MPLS is back via the same pfsense device (so it doesn't go out a different gateway, and pfsense should receive the packet and know it is related).

    I hate to ask a silly question - where can I find more information on how to do the source NAT'ing from pfsense? (how do I enable source nat)


  • After changing the interface to 'any' when setting up the nat we had success. Thank you for your time :) -

    Hopefully this post helps someone else in the future.

  • Umm.
    You shouldn't set that to any unless you know exactly what it does.
    Essentially anything that ever uses this port will now be redirected, even if is outbound traffic destined for the internet.

    Did you test this NAT forwarding rule from within your local LAN? Did you ever test from the outside?
    Because this't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
    might be your problem.

  • Rebel Alliance Developer Netgate

    Did you add a static route on pfSense that told it 192.168.11.x is reachable via

Log in to reply