When to port forward

  • Hi,

    I have been using pfsense for a few months now in what seems to me to be a fairly straightforward environment.  However, I've been experiencing chronic problems with NAT and port forwards. Now I'm not at all sure I understand WHEN I need to create a port forward rule.

    I have 3 LANs (on either physical interfaces or VLANs). Attached to one LAN ( is a gateway router to the outside world.  This is a legacy LAN that can't be easily changed to move the WAN onto the pfsense box.  There's another WAN attached directly to the WAN interface but I don't think I'm experiencing any issues with its usage so I've been ignoring it till now. Also attached is an interface to an openstack cloud with two VLANs that host a bunch of services that use the gateway router.

    I can post more detailed information and descriptions, but really my question is about when and why I need to create NAT rules.  I've looked around and read extensively and every time I think I get it I encounter a problem that really throws me - and I end up either deleting a NAT rule or having to create one without really knowing why (also a bad move). Is there a good, current article/tutorial somewhere that explains when I need to NAT? For example I believe I don't need to NAT when going from my LAN to the Openstack VLAN - but I may be wrong. How does my indirectly connected gateway change things?

    I've also spent a very long time attempting to get SIP and RTP playing nicely. Again, I suspect that my NAT setup may be at fault. (static UDP port mappings for example). I feel sure a better understanding of what's going on would help.

    If it's relevant the firmware is

    2.1-RELEASE (amd64)
    built on Wed Sep 11 18:17:48 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    Thanks, Mark

  • You need to NAT anything with a destination that will not know how to reply to the source address. The usual cases are:
    a) Traffic with private source IP going out to the public internet.
    b) Traffic from "MyLittleLAN" to "BigCorporateLAN" when "BigCorporateLAN" has routers that don't have routes back to "MyLittleLAN". This typically happens when BigCorporateIT won't let LittleBranchOffice set up extra LANs for something, but LittleBranchOffice is going to do it anyway, and will thus just NAT into BigCorporateLAN.

    Port Forward is needed when the clients have no way to directly address the destination system, and thus need an intermediate place (the pfSense) that they can reach, and pfSense is able to reach the real destination system for them (or at least reach the next device in the chain that has another port forward… to eventually get there).

    I guess in a way they are used in the opposite situations:
    NAT when the source can reach the destination, but the destination cannot get directly back to the source.
    Port Forward when the source cannot reach the destination, but the destination can get directly back to the source.
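The two rules above, written out as pf.conf fragments for the kind of layout described in the question (pfSense 2.1 on FreeBSD 8.3 uses the old `nat`/`rdr` syntax, which is what pfSense generates from its NAT pages). This is an added illustration, not the poster's configuration or anything pfSense ships; interface names, subnets and host addresses are assumptions.

```pf
# Interface and network names are assumptions for this example.
wan_if   = "em0"             # directly attached WAN
lan_if   = "em1"             # legacy LAN that holds the gateway router
cloud_if = "em2"             # OpenStack side (VLAN subinterfaces omitted)
lan_net   = "192.168.1.0/24"
cloud_net = "10.10.0.0/16"

# Case (a): private source going out to the public internet on the WAN
# interface. Nothing out there can route back to RFC 1918 space, so NAT.
# The SIP/RTP host gets static-port so its UDP source ports survive the
# translation (pfSense calls this "Static Port" in outbound NAT);
# nat rules are first-match, so it must come before the general rule.
nat on $wan_if proto udp from 10.10.5.30 to any -> ($wan_if) static-port
nat on $wan_if from { $lan_net, $cloud_net } to any -> ($wan_if)

# LAN <-> OpenStack VLAN: both networks sit behind pfSense, and pfSense
# is the gateway for both (assumed), so replies already come back through
# it. No NAT and no port forward, only filter rules.
pass in on $lan_if   from $lan_net   to $cloud_net
pass in on $cloud_if from $cloud_net to $lan_net

# Case (b): cloud traffic that pfSense sends out via the legacy gateway
# router. If that router has no route for $cloud_net it will send replies
# to the wrong place, so hide the cloud hosts behind pfSense's own
# address on the legacy LAN. Drop this rule once the router has a static
# route for $cloud_net pointing at pfSense, and the NAT is no longer needed.
nat on $lan_if from $cloud_net to ! $lan_net -> ($lan_if)

# Port forward: outside clients cannot address 10.10.5.20 directly, but
# 10.10.5.20 can reach them back through pfSense. Redirect what arrives
# on the WAN address and pass the translated flow (filter rules see the
# post-rdr destination, so the pass rule names the inside host).
rdr on $wan_if proto tcp from any to ($wan_if) port 443 -> 10.10.5.20 port 443
pass in on $wan_if proto tcp from any to 10.10.5.20 port 443
```

The quick test for any flow is the one the reply gives: trace the return packet from the destination back to the source hop by hop, and if some hop has no route for the source address you need outbound NAT there; if the client cannot even address the destination, you need a port forward on a box it can address.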
