How to Configure Port Forwarding in Pfsense, The Common Used Cases.
Pfsense port forwarding is needed to expose a LAN service (Internal Network Service) to the Internet, in some devices this is also referred to as a Virtual server.
Pfsense NAT and Port Forwarding
NAT is short for Network Address Translation, a common used case of NAT is internet browsing, in this case, a LAN IP address (for eg, 192.168.1.200) is mapped with the ISP-provided Public IP address, alongside, a local random port is also mapped with the corresponding external port.
On the other hand, port forwarding maps a fixed local IP address, and a fixed local port with an ISP-provided public IP address and the fixed external port, this exposes our internal local IP address and the Port on the Internet, thus any service running on this local IP Address will be exposed to the internet. Now to access the service from the internet the remote user uses our Public IP Address with already designated Public Port.
As a rule of thumb, Port forwarding is configured on the device that holds the public static IP address, it can be an ISP-provided device or Pfsense.
Here is more if port forwarding not working.
Port Forwarding Remote Desktop (MS RDP) On The Pfsense
For this tutorial, A Public IP address should be configured on your pfSense WAN interface.
In a freshly installed pfsense, by default, the inbound traffic is blocked, which means that an outside host cannot access any running service on the internal network.
To enable remote access for a windows machine running in our private network, we need to port forward Microsoft RDP (Remote Desktop Protocol) port 3389 in our pfsense. To enable move to Firewall–>NAT–>Port Forward–> Select the Add button with the up arrow. The page opens with some default values, and we just need to change the following settings:
- Interface: Select Wan interface (With Public IP).
- Protocol: TCP (MS RDP protocol uses port type TCP).
- Source: Any.
- Destination: Select the WAN address from the list.
- Destination Port Range: Choose MS RDP from the List (which is TCP 3389)
- Redirect Target IP: Local IP for windows machine.
- Redirect Target Port: This must be MS RDP chosen from the list.
- Description: Enter a good logical description.
Configuration screenshot:
Next, click the save button and apply changes.
To test the configuration, browse to canyouseeme.org and enter Port 3389, just click the Check port button, and the result should be a success.
If the port is still not exposed then it will show an error as shown in the screenshot.
Here is more if port forwarding not working.
If it’s a success then open the Remote Desktop Connection app on a remote machine, just use the Public IP address, the app uses 3389 port by default, so no need to mention it.
I hope you fine the explanation useful.
Port forwarding OpenVPN Server On The ISP Modem/Device
It’s a common case, the public IP Address is configured on the ISP modem and the pfSense WAN interface is configured with a private range IP Address, say, 192.168.1.200/24.
To expose an OpenVPN server which is set up on pfsense will require port forwarding on the ISP modem. The port forwarding is also referred to as a Virtual Server in some ISP modems. In this case, the configuration is done on the ISP modem, we need to expose the OpenVPN server port on our ISP modem or router, and normally, no configuration is needed on the pfsense.
let us consider that the OpenVPN server is configured to use the default port 1143 and also uses the pfsense wan interface for incoming traffic, the pfsense WAN IP address is 192.168.1.200/24, and this local IP Address is provided by the ISP modem/device through DHCP/Static. This used case is also referred to as, Accessing OpenVPN Server behind NAT.
For this case, we need to port forward the 1143 port on the ISP device. In common scenarios, this is done in the advance section of the ISP device, specifically in the Port Forwarding or Virtual Server section, also there is an internal and external range of ports, normally both internal and external ranges are set to use port 1143, and for the IP address, the pfsense WAN IP address 192.168.1.200/24 is entered.
Port forwarding OpenVPN Server On The pfSense
Here is an example of port forwarding on the pfSense which uses Public IP address on its WAN interface:
Move to Firewall–>NAT–>Port Forward–> Select the Add button with the up arrow. The page opens with some default values, and we just need to change the following settings:
- Interface: Select Wan interface (With Public IP Address).
- Protocol: UDP
- Source: Any.
- Destination: Select the WAN address from the list, carrying Public IP address.
- Destination Port Range: Choose Other from the List and then enter 1143 in start and end common fields.
- Redirect Target IP: Type: Single Host, Address: 192.168.1.200.
- Redirect Target Port: Type: Other, Custom:1143.
- Description: Enter a good logical description.
Although the WAN interface has the Public Static IP Address yet for added security port forwarding is used, this is also valid if there are multiple services/ports to expose while the ISP has provided just one Public IP Address.
In order to check whether our configuration is a success, browse the following URL:https://canyouseeme.org/. Just enter port 1143 while your WAN address is already registered, After selecting the Check port button, If its a success then the port forwarding is working properly on your ISP device, if not, then either you have misconfigured port forwarding or your ISP is using CG NAT (Consumer Grade NAT), If it’s a CGNAT then its a worst case scenario and port forwarding will not work at all.
Here is more if port forwarding not working.
Port Forwarding HTTP Web Server On the Pfsense
If you have a basic understanding that how port forwarding works in pfsense then enabling it for an HTTP web server that resides on your local network should be a piece of cake.
To start, move to Firewall–>NAT–>Port Forward–> Select the Add button with the up arrow. The page opens with some default values, and we just need to change the following settings:
- Interface: Wan Interface.
- Protocol: TCP (HTTP protocol uses port type TCP).
- Source: Let it be set at default settings which is type Any.
- Destination: You will choose WAN IP/Address for your Wan Interface.
- Destination Port Range: Choose HTTP from the List (which is 80 by default, but you may choose a custom port here).
- Redirect Target IP: This is the IP of your local desktop or PC/Server for which you want to enable port forwarding.
- Redirect Target Port: This must be HTTP chosen from the list.
- Description: Enter a good logical Description.
- Filter rule association: Let it be at its default.
- Click Save Button.
After this Apply changes and your new rule is ready.
Now it’s time to verify and test your newly created rule, for this open the following website in your browser canyouseeme.org and enters your HTTP Port 80 while it picks up your wan address automatically, and then click Check port.
If your configuration is a success then it will show you that it can see you from outside else it will generate an error.
Having Problems? Here is more for further assistance.
