• hi,
    i am not so familiar with firewall rules, but i just want to access with a client, from my wan interface a webserver located in the opt1 interface. I have created a single rule on wan interface (see attachment). but I cant get access from my wan interface to the server and I am trying to access with https://<ipaddess>. lan works perfectly with the default rule.

    I ve also set the destination (opt1) in the rule to 'any' but no success. in the howto "Example basic configuration" from the wiki, there is mentioned "Always remember that rules are matched on the INCOMING Interface." which is the wan. So, I am missing anything?

    Thanx for your help


  • WAN subnet - this means only those who are on the same subnet as your internet IP will get through. Nobody else on the internet will be able to access it. Unless you have a very specific IP you want to allow access, Source should be Any.

    Do you have a NAT rule forwarding to the webserver? Based on your destination I would assume you would, but I still ask in case my assumption is wrong.

  • hi.
    I didn't know is was neccessary to create a NAT rule. I created a rule now according to the following howto:


    And it works. Thanx

  • oh, I still have a little problem. I have a router in front of the firewall where a client is connected. when I connect to the site, it only works with the IP but not with hostname (guess this is the filewall's hostname). The client get his IP from the router. I tried to activate DHCP on wan and assigned an address from this network, but no success. Do I have to create a rule for dns (i have only the dns forwarder)?

  • Anything outside of the WAN interface will only need to know pfSense's hostname, since pfSense is handling NAT.

    So when you try to access the website, you should be using the hostname of pfSense.

    If that's already what you're doing, then on the computer behind the router (assuming it is windows based) go to command prompt. Type nslookup, and then type the hostname of the pfSense box. If your pfSense box pulled its IP from the router, the router should have an entry for it and return the IP.

    If the IP does return, then in your web-browser you would simply enter the host minus .com/.net/.org…

  • LAYER 8 Global Moderator

    internet –- (router) --- network A --- (pfsense) --- network B --- webserver

    So this is your setup?  And you have some computer connected to the A network that you want to access your webserver on the B network?

    So I assume that both network A and B are private, ie they start with 10.x.x.x, 192.168.x.x or 172.16-31.x.x is this correct.  Since you have not give us any details to use as examples.  I am going to say A is and B is

    So in the example the interface on router network A interface is say and pfsense is and your client on this network is

    Now on your B network lets say pfsense has and your webserver is

    So you create a port forward (nat) on pfsense that forwards https to, this auto creates your firewall rule to also allow the traffic.

    So if your on your client on the A network and you go to (pfsense IP) on port https (443) it will forward you to your webserver.

    If you want to use name resolution lets call it web.domain.tld to get to your webserver than client on A needs to resolve that to (pfsense wan IP) to have pfsense forward the traffic on to your webserver.

    Now if you want someone on the internet to access your webserver.  You would need to setup a port forward on your router in front of pfsense that forwards to pfsense wan IP.  You then from the internet would access routers internet IP on port 443, it would forward you to pfsense wan IP, which then pfsense would forward to your webserver.

    If you want people on the internet to use a fqdn www.somedomain.tld to get there - then that name would have to resolve to the IP address of the wan interface on the router.

    So what exactly do you want to happen and more than happy to walk you through the config. Details of your IPs in use would be great for ability to use those exact details vs example networks.  Keep in mind if IP is private (listed above) then there are no issues with posting those details.  If your IP say the routers internet IP starts with public range, then please hide some of the details for example 24.x.x.42 as an example.

  • The network configuration is exactly how johnpoz described.

    router (DHCP)
    network A –- client (Tablet Blackberry Playbook)
    ( --- (
    pfsense - XAVIER (static address on both sides, DNS forwarder)
    network B --- webserver - WOLVERINE (linux, static address, HTTPS server)
    ( --- (

    The only one that has a WLAN is the router. So, the tablet is connected to the router via DHCP and has only the graphical interface, no command line terminal. This client on network A should be able to reach the webservice on network B. I don't want the webservice to be available on the internet.

    Now, the client on network A is able to reach the webservice - through the NAT rule - only with the pfsense IP ( But I want additionally to be able to reach the webservice by entering the name of pfsense (XAVIER) in the web browser.

    How can I achieve this?

  • LAYER 8 Global Moderator

    You need to setup Name resolution..  So your tablet uses router for dns?  Can it create records?  There is going to be no way to use a name if you can not resolve the name.  If you can not create records right on the tablet, then either via dns, wins or broadcast it has to be able to resolve the name.

    Since your double natting and on another segment there is NO way for you to broadcast for the name, etc.  So you need so sort of name services to resolve it for the tablet.

    What I don't understand is why your setup like this in the first place?  Why don't you just replace your router with pfsense as how its designed to be used ;)  And change your wireless router into an AP on your pfsense lan network - now your tablet will be on the same side as the webserver and be using pfsense as dns which you could create dns entries for your webserver name, or the tablet could even broadcast for it.

    edit: Is that router not really a router and a gateway?  Modem/Router combo?  Why do you need to isolate network A from B?  Are there other clients on network A or only this wireless tablet?

    • yes, my tablet uses the router for dns, but it cannot create additional records,
    • the tablet is the only client on this network A,
    • there was no client on netwok A till now as the tablet is new,
    • the router is a modem/router combo and the pfsense doen't have a modem on wan

    So you mean I should install the dns package to resolve? It will not function with the dns forwarder?

  • I'm pretty sure you can add static IPs to the router based on MAC. Once you create a static IP on the DHCP Service on the router, you've essentially added a DNS record.
    The only time this is an issue is when the computer adds a suffix to any address that doesn't have one. IE a windows computer on a domain, will often tack on a suffix. So you would enter xavier and it would tack on xavier.workgroup which results in the name not resolving. But since you're doing this from a tablet, you should be fine.

    Edit*: Netgear / linksys have always asked me for the hostname when entering a static IP.

    ** Random picture pulled off the interwebz to use as an example.

  • LAYER 8 Global Moderator

    What specific router do you have?

    As to dns forwarder?  Not sure what your asking - pfsense would be using dns forwarder by default normally.  And those are great for clients on the B network.  But A is not going to be able to ask pfsense for it..

    Guess you could open up pfsense to allow queries to its dns forwarder from the wan side, then have your tablet use that for dns.  Does your routers dhcp allow to hand out different dns other than itself?

    What router do you have - and we can work out the feature set we are limited too.

    edit: ok I found a thread about how to use a host file since it seems you can not actually edit the host file on the read only file system.  So this thread seems to go over a way you can add a host file functionality so you could resolve host names without dns, wins, broadcast, etc.

    As another option - you might want to look into putting your gateway (router) into bridge mode and then using pfsense as your actual gateway and getting another wireless router/ap to provide wireless access to your 1 network.  This way you remove the nat between your wireless network and your wired and will allow for easy access from your tablet to other boxes on your wired network, broadcasting for name - pfsense dns functionality where you can add hosts, etc.


  • @heavy1metal: I'm afraid, I can't define any static IPs to the router based on MAC


    • I have an old AVM Fritz!Box 7170,
    • unfotunately, the routers dhcp doesn't allow to hand out different dns other than itself, but pfsense could act as dhcp on the wan side,
    • if I would open up pfsense for the dns forwarder, which port would it be? I think I would open up again with a nat rule, isn't it?
    • I didn't plan to buy another wireless router or access point, but it's still a possibility,
    • going to read this article these days
  • LAYER 8 Global Moderator

    It might be possible to enable dhcp on the wan interface - but never even thought of doing such a thing since the wan is normally a the public internet, which is hostile network with clients outside your network you would never want to host dhcp to that ;)

    If you can not hand out different dns on your routers dhcp, then its kind of pointless to open up dns from the wan unless you set your tablet to use static dhcp/dns settings?

    Taking a look at the manual for the 7170 here, that looks like a very limited box and does not allow a lot of freedom to do much of anything from a networking side.. Your right I see very little features in the dhcp server.

    If I were you I would prob look into to replacing that box with a just a MODEM, I did not jump out at me in the manual if you could change it to that mode.

    If you could then pfsense would get your public IP on its wan, and then buy a different wireless router or even a true accesspoint to use on your network for wireless devices.

    Not sure where your located - but here in the US you can pickup a wireless router for $20 and use it as an AP.  Even if you leave your current fritzbox as nat and you continue to double nat.  Just turn off its wireless and or leave it on for guests to use, and then devices you want to be wireless and access your normal lan network you connect to the new AP that is on that network.

  • That router only has 8mb of flash… ouch.

    Pages 76-77 of the manual - No shit, they expect you to set the static IP client side. However you can do some basic lan segregation lol.

    If you have a wireless router laying around, or can get one second hand I would do that. Internet > router > Pfsense > Wireless > clients.

    If you're only using your tablet, then to make life easy I would make a bookmark for xavier's IP.

    DNS uses UDP port 53
    DHCP uses UDP ports 67-68