Port Forwards | pfSense Documentation (2024)

Port forwards allow access to a specific port, port range or protocol on a privately addressed internal network device. The name “port forward” was chosen because it is what most people understand in this context, and it was renamed from the more technically appropriate “Inbound NAT” to be more user-friendly. Similar functionality is also called “Destination NAT” in other products. However, “Port Forward” is a misnomer, as port forward rules can redirect entire protocols such as GRE or ESP in addition to TCP and UDP ports, and it can be used for various types of traffic redirection as well as traditional port forwards. This is most commonly used when hosting servers, or using applications that require inbound connections from the Internet.

See also

Hangouts Archive to view the May 2016 hangout for NAT on pfSense software version 2.3, the June 2016 hangout on Connectivity Troubleshooting, and the December 2013 hangout on Port Forward Troubleshooting, among others.

Risks of Port Forwarding

In a default configuration, pfSense® software does not allow any traffic initiated from hosts on the Internet. This provides protection from anyone scanning the Internet looking for systems to attack. When a port forward rule exists, the firewall will allow any traffic matching corresponding firewall rules. The firewall does not know the difference between a packet with a malicious payload and one that is benign. If the connection matches the firewall rule, it is allowed. Host based controls must be used by the target system to secure any services allowed through the firewall.

Port Forwarding and Local Services

Port forwards take precedence over services running locally on the firewall, such as the web interface, and SSH. For example, this means if remote web interface access is allowed from the WAN using HTTPS on TCP port 443, a port forward on WAN for TCP 443 will take precedence and the web interface will no longer be accessible from WAN. This does not affect access on other interfaces, only the interface containing the port forward.

Port Forwarding and 1:1 NAT

Port forwards also take precedence over 1:1 NAT. If a port forward is defined on one external IP address forwarding a port to a host, and a 1:1 NAT entry is also defined on the same external IP address forwarding everything into a different host, then the port forward remains active and continues forwarding to the original host.

Port Forward Settings

When creating or editing a port forward entry, the following settings are available:

Disable:

A checkbox to optionally Disable this NAT port forward. To deactivate the rule, check this box.

No RDR (NOT):

Negates the meaning of this port forward, indicating that no redirection should be performed if this rule is matched. Most configurations will not use this field. This would be used to override a forwarding action, which may be needed in some cases to allow access to a service on the firewall on an IP address being used for 1:1 NAT, or another similar advanced scenario.

Interface:

The interface where the port forward will be active. In most cases this will be WAN. For additional WAN links or local redirects this may be a different interface. The Interface is the location on the firewall where traffic for this port forward enters.

Address Family:

The address family for the IP address on which this port will be forwarded, either IPv4 or IPv6.

When an interface contains addresses of both families, the appropriate address will be used. Additionally, when selecting an interface it must have an address which matches this type. When selecting a specific IP address, the address family must match the selected address.

Protocol:

The Protocol of the incoming traffic to match. This must be set to match the type of service being forwarded, whether it is TCP, UDP, or another available choice.

Most common services are TCP or UDP, but consult the documentation for the service or even a quick web search to confirm the answer. The TCP/UDP option forwards both TCP and UDP together in a single rule.

Source:

These options are hidden behind an Advanced button by default, and set to any source. The Source options restrict which source IP addresses and ports can access this port forward entry. These are not typically necessary.

If the port forward must be reachable from any location on the Internet, the source must be any. For restricted access services, use an alias here so only a limited set of IP addresses may access the port forward.

Unless the service absolutely requires a specific source port, the Source Port Range must be left as any since nearly all clients will use randomized source ports.

Destination:

The IP address where the traffic to be forwarded is initially destined. For port forwards on WAN, in most cases this is WAN Address. Where multiple public IP addresses are available, it may be a Virtual IP (see Virtual IP Addresses) on WAN.

If Invert Match is checked, the port forward will match any packet which does not match the specified destination instead.

Destination port range:

The original destination port of the traffic, as it is coming in from the Internet, before it is redirected to the specified target host.

Note

If forwarding a single port, enter it in the From port box and leave the To port box blank.

A list of common services is available to choose from in the drop down boxes in this group. Port aliases may also be used here to forward a set of services. If an alias is used here, the same alias must be used as the Redirect target port.

Redirect target IP:

The IP address where traffic will be forwarded, or technically redirected. When using an IPv6 target, it must be of the same scope as the destination.

Note

When using an alias as a value for this field, it should only contain a single IP address. Using multiple addresses will result in traffic being redirected to the target hosts in a round-robin fashion, but it is not ideally suited to that task. If one of the target hosts is down, traffic will still be forwarded to the unreachable target.

For situations requiring forwarding to multiple hosts, such as load balancing or failover scenarios, use the HAProxy package.

Redirect target port:

Where the forwarded port range will begin. If a range of ports is forwarded, e.g. 19000-19100, only the local starting point is specified since the number of ports must match up one-to-one.

This field allows opening a different port on the outside than the host on the inside is listening on. For example external port 8888 may forward to local port 80 for HTTP on an internal server. A list of common services is available to pick from in the drop down box.

Port aliases may also be used here to forward a set of services. If an alias is used here, the same alias must be used as the Destination port range.

Description:

As in other parts of pfSense, this field is available for a short sentence about what the port forward does or why it exists.

No XML-RPC Sync:

This option is only relevant if an HA Cluster configuration is in use, and should be skipped otherwise. When using an HA cluster with configuration synchronization, checking this box will prevent the rule from being synchronized to the other members of a cluster (see High Availability). Typically all rules should synchronize, however. This option is only effective on master nodes; it does not prevent a rule from being overwritten on slave nodes.

NAT Reflection:

This topic is covered in more detail later in this chapter (NAT Reflection). This option allows reflection to be enabled or disabled on a per-rule basis to override the global default. The options in this field are explained in more detail in NAT Reflection.

Filter Rule Association:

This final option is very important. A port forward entry only defines which traffic will be redirected; a firewall rule is required to pass any traffic through that redirection. By default, Add associated filter rule is selected. The available choices are:

None:

If this is chosen, no firewall rule will be created.

Add associated filter rule:

This option creates a firewall rule that is linked to this NAT port forward rule. Changes made to the NAT rule are updated in the firewall rule automatically. If this option is chosen, after the rule is saved a link is placed here which leads to the associated firewall rule.

This is the default behavior and the best choice for most use cases.

Add unassociated filter rule:

This option creates a firewall rule that is separate from this NAT port forward. Changes made to the NAT rule must be manually changed in the firewall rule. This can be useful if other options or restrictions must be set on the firewall rule rather than the NAT rule.

Pass:

This choice uses a special pf keyword on the NAT port forward rule that causes traffic to be passed through without the need of a firewall rule. Because no separate firewall rule exists, any traffic matching this rule is forwarded in to the target system.

Note

Rules using Pass will only work on the interface containing the default gateway for the firewall, they do not work with Multi-WAN.

Adding Port Forwards

Port Forwards are managed at Firewall > NAT, on the Port Forward tab. The rules on this screen are managed in the same manner as firewall rules (see Introduction to the Firewall Rules screen).

To add a port forward entry:

  • Navigate to Firewall > NAT, Port Forward tab

  • Click the Add button to reach the Port Forward editing screen

  • Enter the options for the port forward as described in Port Forward Settings

  • Click Save

  • Click Apply Changes

Figure Port Forward Example contains an example of the port forward editing screen filled in with the proper settings to forward HTTP (port 80) inbound on WAN destined to the WAN IP address to the internal system at 10.3.0.15.

[Figure: Port Forward Example]

After clicking Save, the port forward list is displayed again, and the newly created entry will be present in the list, as in Figure Port Forward List.

[Figure: Port Forward List]

Double check the firewall rule, as seen under Firewall > Rules on the tab for the interface upon which the port forward was created. The rule will show that traffic is allowed into the internal IP address on the proper port, as shown in Figure Port Forward Firewall Rule.

[Figure: Port Forward Firewall Rule]

The Source of the automatically generated rule should be restricted where possible. For things such as mail and web servers that typically need to be widely accessible, this isn’t practical, but for remote management services such as SSH, RDP and others, there are likely only a small number of hosts that should be able to connect using those protocols into a server from across the Internet. A much more secure practice is to create an alias of authorized hosts, and then change the source from any to the alias. Otherwise, the server is wide open to the entire Internet. Test the port forward first with the unrestricted source, and after verifying it works, restrict the source as desired.

If everything looks right, the port forward will work when tested from outside the network. If something went wrong, see Troubleshooting NAT Port Forwards later in this chapter.

Tracking Changes to Port Forwards

As mentioned in Figure Firewall Rule Time Stamps for firewall rules, a timestamp is added to a port forward entry when it is created or last edited, to show which user created the rule, and the last person to edit the rule. Firewall rules automatically created by associated NAT rules are also marked as such on the associated firewall rule’s creation timestamp.

Port Forward Limitations

A single port can only be forwarded to one internal host for each available public IP address. For instance, if only one public IP address is available, one internal web server that uses TCP port 80 to serve web traffic can be configured. Any additional servers must use alternate ports such as 8080. If five available public IP addresses are configured as Virtual IP addresses, then five internal web servers using port 80 can be configured. See Virtual IP Addresses for more about Virtual IP addresses.

Tip

For services such as HTTP and HTTPS, port sharing may be possible by using the HAProxy package. If the requests can be distinguished in some way, such as by different request hostnames, a proxy can make more advanced decisions about how to forward requests to internal hosts.

There is one uncommon but sometimes applicable exception to this rule. If a particular port must be forwarded to a specific internal host only for certain source IP addresses, and that same port can be forwarded to a different host for other source IP addresses, that is possible by specifying the source address in the port forward entries, such as in Figure Port Forward Example with Different Sources.

[Figure: Port Forward Example with Different Sources]

In order for port forwards on WAN addresses to be accessible by using their respective WAN IP address from internal-facing interfaces, NAT reflection must be enabled, which is described in NAT Reflection. Always test port forwards from a system on a different Internet connection, and not from inside the network. Testing from a mobile device on 3G/4G is a quick and easy way to confirm external connectivity.
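The matching behaviour described in this chapter (one-to-one mapping of a forwarded range from the Redirect target port, the single-host-per-port limitation and its different-sources exception, and the default of not forwarding anything that no rule matches) can be modelled in a few lines. The following Python is an added illustration, not pfSense's own code; the interface name, RFC 5737 addresses and rule set are constructed, and a CIDR stands in for a source alias.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class PortForward:
    """One Port Forward entry, reduced to the fields that decide a match."""
    interface: str          # Interface where the traffic enters, e.g. "wan"
    proto: str              # "tcp", "udp" or "tcp/udp"
    destination: str        # Destination: the public IP the packet was sent to
    dst_from: int           # Destination port range, From port
    dst_to: Optional[int]   # Destination port range, To port (None = single port)
    target_ip: str          # Redirect target IP
    target_port: int        # Redirect target port (start of the range)
    source: str = "any"     # "any", or a CIDR standing in for an alias of hosts
    disabled: bool = False  # The Disable checkbox

    def matches(self, iface: str, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if self.disabled or iface != self.interface or dst_ip != self.destination:
            return False
        if self.proto != "tcp/udp" and self.proto != proto:
            return False
        if self.source != "any" and ip_address(src_ip) not in ip_network(self.source):
            return False
        last = self.dst_from if self.dst_to is None else self.dst_to
        return self.dst_from <= dst_port <= last


def resolve(rules: List[PortForward], iface: str, proto: str,
            src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (target_ip, target_port) from the first matching rule, or None when
    nothing matches. A range maps one-to-one starting at the redirect target port."""
    for rule in rules:
        if rule.matches(iface, proto, src_ip, dst_ip, dst_port):
            return rule.target_ip, rule.target_port + (dst_port - rule.dst_from)
    return None


# Constructed sample rule set (RFC 5737 documentation addresses);
# 203.0.113.5 stands in for "WAN address".
RULES = [
    # External TCP 8888 forwarded to HTTP on port 80 of an internal server
    PortForward("wan", "tcp", "203.0.113.5", 8888, None, "10.3.0.15", 80),
    # UDP 19000-19100 forwarded one-to-one; only the local starting port is given
    PortForward("wan", "udp", "203.0.113.5", 19000, 19100, "10.3.0.20", 19000),
    # Same public port to two different hosts, distinguished only by source
    PortForward("wan", "tcp", "203.0.113.5", 22, None, "10.3.0.30", 22, source="198.51.100.0/24"),
    PortForward("wan", "tcp", "203.0.113.5", 22, None, "10.3.0.31", 22, source="192.0.2.0/24"),
]
```

A source outside both aliases asking for port 22 gets None from `resolve`, which is the default-deny behaviour the Risks section describes.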

Service Self-Configuration With UPnP or NAT-PMP

Some programs support Universal Plug-and-Play (UPnP) or NAT Port Mapping Protocol (NAT-PMP) to automatically configure NAT port forwards and firewall rules. Even more security concerns apply there, but in home use the benefits often outweigh any potential concerns. See for more information on configuring and using UPnP and NAT-PMP.

Traffic Redirection with Port Forwards

Another use of port forwards is for transparently redirecting traffic from an internal network. Port forwards specifying the LAN interface or another internal interface will redirect traffic matching the forward to the specified destination. This is most commonly used for redirecting all outbound DNS to one server.

See also

Redirecting Client DNS Requests
