Can't achieve simple port forward

  • I am sorry I have to ask this, but this is absolutely confusing for me… I don't know why.

    Behind my pfSense box is a MikroTik router. I connect to this router via the program called Winbox, which uses port 8291.
    Its IP is a simple internal IP that's pingable from pfSense, and they can both communicate back and forth.

    So for me to get to it I have to create a port forward rule.

    In Port Forward I should only need to fill in...

    redirect IP and port.
    But I don't know why / what the destination port is. Even though I am filling in 8291, which is the port I need it to go to, it's not doing it.

    A simple rule to redirect traffic from the internet to an internal IP with port 8291.

    I should be asking: should I be creating a Firewall: Rules rule or a Firewall: NAT: Port Forward rule?
    Is pfSense really this messy?

  • If all you are really trying to do is to open port 8291 on the router for access from the internet, then a simple NAT Port Forward rule is all you need.  The firewall rule will be added automatically for you, assuming that you leave the Filter Rule Association at its default value.

    You need to know the correct protocol to use: TCP, UDP, or both, and the internal LAN address of the router.

    Then just connect to port 8291 on the WAN address of the pfSense box.


  • Netgate Administrator

    Setting up a port forward involves two parts:
    1. Set up a port forwarding rule.
    2. Set a firewall rule to allow the traffic.

    In fact the second part can be achieved easily (and automatically) by making sure the 'Filter rule association' field is set to 'Add associated filter rule' when you create the port forward. This is done in: Firewall: NAT: Port Forward:

    What does your rule look like?

    I have attached an example port forward rule from my own box.


    Edit: Eddie beat me to it!  ;) However you must make sure to either auto add the firewall rule, which results in the linked rule icon in my image, or add it manually.

  • I am not lying when I say I already did, as the screenshot shows.

    It's simply not working.

  • Netgate Administrator

    I believe you!  ;)
    I assume you also have the required firewall rule in place?

    Check the firewall logs for entries after you try to connect. I am not familiar with winbox but it does talk about using a special protocol to find the router (MNDP). Try changing the protocol in the port forward to 'any' and check that this has propagated to the firewall rule.


  • On your firewall rule, click "Log packets that are handled by this rule"

    Look at the firewall log and see if it's getting passed.

    Under Firewall: NAT: Port Forward: Edit there is no log option...

    However, under Firewall: Rules there is... but we want to do the above and not this one.

  • If you have a port forwarded you must have an associated firewall rule for it to work.

    We're assuming that you're trying to access this port from the WAN side of your pfSense router… Correct?

    No, this is the rule associated with the NAT, that lets the traffic through the firewall.


  • OK, let's start again.

    Firewall: Rules.

    Added a new rule under the WAN interface.

    Then added a rule under NAT: Port Forward... see attached.

    Still not working.

  • Hi,

    What about the connection (DSL / cable etc.)? Is the specific rule forwarded to the pfSense box? You've done the rules right, but if you don't use modem bridge mode it might be your problem. Let us know about it.


  • @cylent:

    Still not working.

    Please provide more information:
    How are you testing it - (for example, how do you ensure the access attempt arrives on the pfSense WAN interface)? What is reported in your test? Do you see your access attempt reported in the firewall log?

    Does the target application need to be configured to allow the access you are attempting?

    Have you done a packet capture on pfSense WAN interface to verify the access attempt is reaching the firewall? Have you done a packet capture on the pfSense interface to which the target device is connected to verify the access attempt is being port forwarded?

    You have configured a port forward for TCP. Do you know the application uses TCP and not UDP? (You were asked this earlier and I didn't see an answer.)

    I have a couple of port forwards set up on my pfSense WAN interface to a server on an OPTx interface, and I didn't have to do any more than set up the appropriate port forward rules.
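    As an added illustration of the two checks suggested above (look in the firewall log for the connection attempt, and confirm which interface it arrived on), here is a small parser for pfSense filter log lines. This is example code, not from the thread or from pfSense; the log lines are constructed, the CSV layout after "filterlog:" is assumed to follow pfSense's documented filter log format, and the interface names em0 (WAN) and em1 (LAN) are assumptions.

```python
import re
from collections import Counter

# Constructed pfSense filterlog lines (not from the thread). Field order after
# "filterlog:" is assumed to follow pfSense's documented filter log format:
# common fields, IPv4 fields, length/src/dst, then TCP or UDP ports.
SAMPLE_LOG = """\
Mar 1 10:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,1234,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51234,8291,0,S,1,,65535,,mss
Mar 1 10:00:05 pfSense filterlog: 70,,,1414000000,em0,match,pass,in,4,0x0,,52,1235,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51235,8291,0,S,2,,65535,,mss
Mar 1 10:00:09 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,1236,0,,17,udp,60,203.0.113.5,198.51.100.10,5678,8291,32
Mar 1 10:00:12 pfSense filterlog: 90,,,1414000001,em1,match,pass,in,4,0x0,,64,1237,0,DF,6,tcp,60,192.168.1.50,198.51.100.10,40000,8291,0,S,3,,65535,,mss
"""

WAN_IF = "em0"          # assumed WAN interface name
FORWARDED_PORT = 8291   # the Winbox port from the thread

def parse_filterlog(line):
    """Return a dict for one filterlog line, or None if not an IPv4 TCP/UDP entry."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def port_forward_report(log_text, port=FORWARDED_PORT, wan_if=WAN_IF):
    """Count inbound attempts on the forwarded port by (interface, proto, action).
    Attempts seen on a non-WAN interface come from inside the network, which is
    the case where only NAT reflection makes the port forward work."""
    counts = Counter()
    inside = []
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if not e or e["dport"] != port or e["dir"] != "in":
            continue
        counts[(e["iface"], e["proto"], e["action"])] += 1
        if e["iface"] != wan_if:
            inside.append(e["src"])
    return counts, inside

if __name__ == "__main__":
    counts, inside = port_forward_report(SAMPLE_LOG)
    for (iface, proto, action), n in sorted(counts.items()):
        print(f"{iface} {proto} {action}: {n}")
    if inside:
        print("Attempts from inside the network (NAT reflection case):", inside)
```

    A UDP attempt that is blocked while TCP passes points at the protocol question raised above; an attempt logged on the LAN interface means the test was run from inside.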

  • Coming back to this again because last time I literally gave up.

    I have a router connected to the LAN port of my pfSense box.

    My LAN IP on my pfSense is:

    My router is accessed via port TCP 8291.

    So I've created the following rule (see attached image),

    and I've made sure the option "Filter rule association" is set, to simplify things…

    and it isn't working. I don't know why, and how to see the firewall logs to see what's plugged and not.

    Please help!

  • NAT reflection: enable.

    Fixed it.

    Whatever it means!

  • Netgate Administrator

    Hmm, NAT reflection will 'reflect' outgoing connections that are destined for incoming port forwards.

    E.g. you are running a web server behind pfSense and have set up port forwarding so that users on the internet can access it. You have a domain set up and DNS records that point to your pfSense WAN interface so that your web server can be accessed via a URL. This works as expected.
    However, from within your network you cannot access the web server at, problem. This is because from inside your network the URL resolves to your pfSense WAN interface, an outgoing connection.
    This results in either nothing or in the pfSense web interface appearing, sometimes with a security warning, instead of the expected web server.
    NAT reflection resolves this by correctly routing the connection back to your internal web server.

    The only way this should have made any difference in your case is if you were testing the connection from inside your network.

    Reading back through the thread, we should have established that in the first post, whereas in fact it wasn't until Wallabybob asked:

    How are you testing it - (for example, how do you ensure the access attempt arrives on the pfSense WAN interface)?

    By that time you had lost the will to carry on! Sorry.  :-[


  • So in other words, NAT reflection is bad?

    It seems to be the only working way.

  • Netgate Administrator

    No, NAT reflection is the correct way to do this if you are using a URL to access an internal server.
    The Winbox software appears to use its own dynamic DNS lookup somehow, so this would probably apply.


    Edit: I can't find where I read that about WinBox and DNS now.

