Run a server behind pfSense router

  • Hi there. So I've gotten pfSense to run but I don't know how to run a server to the public IP of my ISP.  I'm new at this and have never setup a server behind a firewall.  I'm just migrating the existing setup to pfSense because the existing hardware is too old and are switching ISP providers.  Basically, the server is a PC on the LAN and is somehow configured to be accessed publicly via a URL address.  I know that the URL is from GoDaddy and the dyndns is setup via  I've never setup dyndns before, so I don't know how it is able to see this computer which is behind an existing firewall and has it's own LAN IP.

    The server box itself is already configured and currently in use.  There is no configuration needed as long as I keep the same LAN IP range, which I will.  I just need to know how this server is forwarded to be accessed via its URL address (is forwarded the correct word?), then somehow apply that to the pfSense router.

    I don't know if I'm making sense here but can someone help me out?

  • For illustration, assume you have a dynamic public IP address (IP address changes from time to time) and you want to have a web server on your LAN accessible from the internet.

    You will register your systems name and public IP address with a dynamic DNS server so internet users can find your IP address. They will use this IP address to access the web server. The pfSense firewall should be configured to have a port forward rule so access attempts from the internet to port 80 (HTTP, web service) are forwarded to the appropriate system on the LAN. See for more information about configuring port forwarding.

    For other servers just add additional port forwarding rules.

  • Netgate Administrator

    What are you using as a router at the moment?
    You should be able to look at what ever you are using to see how that does it. Chances are it will be a simple port forward but it may be on a different port for instance.
    Are you still trying to setup failover?


  • Wow, that's what I was looking for, the port forwarding screen.  I just couldn't think of the name of that page until I read wallabybob's post :P . I guess somewhere in my head I thought it would be some ultra-cool named page like "DA SERVERS" or something like that ::)

    The current config is not completely clear to me because I don't have access to the current firewall device.  It was setup by someone else like 7 years ago who no longer does computer work.  It's an old Siemens firewall device.  So the current config is like this:-

    Server box -> smart 24-port switch (web based utility but not fully manageable) -> siemens firewall -> T1

    I'm upgrading everything to Gigabit since the server and other computers are gigabit capable and Comcast bottlenecks on the 100 Megabit switch.  So I wanna do this:-

    Server box -> Cisco 300 series 20-port managed switch -> pfSense device -> Comcast Internet & T1 (each connected to their own port on the pfSense device and FailOver enabled, T1 temporary till contract is out and I get a cheaper secondary ISP)

    So this is what I'm going for.  I talked to tech support of the guys who made the server software and they said that all the server needs is to be directly routed to the public IP, so port forwarding port 80 should work.  I'll know in a few hours if this is the case.  So I assume I'm good with the above setup?

  • Netgate Administrator


    in my head I thought it would be some ultra-cool named page like "DA SERVERS" or something like that ::)

    I don't think pfSense has an 'urban street' translation yet.  ;D


  • Ah snap, I found out that Comcast Business comes with a dynamic IP by default.  So it changes whenever it pleases, anywhere from 3 hours to 3 months!  That is soo messed up, and the guy says that it's the same for Home service as well ??? .  Anyway, I ordered the addon for 1 static IP address for an extra $15 a month and have to wait a week for it to kick in.  Oh well, the wait begins.

    Also, the siemens device wasn't a firewall, it was just a T1 gateway device which was already disconnected and not in use.  I couldn't tell before because it was on a rackmount and too hard to tell what's going on in the back until I took some pictures with my phone's camera 8) .  There were no connections and so I removed the device.  The firewall was this tiny box with a 2005 PC Engine board with AMD SC1100 @267MHz processor and 512MB Compact Flash card.  So no doubt it used some firewall software.

    Lol, too sleepy to ask any questions, later ;D

  • Netgate Administrator


    I found out that Comcast Business comes with a dynamic IP by default.

    That's what dynDNS services are for.


    The firewall was this tiny box with a 2005 PC Engine board with AMD SC1100 @267MHz processor and 512MB Compact Flash card.  So no doubt it used some firewall software.

    If that WRAP board is running m0n0wall (from which pfsense is forked) you may get some clues from it's config file.


  • Wait, so how does dynDNS keep track of all those IP changes and still manages to link it to a url?  And can I still use Failover in pfSense for this?

    (Just checked DNSmadeeasy, and they support monitoring upto 5 IPs and cost $50 to monitor more!)

  • @tomsawyer2k5:

    Wait, so how does dynDNS keep track of all those IP changes and still manages to link it to a url?

    It doesn't keep track of IP address changes by itself - it relies on holder of the name reporting IP address changes. For example, if I have registered it is up to me (or my system) to report changes in the IP address to which that name is to map. pfSense has a configurable service to report such IP address changes.

  • Wallabybob, please describe this service for me and how to configure it.  This sounds like the exact thing I'm looking for!  :o

    So assume that I have Internet Connection 1 connected to WAN and Internet Connection 2 connected to OPT1, and Local Connection 1 connected to LAN.  I have Failover enabled, no load balancing. Will this service you mentioned monitor the active incoming IP and report it to my dns provider?  Or am I at least close?

  • Netgate Administrator


    What would be nice would be if you could set pfSense's dynDNS client to monitor whichever interface was currently the default gateway. That way when it fails over and the gateway changes it would update the dynDNS service immediately. Unfortunately that doesn't appear to be possible. There may well be some technical reason for this. In fact it may work anyway.  :-\ Hopefully one of the developers might chime in here.

    It doesn't really matter for you since dnsmadeeasy is not one of the supported services.  ::) (though I'm sure it could easily be added)
    Where do you run the client? If the client is the type that detects what your public IP is by connecting to the service then it will simply update the dynDNS servers when your WAN switches. However it will be limited by the time between checks. Perhaps you can alter that?


    Edit: You could use this:


    Are you running the dnsmadeeasy client on your server?


  • Currently no.  In fact, I don't think they have their own software.  They have some methods that can be developed to monitor the change, but that requires time and development that I'd rather not do.

    Then I found this:

    According to this I can use DNS-O-Matic and somehow reroute that to DNSMadeEasy, according to pfSense docs link above.  What I need to know is what I need to setup in the pfSense device and how to do so.

  • Netgate Administrator

    As I said above there is no way of telling the built in dynamic DNS client in pfSense to use more than one interface in a failover scenario. What you need to do is run a client on your server (or on any machine that is behind pfSense) and have that check as often as it can be set to do so.
    Dnsmadeeasy appear to have a number of clients available:
    I have no idea how much it costs though.

    What OS is your server running?


  • OK, I thought there was some sort of built-in feature of pfSense that can tell which IP is currently being directed to the NAT that can be reported externally and that the same feature will be able to act immediately since it is within pfSense.  This way it doesn't have anything to do with Failover as it is simply looking at the input IP of the NAT.

    Take your pick, I got Windows Server 2008 R2, Windows 2000, Linux.  Heh, when I read the "Java/Cross Platform" I kinda didn't want to go that route.  Should've tried to click the link because I see the program "Direct Update" and "DynSite".  The server that I need to get online is the Server 2008 R2.

    So with one of the above programs running, it will simply update the IP address when there's a change.  The program will simply treat Failover feature in pfSense as a Dynamic IP change! If this is the case, then VERY NIIIIIIICE!

    This…is correct, right?

  • Netgate Administrator

    Exactly. Most dyndns client programs will ping out to some site in order to determine what their outgoing IP is, they don't rely on reading it from the machine they run on. E.g.
    The advantage of running it on pfSense is that it would know immediately if the IP changes where as running on the server behind there will be some delay. Since the pfSense dyndns client does not appear to be setup for multiwan it won't failover correctly. So although there is a built-in feature exactly as you suggested it's not usable in this situation.
    I'm still half expecting one developers to come in here and tell me I'm not reading it right.. ::)


Log in to reply