Forwarding ports on pfSense is a fairly simple process. When adding a port forward, you must also add a firewall rule to allow traffic in to the internal IP address designated by the port forward. There is an option to automatically add this rule when creating a port forward definition.
- Go to the Firewall menu, select NAT, then click on the Port Forward tab.
- Click on the + icon at the top or bottom of the screen.
- Choose the Interface for the port forward (likely WAN) and if needed, pick a virtual IP address from the External Address drop-down.
- Enter your forwarded port in the External Port range box(es)
- Enter the internal IP address you'd like to send that port to in the NAT IP box.
- Fill in a local port if it differs from the external port.
- Check the Auto-add a firewall rule checkbox
- Click Save which will return you to the Port Forward NAT screen, showing you all the NAT entries.
- Finally, click Apply Changes - wait a few seconds and test.
Port forwarding in 2.0 has been extended to allow for much more flexible and powerful configurations, but users not accustomed to firewalls allowing advanced NAT capabilities may find it confusing initially.
This section describes each of the fields on the port forward edit screen.
- Disabled - this allows you to disable the port forward entry without removing it from the configuration.
- No RDR - this setting negates redirection for traffic matching what is specified here. For advanced configurations, usually should be unchecked.
- Interface - this is the interface where the traffic is originated, usually WAN
- Protocol - the protocol of the traffic to be forwarded.
- Source - this allows you to match a specific original source of the traffic, and is hidden behind an Advanced button as in most cases it should be "any", allowing all Internet hosts through. The source port range when using TCP and/or UDP, and will almost always be "any". The source port is not the same as the destination port, and is normally a random port between 1024-65535.
- Destination - this specifies the original destination IP of the traffic, as seen before being translated, and will usually be "WAN address".
- Destination port range - this specifies the original destination port of the traffic, it is the outside port or ports you wish to forward.
- Redirect target IP - this is the internal IP where this traffic will be forwarded.
- Redirect target port - this is the internal port where this traffic will be forwarded, and is usually the same as the external port as defined in Destination port range.
- Description - enter a description for your reference.
- No XMLRPC Sync - this prevents the entry from syncing to other CARP members
- NAT reflection - this allows you to enable or disable NAT reflection on a per-port forward basis.
- Filter rule association - this allows you to add an associated filter rule, which gets updated when the port forward is updated, or add an unassociated filter rule (the behavior of 1.2.3), or "pass" which passes all traffic that matches the entry without having a firewall rule at all.
To explain how this screen's functionality translates into English: Take traffic entering the chosen interface, using the specified protocol, initiated from the specified source, destined to the specified destination, and redirect it to the specified target IP and port.
See also: Port Forward Troubleshooting