
pfsense and port forwarding help

Discussion in 'Networking, Telephony & Internet' started by Symon, Feb 16, 2025.

  1. Symon

    Symon Castigat ridendo mores

    Joined:
    Apr 17, 2002
    Messages:
    5,209
    Location:
    Brisbane QLD
    I know this should be a super simple thing to do but I've spent all morning on this and it's driving me nuts.

    I've got a pfsense router with three networks - LAN, IOT and DMZ. DMZ has FW rules to fully open it up to WAN. On the DMZ network I have a web server set up on 192.168.0.50 and I'm trying to make this accessible to the internet. I also have a static IP set up with my ISP.

    I've set up port forwarding but no joy. I can access the address internally but I can't even ping the external IP (I'm using my phone to test external access).

    It's as though there is another setting somewhere that I'm overlooking. Any ideas?

    upload_2025-2-16_9-32-13.png
     
  2. miicah

    miicah Member

    Joined:
    Jun 3, 2010
    Messages:
    8,330
    Location:
    Mount Cotton, QLD
    What ISP are you with? Have you disabled CG-NAT (if possible)?

    You shouldn't need port forwarding if the server is in your DMZ?
     
  3. OP
    Symon

    Thanks for your reply, I'm with ABB and it looks like CGNAT is the problem. When I got the static IP from them they disable CGNAT but will still block ports 80 and 443, you need to contact them directly to have those unblocked.

    I've just done that, so will see if it will work in an hour or so.
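Added example, not part of the thread: a small check for the CG-NAT question raised above, comparing the address on the router's WAN interface with the address an outside host sees. The function names and the sample addresses are hypothetical; the ranges are RFC 6598 (carrier-grade NAT) and RFC 1918 (private).

```python
import ipaddress

# Ranges that mean the WAN interface is not directly on the internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "cgnat": "WAN is behind carrier-grade NAT; inbound port forwards "
             "cannot work until the ISP assigns a public address.",
    "double-nat": "WAN has a private address; an upstream modem/router "
                  "is doing NAT and needs bridging or its own forward.",
    "upstream-nat": "WAN address differs from the address seen outside; "
                    "something upstream is translating traffic.",
    "direct": "WAN holds the public address; if a forward still fails, "
              "check ISP port blocking and the WAN firewall rules.",
}

def classify_wan(wan_ip: str, seen_ip: str) -> str:
    """wan_ip: address shown on the router's WAN interface.
    seen_ip: address an outside host reports your traffic coming from."""
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(seen_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan != seen:
        return "upstream-nat"
    return "direct"

def advise(wan_ip: str, seen_ip: str) -> str:
    return ADVICE[classify_wan(wan_ip, seen_ip)]

if __name__ == "__main__":
    # Constructed sample pairs (documentation addresses, not real hosts).
    samples = [
        ("100.72.14.9", "203.0.113.40"),
        ("192.168.1.2", "203.0.113.40"),
        ("198.51.100.7", "203.0.113.40"),
        ("203.0.113.40", "203.0.113.40"),
    ]
    for wan, seen in samples:
        print(f"{wan:>15} / {seen:<15} -> {classify_wan(wan, seen)}: "
              f"{advise(wan, seen)}")
```

A "direct" result only rules out address translation; as this thread shows, the ISP can still filter specific ports such as 80 and 443 on a static public address.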
     
  4. kesawi

    kesawi Member

    Joined:
    Jul 3, 2012
    Messages:
    2,578
    Location:
    Brisbane
    That's not how pfSense works. Unlike some consumer routers, there is no such thing as a preconfigured DMZ network in pfSense and you need to manually configure the port forwards and firewall rules required.

    Why are you specifying a gateway group in your WAN firewall rules? I can see you have multiple gateways but specifying the gateway in the WAN rules is unnecessary as pfSense knows what the gateway for the WAN network interface is. It's not like one of the internal LAN interfaces where you may want to create a firewall rule that redirects outbound traffic through a specific gateway. Here's an example WAN port forward rule which I use for my Plex server (note I'm using IP aliases instead of IP addresses and also restricting it to certain external IPs corresponding to the IP alias plex_workers).
    upload_2025-2-16_12-5-38.png

    If you use the option to create an associated filter rule then it will automatically create the corresponding WAN firewall rule. This is mine below:
    upload_2025-2-16_12-9-6.png

    This is how the rules look in the NAT port forward and WAN firewall rules:
    upload_2025-2-16_12-10-41.png

    upload_2025-2-16_12-11-14.png

    You won't be able to, as you don't have a WAN rule to permit incoming ping requests to the WAN address, so pfSense will drop them by default. You need to add one (example below with IPv4+IPv6 as I have IPv6 enabled).
    upload_2025-2-16_12-13-9.png

    That will help, but you may still need to make the changes above.
     
    Last edited: Feb 16, 2025
    AgB deano, miicah and Symon like this.
  5. OP
    Symon

    Ah ha! This was also the problem. I thought since I had VPNs I should specify the gateway, as I didn't want this going through the VPN. I put the gateway setting back on default and it's all working now.

    Awesome stuff, thanks for your help, I was going nuts!
     
    kesawi likes this.
  6. kesawi

    With pfSense, try to keep the rules simple and only add things in that are required.
     
    Symon likes this.
