    I'm trying to use pfsense as a perimeter firewall. I have one internal LAN host (open e SAN) on
    and I'm trying to ping it from the Wan side and connect to it on port 80 and ssh.

    The Wan address is on a /26 network and the LAN address on /31 (

    I think I need to set up a 1:1 mapping in Firewall -> Nat -> 1:1 but I don't understand which fields
    I need to set up. There are four in Nat -> 1:1 :

    Interface -> Wan
    External subnet IP ->
    Internal IP -> any
    Destination -> Single host or alias ->

    Is this correct please and do I need to set up a rule in the outbound NAT to route port 80 and ssh
    traffic back out? I can't ping nor connect on port 80 or ssh at the moment. Do I need
    to set up any Virtual IPs or anything else?

  • First, is not a /31, it is a /24. Second, neither a /31 nor a /24 subnet on would be able to get to Unless there is a typo in your post.

    You don't need to set up any NAT if you just want to get to the GUI on the WAN address. Just set up the firewall rules to allow port 80 and 443 (or any custom port you set) to the WAN address (an actual option in the firewall rule edit wizard).

    You must remember that the default rule is to drop all packets. This is the last rule in the chain, so you must allow traffic; this also includes the ICMP protocol for you to be able to ping the WAN address.

  • @BigLebowski:

    The Wan address is on a /26 network and the LAN address on /31 (
   == /24 == /26 == /31

    And the minimum subnet which works is /30, where the addresses are used as: subnet name, host1 (usually gw), host2 and broadcast

    The /31 was a typo, the internal range is indeed /24. I got the "/31" from the Firewall: NAT: 1:1 -> Internal IP setting (greyed out in Single host -> Single host or alias box). Why is /31 in there by default?

    I want to be able to ping from any external WAN IP (by pinging which should be routed via the external /26 WAN network). Then, once that's working, I want to SSH to (again via and access it on port 80 from anywhere.

    I am unsure about how to set this up. Does it require just one entry in the Firewall: NAT: 1:1 table or do I also need to set up Nat -> Port Forward and/or Nat -> Outbound and/or Nat -> Virtual IPs? And do I also need to create any firewall rules?

    As you can tell I'm a newbie to this.

  • You could do web browsing and SSH access easily with port forward, but that doesn't support ICMP.
    I'm sorry to say that I don't have the possibility to test 1:1 NAT

  • I've set up the following 1:1 rule, but I still can't ping, ssh or telnet port 80 on

    Interface -> Wan
    External subnet IP ->
    Internal IP -> Type -> Single host
                      Address ->
    Destination -> Single host or alias

    I have to say I'm surprised there are both "Internal IP" and "Destination" because they seem
    to be the same to me, ie the destination is an internal IP. I don't think I'm grasping the
    difference between the two.

    Should the external subnet IP be the IP address I'm trying to connect from or the pfsense
    WAN IP?

    The problem might be that there's a "/31" greyed out in the "Source" box. I can't seem to edit


  • Have you created a firewall rule on WAN to allow that 1:1 to work?

  • I don't think you can set up a 1:1 for the same IP as the FW. You can port forward certain ports. I would set up a VIP (IP Alias) on (or whatever) and then use the 1:1 NAT to translate that to Then go and create FW rules. If you only have the 1 IP, then don't use 1:1 but use port forward.
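
The setup described in the last reply, sketched as pf rules of the kind these GUI settings correspond to. This is an added example, not part of the thread and not pfSense's generated ruleset; the interface name, every address (documentation ranges) and the `<admin_nets>` table are constructed placeholders.

```pf
# Constructed example values, not taken from the thread.
wan_if    = "em0"            # assumed WAN interface name
fw_wan_ip = "203.0.113.2"    # the firewall's own WAN address (inside the /26)
vip       = "203.0.113.10"   # spare WAN address, added as an IP Alias VIP
lan_host  = "192.168.1.10"   # internal host on the /24 LAN
table <admin_nets> const { 198.51.100.0/24 }   # assumed trusted SSH sources

# Case 1: a spare public IP exists -> VIP + 1:1 NAT.
# binat is bidirectional: traffic to the VIP is rewritten to the LAN host,
# and the host's own outbound traffic leaves as the VIP, so no separate
# outbound NAT entry is needed for this host.
binat on $wan_if inet from $lan_host to any -> $vip

# Case 2: only the firewall's single WAN IP -> port forwards.
# Use these instead of the binat line above.
# rdr on $wan_if inet proto tcp from any to $fw_wan_ip port 80 -> $lan_host port 80
# rdr on $wan_if inet proto tcp from any to $fw_wan_ip port 22 -> $lan_host port 22

# Filter rules. Translation is applied before filtering, so the destination
# in the WAN rules is the internal address, not the public one.
block in log on $wan_if all      # default deny; pf uses the last matching rule
pass in on $wan_if inet proto icmp from any to $lan_host icmp-type echoreq
pass in on $wan_if inet proto tcp from any to $lan_host port 80
# Assumption: SSH limited to known admin networks instead of any source.
pass in on $wan_if inet proto tcp from <admin_nets> to $lan_host port 22
```

In the GUI this maps to one Virtual IP entry, one 1:1 entry, and three WAN firewall rules whose destination is the internal host.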

