• I'm sure this has been asked before, but I'm having a hard time searching for the answer.  I have pfSense set up on my network and I'm registering DHCP static mappings in the DNS forwarder.  On my local network (using NAT), when I type in my domain name in a web browser (foo.org, www.foo.org), it points to my pfSense box instead of pointing to the 'NAT port forward' address.  So, for example…

    I type in "https://www.foo.org" in my URL bar.  It should get sent to but instead gets sent to

    In my NAT forwarding, I have...

    IF: WAN
    Proto: TCP
    Src addr: *
    Src ports: *
    Dest addr: WAN Address
    Dest ports: 443 (HTTPS)
    Nat IP:
    Nat Ports: 443 (HTTPS)

    Does anybody know how I can redirect www.foo.org to instead of  Thanks!

  • Update: Turns out you have to enable "NAT Reflection".  I ended up doing Pure NAT instead of split DNS because I have just one domain name and do port forwarding.  I'm not sure if I could do that with split DNS.

    I followed the instructions here to do this.


    After configuring it for NAT Reflection, it works exactly as I wanted it to.

  • LAYER 8 Global Moderator

    To be honest, it's much easier to just create a host override in the pfSense DNS to point www.foo.org to

    NAT reflection for 1 is a hairpin, which is not good performance-wise ;)

  • Thanks for the information.  I read exactly what you said in the manual, so I get the feeling that I'm not doing something right, but here's the problem…  I route ports to different IPs.  For example:

    tcp/22 ->
    tcp/443 ->
    tcp/5001 ->
    tcp/10000 ->

    So, if I say "www.foo.org", how do I make tcp/22 go to .3 and tcp/443 go to .15 when I tell pfSense that all of *.foo.org goes to

  • LAYER 8 Global Moderator

    You don't.  But that is not a normal configuration.

    I would do it this way, since if you're sending 22 to .3, that is not really www.foo.org now, is it ;)  So ssh.foo.org would be better, or ssh.www.foo.org if you wanted.  I have to assume you're sending both HTTP and HTTPS to .15, so www.foo.org pointing to .15 works for both of those.  And 10k.foo.org for port 10000 pointing to .19.

    You have 4 different IPs there; they are not all www.foo.org.  The other way you could do it, other than NAT reflection, is an actual forward on your LAN side that says if going to IP (www.foo.org) on port 22, really send it to .3; same for your 10k port.
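    Added example (not from the thread and not pfSense's own generated configuration): the two approaches the moderator describes, written out as raw dnsmasq and pf.conf fragments so the difference is visible. The DNS forwarder in pfSense is dnsmasq, and its "Host Overrides" correspond to `host-record` entries; the LAN-side forward corresponds to pf `rdr` rules. The interface name `em1`, the `192.168.1.0/24` LAN prefix and the WAN address `203.0.113.10` are constructed placeholders; the thread only gives the host suffixes .3, .15 and .19, and it never says which host tcp/5001 goes to, so that port is left out.

```conf
# --- Approach 1: split DNS via host overrides (dnsmasq syntax) ---
# One name per service, each answering with the internal host that
# actually runs it. LAN clients connect directly to the internal
# address, so no port forward and no hairpin is involved.
# (192.168.1.x prefix is an assumed placeholder; the thread gives only .3/.15/.19)
host-record=www.foo.org,192.168.1.15
host-record=ssh.foo.org,192.168.1.3
host-record=10k.foo.org,192.168.1.19

# --- Approach 2: LAN-side redirect keyed on (WAN address, port) (pf syntax) ---
# For clients that still resolve www.foo.org to the public address.
lan_if  = "em1"              # assumed LAN interface name
lan_net = "192.168.1.0/24"   # assumed LAN prefix
wan_ip  = "203.0.113.10"     # assumed public address (documentation range)

# Destination rewrite: same public IP, different internal host per port.
rdr on $lan_if proto tcp from $lan_net to $wan_ip port 22    -> 192.168.1.3  port 22
rdr on $lan_if proto tcp from $lan_net to $wan_ip port 443   -> 192.168.1.15 port 443
rdr on $lan_if proto tcp from $lan_net to $wan_ip port 10000 -> 192.168.1.19 port 10000

# Hairpin half. The redirected packet leaves through the same LAN
# interface it arrived on, so the internal host would answer the
# client directly and the reply would never match the firewall's
# state entry. Source-NAT the redirected flows to the LAN interface
# address so replies come back through pfSense. This is the hairpin
# the moderator is referring to, and it is what approach 1 avoids.
nat on $lan_if proto tcp from $lan_net to 192.168.1.3  port 22    -> ($lan_if)
nat on $lan_if proto tcp from $lan_net to 192.168.1.15 port 443   -> ($lan_if)
nat on $lan_if proto tcp from $lan_net to 192.168.1.19 port 10000 -> ($lan_if)
```

    With approach 1 the firewall is not in the path at all for LAN-to-LAN traffic, which is why the moderator prefers it; with approach 2 every internal connection to a "public" name costs two translations and a state entry on pfSense, and the source NAT also hides the real client address from the internal server's logs, which matters if you rely on those logs for detection.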