Port forwarding

Port forwarding is probably the most commonly used form of NAT. It is typically used when we have a single public IP address and several internal resources that must be reachable from the internet. Instead of assigning a separate public IP address to every resource, we use the one public IP address and assign a separate port to each resource.

Port forwarding is less common in corporate networks, and many higher-end routers do not provide an easy way to configure it. It is, however, a standard feature of consumer-grade routers, and its inclusion in pfSense is an acknowledgement that pfSense is designed for a variety of networks and is often deployed in home and SOHO environments.

Before we get started with port forwarding, we should mention the following:

  • Port forwarding is applied before 1:1 NAT. Therefore, port forwarding can interfere with any 1:1 NAT mappings we may have.
  • Port forwarding rules are applied before firewall rules.
  • A given port on an interface can only be mapped to a single node. For example, we cannot SSH into multiple SSH servers via port 22 on the same WAN address. We can, however, expose separate SSH servers on separate external ports, even if that means using non-standard ports: one SSH server on port 6000, another on port 6001, and so on. Using a non-standard port even when the standard one is free cuts down on automated scanning noise and makes it slightly harder to guess what is running, but it is obscurity rather than protection: a full port scan with service detection will still identify the service, so the forwarded host must still be hardened and the Source of the rule restricted wherever possible.

Creating a port forwarding entry does not by itself make the port reachable from the WAN side. Keep in mind that pfSense blocks all unsolicited inbound traffic on the WAN by default, and a port forward only rewrites the destination; a firewall rule must still pass the rewritten traffic. Fortunately, pfSense makes the process of setting up the corresponding firewall rule easy.

To configure inbound NAT settings, the following are the steps:

  1. Navigate to Firewall | NAT and click on the Port Forwarding tab.
  2. From this tab, click on one of the Add buttons to add a new rule. The first option is Disable, which allows you to disable a rule without deleting it. When No RDR (NOT) is enabled, Redirect target IP, Redirect target port, and Filter rule association have no effect. This option is rarely used, but may be useful if you have a transparent proxy running. It could also be used if you want to exclude a subset of ports from a larger range of ports.
  3. The Interface drop-down box allows you to select the interface the rule applies to (in most cases, you want to leave this as WAN, since with inbound NAT, we are concerned with traffic originating on the internet).
  4. The Protocol drop-down box allows you to select the protocol to which the NAT rule applies.
  5. The Source and Source port range options are hidden; you have to click on the Display Advanced button in that section of the page to make them appear. Although these settings can be changed, usually we don't care about the source of the incoming traffic, so most of the time you will leave them at the default value of Any. The exception is administrative services such as SSH or RDP: for those, restricting Source to a single address or to an alias of known addresses is the single most effective hardening step available in this dialog.

  6. For Destination, you probably want to leave this set to WAN address, since users on the internet will be targeting your WAN address, not one of your private network IP addresses. If you have a multi-WAN setup, you may want to change the destination to one of your other WAN addresses. Destination port range is the port, or range of ports, you want to forward to one of your private IP addresses.
  7. In the Redirect target IP edit box, enter the internal IP address of the node to which you want to map the port or range of ports. The Redirect target port option specifies the port to which the port specified in Destination port range is mapped. This is usually identical to the Destination port, but you can specify a different port here; when a range is forwarded, the Redirect target port is the first port of the range on the internal host, and the rest of the range follows in order. Redirecting to a different port is useful in some circumstances.

For example, you may want to set up a private web server on your home internet connection that is reachable from the internet. However, many residential ISPs block inbound connections on port 80 (the default HTTP port) and port 443 (HTTPS). Using port redirection, you can choose a different Destination port (for example, 1234) and redirect traffic arriving on that port to port 80 on your web server, which can then go on listening on its standard port.

  8. In the Description edit box, you can enter a free-form description for future reference.
  9. The No XMLRPC Sync checkbox, if checked, prevents this rule from being synced to other CARP members. This only has an effect on the primary node; a secondary node's NAT rules are still overwritten when the primary syncs its configuration.
  10. The NAT Reflection drop-down box controls whether the forwarded service can also be reached from inside your network using the public IP address:
     • Use system default applies whatever NAT reflection option was chosen in System | Advanced under the NAT tab.
     • Enable (NAT + Proxy) sets up a proxy daemon which receives and reflects connections. It only works with TCP, and only for single port forwards or ranges of fewer than 500 ports.
     • Enable (Pure NAT) creates automatic NAT redirect rules to accomplish the reflection without an external daemon.
     • Disable turns NAT reflection off for this rule.
  11. The Filter rule association drop-down box selects what type of firewall rule is created to accompany the NAT rule:
     • Add associated filter rule generates a new firewall rule that is updated whenever the NAT rule is updated. Add unassociated filter rule generates a new firewall rule that is not automatically updated when changes are made to the port forwarding entry; there is a corresponding firewall rule, but it is not attached to the port forwarding entry.
     • Pass passes traffic that matches the NAT rule through the firewall without creating a firewall rule for it, that is, an implicit pass. The traffic gets through, but it never appears in the firewall rule list, so it cannot be logged or restricted by a firewall rule, and matching it during troubleshooting is not easy.
     • Finally, if None is selected, no firewall rule is created, and unless an existing firewall rule allows the traffic from this NAT rule to pass, it will not pass.
  12. When you are done making changes, click on the Save button at the bottom of the page and then on the Apply Changes button on the main Port Forwarding page.
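The following script, added here as an illustration and not part of pfSense or of this book, audits the port forwards in a pfSense config.xml backup against the points made above: a forward with no corresponding firewall rule is inert, the Pass association lets traffic through with no visible firewall rule, administrative services should not be forwarded from Source = any, and one external port on an interface can only be mapped to one node. The config.xml element names it relies on (<nat><rule> with <target>, <local-port> and <associated-rule-id>, where an associated rule carries a nat_ id, the Pass option stores the literal pass and None leaves it empty) are assumed to match pfSense's layout; verify them against your own backup. The sample configuration and the ADMIN_PORTS list are constructed for the example.

```python
"""Audit the port forwards in a pfSense config.xml backup (added example,
not pfSense's own code; element names are assumptions, see the lead-in)."""
import xml.etree.ElementTree as ET

# Constructed sample, not a real backup: a healthy web forward (1234 -> 80),
# an SSH forward saved with Filter rule association = Pass, a second SSH
# forward saved with association = None and no hand-written pass rule, and a
# forward that collides with the first one on external port 1234.
SAMPLE_CONFIG = """<pfsense><nat>
<rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
 <destination><network>wanip</network><port>1234</port></destination><target>192.168.1.10</target>
 <local-port>80</local-port><descr>web</descr><associated-rule-id>nat_5a1b2c3d</associated-rule-id></rule>
<rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
 <destination><network>wanip</network><port>22</port></destination><target>192.168.1.20</target>
 <local-port>22</local-port><descr>ssh</descr><associated-rule-id>pass</associated-rule-id></rule>
<rule><interface>wan</interface><protocol>tcp</protocol><source><address>203.0.113.0/24</address></source>
 <destination><network>wanip</network><port>6000-6001</port></destination><target>192.168.1.30</target>
 <local-port>22</local-port><descr>ssh-2</descr><associated-rule-id></associated-rule-id></rule>
<rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
 <destination><network>wanip</network><port>1234</port></destination><target>192.168.1.40</target>
 <local-port>1234</local-port><descr>dup</descr><associated-rule-id>nat_9e8f7a6b</associated-rule-id></rule>
</nat><filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
 <destination><address>192.168.1.10</address><port>80</port></destination>
 <associated-rule-id>nat_5a1b2c3d</associated-rule-id></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
 <destination><address>192.168.1.40</address><port>1234</port></destination>
 <associated-rule-id>nat_9e8f7a6b</associated-rule-id></rule>
</filter></pfsense>"""

# Services that should never be forwarded from Source = any (assumed list).
ADMIN_PORTS = {22, 23, 3389, 5900}


def text(node, tag):
    """Stripped text of a child element, or '' if the child is absent/empty."""
    child = node.find(tag) if node is not None else None
    return (child.text or "").strip() if child is not None else ""


def port_set(spec):
    """Expand '80' or '6000-6010' (config.xml range syntax) to a set of ints."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def target_ports(fwd):
    """Internal ports a forward reaches: the Redirect target port is the start
    of the range and the remaining ports of the range follow in order."""
    external = port_set(text(fwd.find("destination"), "port"))
    local = text(fwd, "local-port")
    if not local:
        return external
    start = int(local.partition("-")[0])
    return set(range(start, start + len(external)))


def has_pass_rule(fwd, passes):
    """True if a pass rule on the forward's interface and protocol admits
    traffic to its internal target on all of its internal ports."""
    wanted = target_ports(fwd)
    for rule in passes:
        dst = rule.find("destination")
        if text(rule, "interface") != text(fwd, "interface"):
            continue
        if text(rule, "protocol") not in ("", "any", text(fwd, "protocol")):
            continue
        if rule.find("destination/any") is None and text(dst, "address") != text(fwd, "target"):
            continue
        if text(dst, "port") and not wanted <= port_set(text(dst, "port")):
            continue
        return True
    return False


def audit(xml_text):
    """Return (description, finding) pairs for the enabled port forwards."""
    root = ET.fromstring(xml_text)
    forwards = [r for r in root.findall("./nat/rule") if r.find("disabled") is None]
    passes = [r for r in root.findall("./filter/rule")
              if text(r, "type") == "pass" and r.find("disabled") is None]
    findings, claimed = [], {}
    for fwd in forwards:
        name = text(fwd, "descr") or "(no description)"
        if text(fwd, "associated-rule-id") == "pass":
            findings.append((name, "implicit pass: traffic bypasses the rule set and "
                                   "cannot be logged or restricted there"))
        elif not has_pass_rule(fwd, passes):
            findings.append((name, "no firewall rule admits the forwarded traffic; "
                                   "the forward is inert"))
        if fwd.find("./source/any") is not None and target_ports(fwd) & ADMIN_PORTS:
            findings.append((name, "administrative service exposed to any source; "
                                   "restrict Source to known addresses"))
        # One external port on an interface can only be mapped to one node.
        for port in port_set(text(fwd.find("destination"), "port")):
            key = (text(fwd, "interface"), text(fwd, "protocol"), port)
            if key in claimed:
                findings.append((name, f"port {port} is already forwarded by "
                                       f"'{claimed[key]}'; only the first match wins"))
            else:
                claimed[key] = name
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"[{name}] {finding}")
```

Against the constructed sample the script reports four findings: the "ssh" forward relies on an implicit pass and exposes SSH to any source, the "ssh-2" forward has no firewall rule and therefore does nothing, and "dup" reuses external port 1234 that "web" already claims. To audit a live system, replace SAMPLE_CONFIG with the contents of a backup taken from Diagnostics | Backup & Restore.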