Pfsense simple port forward



  • Hi guys, I am new here and hoping I can get some insight into a problem I am currently having. I am testing pfsense for the first time and trying to get some things figured out. Currently I have installed pfsense on a basic P4 machine and it's running really smoothly. I set it up right now as a basic internet router and for the most part it is running pretty well.

    Issues I am having:

    I set up my work machine (2 nics - 1 for main internet line, 2nd for testing purposes) with IIS installed running default configuration for everything. With pfsense, I have a spare IP that I am using to try and route to the IIS default webpage but it doesn't seem to be working so well. I am just trying to type the extra IP address that I have and when I do it leads me to the pfsense login. When I try from a different machine, I get a failure to load webpage. I have disabled my firewall hoping that this would solve it and still nothing.

    Here is an image of the configuration:

    and this image is the firewall page showing the auto creation of the rule:

    I am also experiencing some issues regarding visiting certain webpages through pfsense.



  • The destination should be the WAN address or a Virtual IP on the WAN subnet. Make sure your webgui is not running on HTTP.



  • How do I check that? I am on default installation right now.



  • Default is https. It's under system, advanced, admin access tab, at the top.



  • I was actually just in there and I am attempting it right now. I changed the TCP port number to 81 just for giggles but it doesn't seem to have an effect on it.

    I also tried checking the webgui redirect and that didn't make a difference.



  • Did you change the destination of the port forward to WAN?



  • No because I am trying to route it to an internal IP.


  • LAYER 8 Global Moderator

    The firewall rule is correct; it will show the IP he is doing the nat/forward to, not the wan address.

    As to this:
    "When I try from a different machine"

    So you're trying to use nat reflection?  Or is this other machine on the wan side of pfsense? (internet)

    First thing I would do when having an issue with a port forward is validate the traffic actually gets to pfsense WAN.. A simple packet capture takes all of 10 seconds to validate.

    If you see it there, validate that it goes out the pfsense lan side interface with another capture.. Do you see the response from the server?

    These 2 tests should tell you right away what the problem is.. If you see it on wan but not going out the lan, then something is wrong with pfsense.  If you see it go out the lan but no response, then it's the firewall or configuration on the server you're forwarding to.  Validate you're sending to the correct IP, and validate the server actually sees the traffic if pfsense is sending it out - maybe you have an issue somewhere between pfsense and the server you're forwarding to.

    If you see it on wan and a response on lan - maybe outbound nat on pfsense is wrong?  Since you didn't see the response going back out on pfsense wan when you did the first wan sniff.

    Troubleshooting these issues should really only take you a few minutes to isolate where the problem actually is.


  • LAYER 8 Netgate

    @dotdash:

    Did you change the destination of the port forward to WAN?

    This has to happen for NAT to work from the outside.  Change the destination in the NAT entry from "LAN Address" to "WAN Address."

    Nothing is going to happen even with NAT reflection because the NAT entry is on the WAN interface.  No traffic will come into the WAN interface destined for "LAN Address."



  • @johnpoz:

    The firewall rule is correct; it will show the IP he is doing the nat/forward to, not the wan address.

    As to this:
    "When I try from a different machine"

    So you're trying to use nat reflection?  Or is this other machine on the wan side of pfsense? (internet)

    First thing I would do when having an issue with a port forward is validate the traffic actually gets to pfsense WAN.. A simple packet capture takes all of 10 seconds to validate.

    If you see it there, validate that it goes out the pfsense lan side interface with another capture.. Do you see the response from the server?

    These 2 tests should tell you right away what the problem is.. If you see it on wan but not going out the lan, then something is wrong with pfsense.  If you see it go out the lan but no response, then it's the firewall or configuration on the server you're forwarding to.  Validate you're sending to the correct IP, and validate the server actually sees the traffic if pfsense is sending it out - maybe you have an issue somewhere between pfsense and the server you're forwarding to.

    If you see it on wan and a response on lan - maybe outbound nat on pfsense is wrong?  Since you didn't see the response going back out on pfsense wan when you did the first wan sniff.

    Troubleshooting these issues should really only take you a few minutes to isolate where the problem actually is.

    As I mentioned, I am new to pfsense. How do I perform such a test? I wouldn't know how to even read the result properly.
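    The two-capture check johnpoz describes above, worked through as an added example (not code from this thread or from pfSense): it reads tcpdump-style output taken on the WAN and LAN sides and applies his decision tree to say where the forward breaks. Interface names, addresses and the sample capture lines are constructed placeholders.

```python
import re

# Constructed placeholders (not from the thread): adjust to your own WAN VIP, server and NICs.
# Collect the real captures on the pfSense shell (or Diagnostics > Packet Capture in the webGUI):
#   tcpdump -ni em0 -c 20 tcp port 80    # WAN side
#   tcpdump -ni em1 -c 20 tcp port 80    # LAN side
PUB_IP = "203.0.113.10"   # WAN address / Virtual IP the port forward listens on
SRV_IP = "10.0.0.50"      # internal IIS machine the forward points to
PORT = 80
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")  # tcpdump -n format

VERDICTS = {
    "NOT_REACHING_WAN": "no request on WAN: traffic never arrives (wrong IP, upstream device, or a LAN client hitting the public IP without NAT reflection)",
    "NOT_FORWARDED": "request on WAN but nothing leaves LAN: pfSense NAT/rule problem (forward destination must be WAN address or VIP)",
    "SERVER_SILENT": "forwarded out LAN but no reply: host firewall or IIS not listening",
    "REPLY_LOST": "server replied on LAN but nothing went back out WAN: outbound NAT or routing on pfSense",
    "OK": "request and reply seen on both sides: the forward works",
}

def parse(capture):
    """Extract src/dst endpoints and TCP flags from tcpdump -n text lines."""
    pkts = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            pkts.append({"src": m[1], "sport": int(m[2]), "dst": m[3],
                         "dport": int(m[4]), "flags": m[5]})
    return pkts

def diagnose(wan_capture, lan_capture):
    """Walk the WAN-capture / LAN-capture decision tree and return a VERDICTS key."""
    wan, lan = parse(wan_capture), parse(lan_capture)
    # Inbound request: a SYN to the forwarded port (public address on WAN, translated on LAN)
    req_on_wan = any(p["dst"] == PUB_IP and p["dport"] == PORT and "S" in p["flags"] for p in wan)
    req_on_lan = any(p["dst"] == SRV_IP and p["dport"] == PORT and "S" in p["flags"] for p in lan)
    # Reply: sourced from the forwarded port (server address on LAN, translated back on WAN)
    resp_on_lan = any(p["src"] == SRV_IP and p["sport"] == PORT for p in lan)
    resp_on_wan = any(p["src"] == PUB_IP and p["sport"] == PORT for p in wan)
    if not req_on_wan: return "NOT_REACHING_WAN"
    if not req_on_lan: return "NOT_FORWARDED"
    if not resp_on_lan: return "SERVER_SILENT"
    if not resp_on_wan: return "REPLY_LOST"
    return "OK"

# Constructed sample capture lines for the four stages of one forwarded connection
WAN_REQ = "10:00:00.000001 IP 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0"
LAN_REQ = "10:00:00.000200 IP 198.51.100.7.51234 > 10.0.0.50.80: Flags [S], seq 1, win 65535, length 0"
LAN_RESP = "10:00:00.000400 IP 10.0.0.50.80 > 198.51.100.7.51234: Flags [S.], seq 9, ack 2, win 8192, length 0"
WAN_RESP = "10:00:00.000600 IP 203.0.113.10.80 > 198.51.100.7.51234: Flags [S.], seq 9, ack 2, win 8192, length 0"
```

    Paste the real tcpdump output in place of the sample strings and print VERDICTS[diagnose(wan, lan)] to get the same answer johnpoz's two tests give by eye.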


  • LAYER 8 Netgate

    Did you change the destination of the port forward to WAN?

    @Zero1:

    No because I am trying to route it to an internal IP.

    Did you do this?  Your config is wrong as originally posted.


  • LAYER 8 Global Moderator

    This is what derelict is saying - this is WRONG.

    See my example of forward to ntp



  • Even with the changes made, still nothing. I also enabled the NAT Reflection for 1:1 NAT for internal use.


  • LAYER 8 Global Moderator

    So you are trying to hit pfsense wan IP from a box on the lan side of pfsense - hoping to get redirected into your lan??

    Did you test to see if it's working from actually outside pfsense, and it's just nat reflection you're having an issue with?  Do you have an issue with the firewall on your IIS box?

    I suggest you try from the outside and validate the traffic actually gets there..



  • After some testing, I managed to get it to work externally not internally (my machine typing in the ip address in the url and nothing happened).

    What can I do to make it work locally on my machine when I type in the external IP?



  • Try editing the Port Forward and turning 'NAT reflection' to 'Enable (NAT + Proxy)'.



  • Yup that fixed it. But why would I need the +proxy setting and not the pure NAT?



  • NAT + Proxy is the old way of doing reflection using netcat. I use it simply because I'm familiar with doing it that way. Pure NAT is the new way and is more scalable. It should work if you also check 'Enable automatic outbound NAT for Reflection' under Advanced, Firewall.



  • Ok now that everything is working, I am curious in trying to setup something else with this but I am unaware as to how this would work.

    1 ADSL connection w/ 5 usable IP addresses - intent for customers to log in through our order entry and place orders. Other website functionality lies on those IP addresses (cisco 800 series router from ISP, multiple home routers connected to it)
    1 VDSL connection w/ 1 IP address - office traffic and main servers etc…, ISP modem which is also set up as the router for wifi (one machine and few handsets).

    Currently all machines run through the 10.0.0.x network (internal/VDSL) while some servers are multi-homed and also have 192-based IPs (ADSL connection) in order for customers to connect to us to use the same servers. My boss set everything up with home routers. Hopefully all that makes sense and I didn't forget any information.

    I want to eliminate the multi-homed situation with these home routers and make everything run better off 1 internal private network. How would I go about such a setup? How many NICs would I need for this or am I looking at a special setup for this?

    Do I need a managed switch on the other end of the router with a VLAN to handle the traffic?

    Much help appreciated.

