Return to

pfSense NAT/Port forward issue

Hey there.

I recently re-arranged my network at home to utilize multiple VLANs (the VLANs were there before, but I cleaned it up and re-configured the gateways a bit.

However, now a network that was only one hop from the internet is now two hops (pfSense firewall into Catalyst 3560G with inter-VLAN routing). As a consequence, none of my Port Forward rules for some internet facing servers are working.

Traffic flows fine otherwise and I can get to the internet from the two VLANs I expect to (15 and 192) but how to I “double hop” a port forward rule? Shouldn’t it just route it automatically if it has a known static route?

Pic below for reference.


Do VLAN routing on pfsense, use static routes if you need wirespeed through the switch.

You need to port-forward from your Catalyst to your pfSense, then from pfSense to your computer or VM. So it would be something like

  • Catalyst: public IP:8000 →
  • pfSense: → 10.140.15.XYZ:25565

You could use the TCP and UDP ports 25565 on both the Catalyst and pfSense, so it would look like:

  • Catalyst: public IP:25565 →
  • pfSense: → 10.140.15.XYZ:25565

The network between the Catalyst and pfSense is a DMZ and you probably should keep services exposed to the internet there and keep everything that is not exposed behind pfSense. And that way, you’d only have to port forward from Catalyst alone.

You have to create a static route in both directions. On the Cisco, you need the route of last resort going to your pfSense firewall, which it sounds like you do.
Something like

ip route

But you also need to tell your pfsense router how to get to those networks that it doesn’t know exist.

Here’s a screenshot of mine so you can see

Then your port forwards (and traffic flowing in that direction) should work fine.

The Cisco switch isn’t a NAT for firewall device. It’s just a router…so I’m not sure what you are suggesting here? NAT != Routing

1 Like

What do you mean the Catalyst does no NAT? If the diagram is correct, then the Catalyst has a public IPv4 IP address. Behind the catalyst, there is a private IPv4 network, so even if there is only 1 device on the subnet, Catalyst still does NAT from pfSense to the public Internet.

It seems I misunderstood the diagram (well, to my defense, the devices aren’t labeled). I thought the Catalyst was the internet facing device and pfSense was the one routing traffic between vLANs. And you could have deducted my mistake too if you have read my comment carefully, look at my double NAT rules, I said Catalyst had the public IP and the 99.254 IP and that pfSense had the 99.1 and the rest of the vLANs default gateway IPs.

Yeah, in this case, pfSense is the only one doing the NAT. So your solution is correct, Catalyst needs to have default route to pfSense and pfSense needs to have static routes to each subnet, going through the Catalyst. Or OP could use OSPF and learn something new, I guess this is a homelab (3560G is old, but it could still work wonders for a small business). While OSPF is not necessary in such a small network, it’s a good thing to learn.

D’oh thanks guys but I am also slightly an idiot here.

Up until re-doing the network, I was relying on NAT reflection to keep my paths consistent whether I was on my home network or away. Turns out that the port forwarding is working just fine, it’s the NAT reflection that isn’t because it cannot be routed.

I’ll probably wind up having to do split DNS.