pfSense port forwarding is needed whenever we need to expose a LAN service (an internal network service) to the Internet. On some devices this is also referred to as a Virtual Server.

Pfsense NAT and Port Forwarding

NAT is short for Network Address Translation. In NAT, a LAN IP address (for eg, is mapped with the ISP-provided public IP address, and a random local port is mapped with the corresponding external port. As a result, traffic from all local devices appears to originate from the public IP address.

NAT is very common. For example, NAT is used by our ISP-provided device whenever we browse something over the Internet, such as YouTube or any other Internet service.

On the other hand, port forwarding maps a fixed local IP address and a local port to the ISP-provided public IP address and a corresponding port; in other words, the internal IP address and internal port are mapped to an external public IP address and external port. In short, port forwarding allows incoming Internet traffic to reach our internal private network through a designated external port and public IP address, which are mapped to an internal port and an internal IP address.

As a rule of thumb, port forwarding is configured on the device that holds the public static IP address. It can be an ISP-provided device or pfSense.

Having Problems? Here is more for further assistance.

Port Forwarding Remote Desktop (MS RDP)

In a freshly installed pfSense, inbound traffic is blocked by default, which means that an outside host cannot access any service running on the internal network.

To enable remote access to a Microsoft Windows machine on the local network, we need to port forward RDP (Remote Desktop Protocol) port 3389 in pfSense. To enable port forwarding, go to Firewall > NAT > Port Forward and select the Add button with the up arrow. The page opens with some default values, and we just need to change the following settings:

Interface: Select the WAN interface.

Protocol: TCP (MS RDP protocol uses port type TCP).

Source: Any.

Destination: Select the WAN address from the list.

Destination Port Range: Choose MS RDP from the List (which is TCP 3389)

Redirect Target IP: Local IP of the Windows machine.

Redirect Target Port: This must be MS RDP chosen from the list.

Description: Enter a good logical description.

Configuration screenshot:

Next, click the Save button and apply the changes.

To test the configuration, browse to and enter port 3389. The public IP address is already picked, so just click the Check port button; the result should be a success. In that case, open the Remote Desktop Connection app on a machine at a different location and type just the public IP address. The app uses port 3389 by default, so there is no need to specify it.

If the port is still not exposed then it will show an error as shown in the screenshot.


I hope this explanation makes sense to you.

OpenVPN Server Behind NAT

It's a common case: the public IP address is configured on the ISP modem and the pfSense WAN interface is configured with a private-range IP address, say,

In this case, setting up an OpenVPN server on pfSense requires port forwarding on the ISP modem, which some ISP modems call a Virtual Server. The configuration is done on the ISP modem: we need to expose the OpenVPN server port on our ISP modem or router.

Let us consider that the OpenVPN server is configured to use port 65001 and the pfSense WAN IP address is, this IP address is provided by the ISP device through DHCP.

In this case, we need to port forward port 65001 on the ISP device. Commonly this is done in the advanced section of the ISP device, specifically in the Port Forwarding or Virtual Server section.

There is an internal and an external range of ports. Normally both the internal and external ranges are set to port 65001, and the pfSense WAN IP address is entered as the IP address.

Here is an example of port forwarding in pfSense. Although the WAN interface has the public static IP address, port forwarding is used for added security. This is also valid if there are multiple services/ports to expose while the ISP has provided just one public IP address.

In order to check whether our configuration is a success, browse the following URL: Just enter port 65001, while your WAN address is already registered. After selecting the Check port button, if it's a success then port forwarding is working properly on your ISP device. If not, then either you have misconfigured port forwarding or your ISP is using CGNAT (Carrier-Grade NAT). If it's CGNAT then it's the worst-case scenario and port forwarding will not work at all.
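A failed check caused by CGNAT can be told apart from a misconfigured forward by comparing WAN addresses hop by hop. The following is an added example, not part of the original article: the device names and addresses are constructed, and it goes beyond the text by using the RFC 6598 shared range 100.64.0.0/10 that carriers hand out behind CGNAT.

```python
import ipaddress

CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label one WAN address as 'cgnat', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_SPACE:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def forwarding_plan(devices, observed_public, port):
    """Work out where a port has to be forwarded, or why it cannot be.

    devices: (name, WAN address) pairs, pfSense first, then every device
             upstream of it that you can configure (e.g. the ISP modem).
    observed_public: the address an outside host sees for this connection.
    Returns (works, steps).
    """
    outer_name, outer_wan = devices[-1]
    if ipaddress.ip_address(outer_wan) != ipaddress.ip_address(observed_public):
        # The outermost device you control does not hold the public address,
        # so another NAT sits upstream where no forward can be configured.
        return False, [f"{outer_name} WAN {outer_wan} is {classify(outer_wan)}, "
                       f"not the public address {observed_public}: "
                       f"NAT upstream of your devices (CGNAT)"]
    steps = []
    # Walk inward: each device forwards to the WAN address of the next one in.
    for (name, _), (inner, inner_wan) in zip(devices[:0:-1], devices[-2::-1]):
        steps.append(f"on {name}: forward port {port} to {inner} WAN {inner_wan}")
    steps.append(f"on {devices[0][0]}: pass port {port} on WAN "
                 f"(or port forward it to the LAN host)")
    return True, steps
```

The observed public address is whatever the external port-check page reports for your connection; the WAN addresses are read from each device's status page.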


HTTP Web Server Port Forwarding

If you have a basic understanding of how port forwarding works in pfSense, then enabling it for an HTTP web server that resides on your local network should be a piece of cake.

To start, choose Firewall and then NAT from the top menu, and on the Port Forward tab choose Add. Then add the following configuration as shown below:

pfSense example configuration for reverse NAT port forwarding an HTTP web server.
  • Interface: As my WAN interface.
  • Protocol: TCP (HTTP protocol uses port type TCP).
  • Source: Leave it at the default setting, which is type Any.
  • Destination: Choose the WAN IP/address of your WAN interface.
  • Destination Port Range: Choose HTTP from the List (which is 80 by default, but you may choose a custom port here).
  • Redirect Target IP: This is the IP of your local desktop or PC for which you want to enable port forwarding.
  • Redirect Target Port: This must be HTTP chosen from the list.
  • Description: Enter a good logical Description.
  • Filter rule association: Let it be at its default.
  • Click Save Button.

After this, apply the changes and your new rule is ready.

Now it's time to verify and test your newly created rule. For this, open the following website in your browser and enter your HTTP port 80, while it picks up your WAN address automatically, and then click Check port.

If your configuration is a success, it will show that it can see you from outside; otherwise it will generate an error.
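Both forwards configured on this page (RDP above and HTTP here) use Source: Any, which for RDP leaves the Windows logon reachable from every Internet host; the Source field is where that is narrowed. The following added example, not part of the original article, audits the port forwards in a pfSense config.xml backup. It assumes the `<nat><rule>` layout of such a backup and single ports rather than ranges or aliases; the sample rules and addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <nat> part of a config.xml backup with the two forwards
# from this page plus one restricted rule. Addresses and descriptions are made up.
SAMPLE_CONFIG = """<pfsense><nat>
  <rule>
    <source><any/></source>
    <destination><network>wanip</network><port>3389</port></destination>
    <protocol>tcp</protocol><interface>wan</interface>
    <target>192.168.1.50</target><local-port>3389</local-port>
    <descr>RDP to Windows machine</descr>
  </rule>
  <rule>
    <source><any/></source>
    <destination><network>wanip</network><port>80</port></destination>
    <protocol>tcp</protocol><interface>wan</interface>
    <target>192.168.1.60</target><local-port>80</local-port>
    <descr>HTTP web server</descr>
  </rule>
  <rule>
    <source><address>203.0.113.7</address></source>
    <destination><network>wanip</network><port>22</port></destination>
    <protocol>tcp</protocol><interface>wan</interface>
    <target>192.168.1.70</target><local-port>22</local-port>
    <descr>SSH from office only</descr>
  </rule>
</nat></pfsense>"""

# Remote-administration ports that should not be forwarded with Source: Any.
ADMIN_PORTS = {"22": "SSH", "3389": "MS RDP", "5900": "VNC"}

def audit_port_forwards(config_xml):
    """Return (description, port, target, verdict) for each enabled WAN forward."""
    findings = []
    for rule in ET.fromstring(config_xml).findall("./nat/rule"):
        if rule.findtext("interface") != "wan" or rule.find("disabled") is not None:
            continue
        port = rule.findtext("destination/port", default="")
        any_source = rule.find("source/any") is not None
        service = ADMIN_PORTS.get(port)
        if any_source and service:
            verdict = f"RESTRICT: {service} reachable from any Internet host"
        elif any_source:
            verdict = "REVIEW: open to any source"
        else:
            verdict = "OK: source restricted"
        findings.append((rule.findtext("descr", default=""), port,
                         rule.findtext("target", default=""), verdict))
    return findings
```

A RESTRICT finding is resolved by setting the rule's Source to the specific remote addresses that need access, or by reaching the service over the OpenVPN server instead of a forward.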
