[Solved] Port forward to a different port number



  • I'm trying to use NAT to forward an external port X (e.g. 8080) on WAN to a server on the LAN on port Y (e.g. 80). I followed the steps on doc.pfsense.org and I use the option to add the firewall rule automatically.
    This seems to work only if ports X and Y are the same. If I add a different port number to the "Redirect target port" on the NAT page it does not work. I'm on 2.1.

    For example, the values on the NAT page are:
    Interface: WAN
    Protocol: TCP
    Destination: WAN address
    Destination port range: 8080
    Redirect target IP: 192.168.0.100
    Redirect target port: HTTP (80)
    NAT reflection: use system default
    Add associated filter rule

    The filter rule is:
    Action: Pass
    Interface: WAN
    Source: any
    Destination: 192.168.0.100
    Destination port range: HTTP

    How can I make this work with different ports?

    Thanks in advance.



  • I just put a somewhat "random" port forward into my home system and got this in /tmp/rules.debug

    # NAT Inbound Redirects
    rdr on vr1 proto tcp from any to 10.49.175.1 port 4350 -> 10.49.160.42 port 4200
    

    It looks like a reasonable pf redirect from port 4350 to port 4200.
    What is in this section of your /tmp/rules.debug?



  • Thanks for the reply, Phil.

    I have the following in the:

    NAT Inbound Redirects

    ---snip
    rdr on em1 proto tcp from any to xxx.xxx.xxx.xxx port 8080 -> 192.168.0.100 port 80
    ---snip

    where xxx.xxx.xxx.xxx is the WAN IP I masked. It looks good to me, too.

    Is it the auto-added firewall rule, then?



  • My auto-added rule looked OK. The rule should be to permit the IP and port after NAT translation, because NAT happens first, then the firewall rules are processed. For you, there should be a rule to permit 192.168.0.100 port 80.
    One tricky point is that the rule is added to the end of the existing rules. So if you have some combination of pass and block rules already on WAN, then the auto pass rule at the end may not be effective (an earlier wide-ranging block rule might stop the traffic first). If so, then move the auto rule up to/near the top.



  • Thanks, Phil, that was it. The rule was added to the bottom and an earlier rule blocked the traffic.
    Easy. Thanks for your help.
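
Added example, not part of the original thread: a small Python model of the evaluation order discussed above, where the rdr translation is applied first and the first matching filter rule then decides. It assumes first-match (`quick`) rules and a default deny, and parses only a simplified pf syntax; the sample rules, the function names and the address 203.0.113.10 (standing in for the masked WAN IP) are constructed for illustration.

```python
import re

# Constructed sample in simplified pf syntax (not a real /tmp/rules.debug).
# 203.0.113.10 is a placeholder for the masked WAN address.
SAMPLE = """\
rdr on em1 proto tcp from any to 203.0.113.10 port 8080 -> 192.168.0.100 port 80
block in quick on em1 proto tcp from any to any
pass in quick on em1 proto tcp from any to 192.168.0.100 port 80
"""

RDR = re.compile(
    r"rdr on (\S+) proto (\S+) from any to (\S+) port (\d+) -> (\S+) port (\d+)")
FILTER = re.compile(
    r"(pass|block) in quick on (\S+) proto (\S+) from any to (\S+)(?: port (\d+))?")

def translate(rules, iface, proto, dst, port):
    """Apply the first matching rdr; NAT runs before the filter rules."""
    for line in rules.splitlines():
        m = RDR.match(line)
        if m and m.groups()[:4] == (iface, proto, dst, str(port)):
            return m.group(5), int(m.group(6))
    return dst, port  # no redirect: packet keeps its original destination

def first_match(rules, iface, proto, dst, port):
    """Return (action, line_no) of the first filter rule matching the packet."""
    for n, line in enumerate(rules.splitlines(), 1):
        m = FILTER.match(line)
        if not m:
            continue
        action, r_if, r_proto, r_dst, r_port = m.groups()
        if (r_if == iface and r_proto == proto and r_dst in ("any", dst)
                and r_port in (None, str(port))):
            return action, n
    return "block", None  # assumption: nothing matched, default deny

def verdict(rules, iface, proto, wan_ip, wan_port):
    """Post-NAT destination plus the filter rule that decides the packet."""
    dst, port = translate(rules, iface, proto, wan_ip, wan_port)
    return (dst, port) + first_match(rules, iface, proto, dst, port)

if __name__ == "__main__":
    # The wide block on line 2 wins before the pass rule on line 3 is reached.
    print(verdict(SAMPLE, "em1", "tcp", "203.0.113.10", 8080))
```

Swapping lines 2 and 3 of the sample changes the verdict to pass, which is the rule move that resolved the thread.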

