NAT back through WAN

  • I'm fairly well versed in how to use PFSense, but I'm no network guru. Here's my scenario…

    I'm using PFSense as a firewall between my home network and a virtual network that I have running on a VMWare server in my home.
    PFSense has two virtual NICs, one that binds to the physical network card on my VMWare host server, and the other a virtual LAN interface.
    I have configured NAT rules that allow port forwarding from my home network to my virtual servers - all is good.
    I have configured my home network router's DMZ host to the PFSense server on my virtual LAN.
    I have additional rules that port forward incoming traffic to the PFSense server (destination) and NAT to local virtual servers, so I can access my virtual servers from across the Internet.

    I am now trying to expose a physical device that lives on my home network, via PFSense. Effectively, I want incoming Internet traffic to continue going to the DMZ PFSense server, and have PFSense NAT the incoming traffic on a designated port to the physical hardware on my home network, instead of the virtual LAN. Effectively, I am trying to NAT incoming WAN traffic back out to the same WAN interface to reach traffic on my home network.

    Summary of IPs:

    Home LAN:
    Home Router:
    Home DHCP:
    Home Router DMZ Host:

    VMWare Host:
    VMWare Internal LAN:

    PFSense External NIC Address:
    PFSense Internal NIC Address:

    Physical Device on my home LAN:

    So, in short, I am trying to NAT incoming WAN traffic (via DMZ) to, which is on the same subnet as the WAN NIC.

    BTW, my router does not allow multiple DMZ hosts and the port forwarding on my router is not as flexible as PFSense, which is why I'm not port forwarding on my edge router.

    Can anyone point me in the right direction?



    P.S. Those IP addresses are not the real ones I use (for security).

  • I'm not an expert but I think this should work. However, I don't think you'll be able to route all traffic because then you won't be able to route other traffic to your VMs.

    I believe you'll simply need to be specific in your NAT rule to specify which ports you want NATed (ie. And make sure you add the firewall rule as well.

  • LAYER 8 Netgate

    I don't think this will work.

    You need to do this port forward in your ISP router.

    A specific port forward should take precedence over the "DMZ" host setting. This is generally how it works.

    So put a port forward in your ISP router for WAN:443 to and everything else should go to the "DMZ."

    If your ISP router is no good, put it in bridge mode and let pfSense get the public IP address.
