Port-forwarding

Port-forwarding is typically used in scenarios where we have a single public IP address and several resources (in many cases on separate nodes) that must be made accessible from the internet. In such cases, it is useful to steer traffic to different nodes based on the port on which the traffic entered the network, hence the term port-forwarding.

Port-forwarding is rarely seen in corporate networks (corporations are more likely to be able to afford separate IP addresses for different services), but it is commonly seen in home and SOHO networks. Fortunately, pfSense is designed to work with a variety of networks and supports port-forwarding. However, we must take the following into account:

  • Port-forwarding in pfSense is always applied before 1:1 NAT.
  • Port-forwarding rules in pfSense are applied before firewall rules.
  • Port-forwarding is always a 1:1 proposition. Thus, we can only map a port number to a single node. If we want to have multiple FTP servers, for example, we cannot have them on the same port.
  • The creation of a port-forwarding entry does not in itself make the port accessible from the WAN side. pfSense blocks all traffic on all interfaces and all ports by default, and in order for traffic to pass, there must be a corresponding firewall rule. Fortunately, pfSense streamlines the process of creating a matching firewall rule.

Creating a port-forwarding entry is as easy as following these steps:

  1. Navigate to Firewall | NAT. The Port Forward tab should be selected by default.
  2. There will be a table on this page showing all the current port-forwarding entries. Click on one of the Add buttons below the table to add a rule.
  3. The first option on the page is Disable, which allows you to disable a rule without deleting it. As with firewall rules, this is useful when troubleshooting.
  4. The No RDR (NOT) checkbox, when checked, will cause Redirect target IP, Redirect target port, and Filter rule association to have no effect. This is a rarely-used option, but it can come in handy if you want to exclude a subset of ports from a larger range of ports that is being redirected. It also might be useful if a proxy is running on the port.
  5. The Interface drop-down box allows you to select the interface to which the rule applies. In most cases, we can leave this at its default value, which is WAN, because port-forwarding is mainly concerned with traffic originating on the internet.
  6. The Protocol drop-down box allows you to select the protocol that the traffic must have for the port-forwarding rule to match.
  7. Source and Source port range are hidden by default because, in most cases, we don't care about the source of the traffic. Although we can change these values, we can usually leave them set to Any.
  8. Most of the time, Destination can be left set to WAN address, since users on the public internet will be targeting your WAN address. This may be different if you have a multi-WAN setup, in which case you may want to change your destination to one of your other WAN interfaces. Destination port range is something you will have to set, however, since this is the port or range of ports you want to forward to one of your network's private IP addresses.
  9. The Redirect target IP edit box is where you enter the private IP address of the node to which you want to map the port or range of ports. The Redirect target port is the port on that node to which the traffic is sent. This is usually identical to the port specified in the Destination port range, but it doesn't have to be.
  10. In the Description edit box, you can enter a brief non-parsed description.
  11. The No XMLRPC Sync option, if enabled, results in the rule not being synced to other CARP members (note that this option does not apply to CARP slaves, which can still have their NAT rules overwritten by the CARP master).
  12. The NAT Reflection drop-down box allows you to select different NAT reflection options:
    • Use system default allows you to use the NAT reflection option chosen in System | Advanced under the NAT tab.
    • Enable (NAT + Proxy) sets up a proxy daemon which will receive/reflect connections, but it only works with TCP connections and only with ranges of up to 500 ports.
    • Enable (Pure NAT) creates automatic rules to do the redirection without a proxy daemon.
    • Disable disables NAT reflection.
  13. The Filter rule association drop-down box allows you to choose what type of firewall rule is created to correspond to the port-forwarding rule:
    • Add associated filter rule causes pfSense to generate a firewall rule that is updated every time the NAT rule is updated.
    • Add unassociated filter rule causes pfSense to generate a firewall rule corresponding to the NAT rule, but it is not updated automatically.
    • Pass does not create a new firewall rule, but it allows traffic that matches the NAT rule through the firewall. This might prove confusing if you ever have to troubleshoot firewall issues.
    • None causes pfSense to not create any firewall rule, explicit or implicit. Traffic matching the NAT rule will only get through if there is already a firewall rule allowing it to pass.
  14. When you are done, you can click on the Save button and, when the page reloads, click on the Apply Changes button.

NAT reflection is a feature that enables users on the internal network to access a resource (for example, a file server) that exists on the internal network using that resource's public IP address (an alternative to using the private IP address of that resource).
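To see what the entry created above actually does underneath the GUI, here is a hand-written pf ruleset fragment that expresses the same port-forward, the No RDR exclusion, the associated filter rule, and Pure NAT reflection. This is an added illustration, not pfSense's own generated ruleset; the WAN interface em0, the LAN interface em1, the LAN subnet 192.168.1.0/24, the internal hosts 192.168.1.10 and 192.168.1.20, and all port numbers are assumed values.

```pf
# Constructed example: pf equivalents of a pfSense port-forward entry.
# Assumptions: WAN = em0, LAN = em1 (192.168.1.0/24). Internet clients
# connect to TCP 8443 on the WAN address; the web server is 192.168.1.10:443.

# 1. The port-forward itself (the NAT side).
#    "(em0)" means the WAN interface's current address, i.e. the GUI's
#    "Destination: WAN address". Destination port 8443, redirect target 443.
rdr on em0 proto tcp from any to (em0) port 8443 -> 192.168.1.10 port 443

# 2. The "No RDR (NOT)" case: carve one port out of a forwarded range.
#    Translation rules are first-match, so the exclusion must come first.
no rdr on em0 proto tcp from any to (em0) port 3395
rdr on em0 proto tcp from any to (em0) port 3389:3399 -> 192.168.1.20 port 3389:*

# 3. The firewall rule that "Add associated filter rule" generates for you.
#    Filtering is evaluated after translation, so the rule has to match the
#    redirected destination (private IP and target port), not the WAN port.
#    Without a pass rule the rdr entry on its own lets nothing through,
#    which is the point made in the bullet list above.
pass in on em0 proto tcp from any to 192.168.1.10 port 443 keep state
pass in on em0 proto tcp from any to 192.168.1.20 port 3389:3399 keep state

# 4. Pure NAT reflection: the same redirect applied to traffic arriving on the
#    LAN side, so an internal client that connects to the public address:8443
#    reaches the internal server. When client and server share a subnet, the
#    extra nat rule rewrites the source so the server's replies come back
#    through the firewall instead of going directly to the client.
rdr on em1 proto tcp from 192.168.1.0/24 to (em0) port 8443 -> 192.168.1.10 port 443
nat on em1 proto tcp from 192.168.1.0/24 to 192.168.1.10 port 443 -> (em1)
pass in on em1 proto tcp from 192.168.1.0/24 to 192.168.1.10 port 443 keep state
```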