Quick clarification on Firewall to use NAT or Rules?



  • Hello, sorry for the silly question, however my notes show to port forward using pfSense > Firewall > NAT, as per How can I forward ports with pfSense.

    However, I remember some pfSense people saying to use pfSense > Firewall > Rules.
    I have problems with port forwarding and currently use pfSense > Firewall > NAT.



  • Using NAT to setup port forwarding simplifies the two step process and links them so that if you change the NAT settings, the corresponding firewall rule will be updated automatically.



  • Thank you for the reply.
    So I've set the port forwards in pfSense, however SSH still won't access my computer behind pfSense.

    Could another unknown IDS be blocking packets?
    Maybe I need to use a traffic analyser to test where the packets are being stopped?


  • If you post the rule we can see if you're maybe doing something incorrectly.



  • Good idea.
    Oops, attachments aren't working on pfSense?



  • @eiger3970:

    Hello, sorry for the silly question, however my notes show to port forward using pfSense > Firewall > NAT, as per How can I forward ports with pfSense.

    However, I remember some pfSense people saying to use pfSense > Firewall > Rules.
    I have problems with port forwarding and currently use pfSense > Firewall > NAT.

    When to use NAT: When you have a public IP that is translated to a private one. An IP of 1.1.1.1 getting translated to 192.168.1.1. Network Address Translation.

    When to use pure rules: When you have a public IP assigned to a host behind pfSense. pfSense needs to merely decide if it should forward a packet to a host that is "directly" reachable (meaning it doesn't need to do any translation to get to it; I know even NAT hosts are directly reachable from the router's POV).

    In both cases remember that you are viewing the rule with the remote client's POV. A source port of 80 doesn't necessarily mean port 80 will be forwarded to the webserver. In the remote client's POV, your source 80 is his destination 80.
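The two cases in the post above, written out as an added pf.conf-style example (constructed for illustration, not pfSense's own generated rule set or anyone's config from this thread); the interface name `em0`, the addresses and the SSH target host are assumptions.

```pf
# Constructed pf.conf-style fragment (added example, not pfSense's generated
# configuration). Addresses are documentation ranges chosen for illustration.
wan = "em0"
wan_ip = "203.0.113.5"      # assumed public address on the pfSense WAN

# Case 1: Firewall > NAT (port forward). The public WAN address is translated
# to a private host, so two pieces are needed: an rdr entry and a pass rule.
# Translation happens before filtering, so the pass rule must match the
# translated (private) destination; that is what the linked rule pfSense
# creates alongside a NAT entry does for you.
rdr on $wan inet proto tcp from any to $wan_ip port 22 -> 192.168.1.10 port 22
pass in on $wan inet proto tcp from any to 192.168.1.10 port 22

# Case 2: Firewall > Rules only. The host already holds a public address that
# is routed through pfSense, so nothing is translated and a pass rule alone
# decides whether the packet is forwarded.
pass in on $wan inet proto tcp from any to 203.0.113.20 port 22

# Common mistake, seen from the remote client's point of view: the client's
# SOURCE port is ephemeral, so a rule keyed on "source port 22" never matches
# an inbound SSH connection; port 22 belongs on the destination side.
# pass in on $wan inet proto tcp from any port 22 to 192.168.1.10   # wrong
```

When checking a forward that is not working, compare the destination of the pass rule with the translated address in the rdr line first; narrowing `from any` to a known management prefix is also worth doing for an SSH forward.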

