Port forwarding only working to /24 addresses



  • Hello all, Thanks in advance for reading my question.

    My pfSense setup is on a /16 subnet (the LAN interface is 192.168.1.1/16) with devices ranging from 192.168.0-255.0-255, and they all can use the gateway fine and access the WAN correctly.

    However I simply do not understand what Port forwarding is doing.

    If I forward port 7000 from a WAN address to a device on the LAN (192.168.1.232/16 for example) it will not work, UNLESS I change the subnet on the 192.168.1.232 device to /24.

    Example addresses of Port forwarding working
    192.168.1.232 With a Subnet of 255.255.255.0
    192.168.13.180 With a Subnet of 255.255.255.0

    Example addresses of Port forwarding not working
    192.168.1.232 With a Subnet of 255.255.0.0
    192.168.13.180 With a Subnet of 255.255.0.0

    I have tried different ports/devices and every time it only works if the LAN device is set to a /24 subnet.

    Any ideas?



  • I have nat configured on /22 networks with no issues, can you post a screenshot of your nat rule?



  • What's the source IP of the host you're port forwarding traffic from? Out on the Internet, or on a private network? My first guess is you're forwarding in from a 192.168.x.x network and hosts with a /16 mask see that as a local network, which means the replies won't go anywhere.
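The reasoning in the reply above can be checked mechanically: a host decides whether to hand a reply to its default gateway or to ARP for the peer directly purely by testing the peer's address against its own interface prefix. The script below is an added illustration written for this thread, not code from any of the posters or from pfSense. It reuses the two LAN addresses from the question and adds two constructed source addresses: 192.168.50.7 as a hypothetical RFC 1918 client elsewhere in the 192.168.0.0/16 range, and 203.0.113.5 as a hypothetical public client. For each LAN host it compares what the reply path would be under the /16 and /24 masks.

```python
import ipaddress

# LAN hosts quoted in the original question.
LAN_HOSTS = ["192.168.1.232", "192.168.13.180"]

# Constructed example sources for the comparison (not from the thread):
#   192.168.50.7  - a private client elsewhere in 192.168.0.0/16
#   203.0.113.5   - a public client (TEST-NET-3 documentation range)
SAMPLE_SOURCES = ["192.168.50.7", "203.0.113.5"]


def is_on_link(host_cidr: str, peer_ip: str) -> bool:
    """Return True if a host configured as host_cidr treats peer_ip as
    directly attached, i.e. it will ARP for it instead of using the
    default gateway. host_cidr accepts either '/16' or '/255.255.0.0'."""
    iface = ipaddress.ip_interface(host_cidr)
    return ipaddress.ip_address(peer_ip) in iface.network


def reply_path(host_cidr: str, peer_ip: str) -> str:
    """Describe how the host would send a reply to peer_ip."""
    return "direct (ARP)" if is_on_link(host_cidr, peer_ip) else "via gateway"


def compare_masks(host_ip: str, masks, peer_ip: str) -> dict:
    """For one LAN host, map each candidate mask to the reply path it
    would take toward peer_ip. Masks may be prefix lengths or dotted."""
    return {mask: reply_path(f"{host_ip}/{mask}", peer_ip) for mask in masks}


def broken_replies(host_ip: str, mask, peer_ip: str) -> bool:
    """The failure mode from the reply above: the peer is NOT actually on
    the LAN segment (it arrived through the firewall), yet the host's
    mask says it is on-link. ARP for the peer never gets an answer, so
    the reply is silently dropped. We model 'actually on the LAN' as
    being inside the firewall's own LAN /24 (192.168.1.0/24), which is
    the configuration the poster reports as working."""
    lan_segment = ipaddress.ip_network("192.168.1.0/24")
    truly_local = ipaddress.ip_address(peer_ip) in lan_segment
    return is_on_link(f"{host_ip}/{mask}", peer_ip) and not truly_local


if __name__ == "__main__":
    for host in LAN_HOSTS:
        for src in SAMPLE_SOURCES:
            paths = compare_masks(host, [16, 24], src)
            print(f"host {host:<15} source {src:<13} "
                  f"/16 -> {paths[16]:<13} /24 -> {paths[24]}")
```

The output makes the hypothesis concrete: with a public source both masks route the reply via the gateway, so the mask alone would not explain the failure in that case; with a 192.168.x.x source outside the LAN /24, the /16 host ARPs for a peer that is not on the wire and the reply never leaves. This is exactly why the reply asks where the forwarded traffic originates, and why a packet capture on the LAN host (looking for unanswered ARP requests toward the source address) settles the question.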



  • Thank you guys for the replies. I posted 3 images. One of my LAN interface, one of the port forward, and one of the related rule.

    I am forwarding the port from WAN address which is a public facing IP on a /5 subnet (It is not a 192 address)



  • I did not find errors in your config.
    Does your WAN have a valid IP?



  • Yes it has a valid WAN IP, and I can access the internet via internal devices on both /24 and /16 subnets, but the really odd part is that the port forwards work fine if I change the device to a /24.

    Right now the websites in question are available and being used (Because I switched their internal ip to a /24), but it is really annoying to have to segment parts of our internal network for no logical reason.



  • Time to packet capture, start with the LAN on the firewall, filter on the destination host's IP. If you see it leaving there, go to the target server and capture.

