There's more...

It should be noted that NAT port forwarding rules and firewall rules are two separate entities. NAT port forwarding forwards traffic, while firewall rules allow or deny traffic. Just because a port forwarding rule exists to forward traffic does not mean that the firewall rule will allow the traffic. If we want to allow traffic, we must create a corresponding firewall rule. Fortunately, pfSense makes life easier for us with the Filter rule association drop-down menu in NAT port forwarding. The default setting for this parameter is Add associated filter rule. Invoking this option does two things:

  • It will automatically create a firewall rule to allow the traffic (in our case, it will create a WAN interface rule allowing traffic to pass on port 22).
  • Because it is an associated filter rule, if we edit the port forwarding rule, pfSense will automatically update the corresponding firewall rule. For example, if we change the destination port range to a different port, pfSense will automatically update the rule to apply to that port.

The other options for filter rule association are as follows:

  • Add unassociated filter rule: pfSense will create a corresponding firewall rule, but the rule will not be updated if and when you make changes to the port forwarding rule.
  • Pass: pfSense will pass traffic that matches the port forwarding rule through the firewall rule without creating a corresponding firewall rule. (Thus, we could say pfSense creates an implicit firewall rule.)
  • None: pfSense will not create a corresponding firewall rule, explicit or implicit.

Using the Pass option could create confusion if you later have to troubleshoot NAT and firewall rules, since there will be an implicit firewall rule that does not appear in any of the firewall tables.

NAT rules can be configured using a variety of options. Here are some of the more commonly used options:

  • Disabled: You can enable or disable a NAT port forwarding rule with this option.
  • No RDR (NOT): Enabling this option will disable traffic redirection for this rule. This option can come in handy if you create a port forwarding rule that covers a range of ports, but need to disable port forwarding for a subset of this range. For example, assume we create a NAT port forwarding rule for Direct Client-to-Client (DCC, a subprotocol for file transfers commonly associated with Internet Relay Chat, or IRC). The rule enables port forwarding on ports 5000 to 5010. For some reason, we want to disable port forwarding on ports 5003 through 5005. By creating a port forwarding rule covering these ports, enabling the No RDR option, and placing it ahead of the original port forwarding rule, we can disable port forwarding on ports 5003-5005.
  • Interface: Allows you to specify the interface for the NAT rule (usually WAN).
  • Protocol: Specifies the protocol for the NAT rule. Usually, this is set to TCP (the default), or TCP/UDP, but there are many other options. For example, if you want to create a port forwarding rule for ping traffic, you could set this option to ICMP. Any is also an option.
  • Source: Typically, the source is set to the default value of any (as with firewall rules, we generally do not care about the source of the traffic). You can, however, specify the source of the traffic here.
  • Source Port Range: This is also set to any by default, but you can specify your own port range here.
  • Destination: Most often, destination is set to the WAN address, but you can set it to another address here.
  • Destination Port Range: This is the port the traffic will be requesting. If we are, for example, creating a port forwarding rule for a web server, we would select HTTP, or just type 80. If we are creating a rule for a custom port, an alias can help clarify the purpose of the rule.
  • Redirect Target IP: This is the IP address of the internal node to which traffic will be forwarded.
  • Redirect Target Port: This is the port on the internal node to which traffic will be forwarded.
  • Description: You can enter a brief description here; it will be copied into any associated firewall rules.
  • NAT reflection: Enabling NAT reflection allows you to use the rule’s external IP address (usually the WAN address) on internal networks.
  • Filter Rule Association: Enables the creation of a corresponding firewall rule.
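The following is an added illustration, not code from this book or from pfSense itself: a small first-match model of how the port forwarding options above interact. It shows the No RDR carve-out (the 5003-5005 rule placed ahead of the 5000-5010 DCC rule) and why a forward created with the Pass association passes traffic yet never shows up in the firewall rule table. The rule names, the 10.0.0.x target addresses and the port 8080 probe are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PortForward:
    """One NAT port-forward entry as configured under Firewall > NAT (constructed model)."""
    name: str
    dst_ports: Tuple[int, int]         # inclusive Destination Port Range on the WAN
    target_ip: str = ""                # Redirect Target IP (unused when no_rdr is set)
    target_port: Optional[int] = None  # Redirect Target Port; None keeps the original
    no_rdr: bool = False               # "No RDR (NOT)": match, but do not redirect
    filter_assoc: str = "associated"   # associated | unassociated | pass | none

def resolve(rules: List[PortForward], dst_port: int) -> dict:
    """First matching rule wins, so a No RDR entry placed ahead of a wider
    forward carves its ports out of that forward."""
    for r in rules:
        lo, hi = r.dst_ports
        if not (lo <= dst_port <= hi):
            continue
        if r.no_rdr:
            return {"rule": r.name, "target": None, "filter_rule": None}
        port = r.target_port if r.target_port is not None else dst_port
        # Which firewall rule lets the forwarded traffic through?
        if r.filter_assoc in ("associated", "unassociated"):
            fr = "explicit"      # visible under Firewall > Rules on the WAN tab
        elif r.filter_assoc == "pass":
            fr = "implicit"      # traffic passes, but no rule is listed anywhere
        else:
            fr = None            # "None": a WAN rule must be added by hand
        return {"rule": r.name, "target": (r.target_ip, port), "filter_rule": fr}
    return {"rule": None, "target": None, "filter_rule": None}

def listed_firewall_rules(rules: List[PortForward]) -> List[str]:
    """Names of forwards that produce an entry in the firewall rule table.
    Pass and None forwards are absent here, which is the troubleshooting trap."""
    return [r.name for r in rules
            if not r.no_rdr and r.filter_assoc in ("associated", "unassociated")]

# Constructed ruleset: SSH with the Pass option, the DCC carve-out placed first, then DCC.
RULES = [
    PortForward("ssh", (22, 22), "10.0.0.10", 22, filter_assoc="pass"),
    PortForward("dcc-hole", (5003, 5005), no_rdr=True),
    PortForward("dcc", (5000, 5010), "10.0.0.5"),
]

if __name__ == "__main__":
    for p in (22, 5001, 5004, 5010, 8080):
        print(p, resolve(RULES, p))
    print("in firewall table:", listed_firewall_rules(RULES))
```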