PfSense NAT port forwarding with one NIC



  • First let me start off by saying that I'm new to pfSense (and obviously the forums) and my first impressions are insanely good.

    My LAN setup is relatively simple. I've got one plastic ADSL router + AP in the ideal position for wireless broadcast, and right at the highest quality phone outlet in the house. From there there's a hardwired ethernet cable to my server area, where it goes into the main switch, PCs and the VMware ESXi server. Inside the server there's another virtual switch (with promiscuous mode on) and my VMs, including pfSense.

    TL;DR: pfSense behind existing NAT, only connected to WAN interface.

    Right now it's operating as a DHCP server and DNS relay, and doing both beautifully. It also saves me the chore of reconfiguring the static DHCP leases in the plastic modem after a firmware update. The other major limitation my existing modem has is the port forwarding. It has a max of 32 entries (which I am close to reaching), and is also prone to being wiped.

    My question is the following. Would it be possible to designate pfSense as the DMZ in my modem, and then have pfSense handle the forwarding from there, back to hosts on the same LAN as the modem?

    Along the lines of:
    External host visits 123.123.123.123:8080 (my external IP (for the sake of example))
    My modem forwards to 192.168.1.2:8080 (pfSense's WAN interface)
    pfSense forwards to 192.168.1.12:8080 (web server) on the same interface it came in

    I want to continue using the modem as the default gateway so that in the event of server downtime people on the LAN can keep browsing so long as they fall back to secondary DNS and keep their DHCP leases.

    TIA, h89.

    Just to clarify, I'm male. It's hard to abandon a handle.



  • You will have NAT issues this way unless you set outbound NAT on pfSense to reach local services with pfSense's IP.

    My suggestion is to install HAProxy on pfSense and configure your proxied services there.

    In both configurations, the server log will never show the client's public IP.
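The outbound NAT the reply refers to, written out as an added pf ruleset fragment (not from the thread, and not pfSense's own generated config); it uses the OP's addresses and assumes pfSense's single interface is named `vmx0`. In the pfSense GUI the same pair is a Port Forward entry plus an Outbound NAT rule added in Hybrid mode.

```pf
# pfSense's only NIC: the modem's DMZ host and the LAN it forwards back to
ext_if     = "vmx0"
pfsense_ip = "192.168.1.2"
web_srv    = "192.168.1.12"

# What the OP proposes on its own: the port forward. The web server would
# see the external client's source address and answer via its default
# gateway (the modem), so the reply never passes back through pfSense and
# the modem's NAT state (keyed on pfsense_ip) does not match it.
rdr on $ext_if proto tcp from any to $pfsense_ip port 8080 -> $web_srv port 8080

# The fix the reply describes: source NAT on the same interface, so the
# forwarded packet leaves with pfsense_ip as source and the server's reply
# comes back to pfSense, which reverses both translations. Side effect,
# as noted above: the server log shows 192.168.1.2, not the client's IP.
nat on $ext_if proto tcp from any to $web_srv port 8080 -> $pfsense_ip

# Filter rule is evaluated after rdr, so it matches the translated destination
pass in on $ext_if proto tcp from any to $web_srv port 8080 flags S/SA keep state
```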

