pfSense not routing traffic to internal web servers

So i just switched from IPFire to pfSense, mostly because IPFire's documentation is sub-par and pfSense's seemed to be pretty great. So i got pfSense up and running, reserved the static IPs i needed to and all that, and made sure i can reach the internet.

Now i'm having this problem that was NEVER a problem with IPFire. I'm trying to create a firewall rule that will pass all WAN traffic destined for port 443 to a specific IP address on my LAN. I've been banging my head against this wall for 3 hours now and i'm no closer. pfSense seems to just not want to let me access my Owncloud server from the outside no matter what i do. I've set up a host override through the DNS resolver so i can access the server via hostname from inside my own LAN (because setting up NAT reflection proved to be stupidly complicated) but i still can't get the damn thing to allow access from outside.

I'm at the point where i'm going to rip the thing out and go back to IPFire because this problem took 3 minutes to resolve.

pfSense will do it. I can't remember what the setup is at the moment and I'm not at home so I can't look at my configuration. I know there are other people more knowledge than me on the forum though. I've forwarded ports for owncloud, subsonic, and mumble through pfSense so I know it works. I don't use owncloud anymore but the setup should be the same.

First a few checks:
- Is your firewall setup correctly? (Rule from any on any port to internal server ip on port 443 in the WAN link page of rules?
- Is your NAT setup with the any host any port and destination to WAN IP port 443 and redirect to internal server ip port 443?
- Do you have any other services forwarded trough NAT and do they work?

I have an problem with PFsense that the WAN ip with port isn't accessable from the inside network, but is accessable from the outsite (maybe check via or some sort of proxy service). So I have an managed DNS server in my network that I have changed the ip adresses for certain DNS names in my domain to my internal server ip.

  1. Apparently it is not set up correctly because it is not working, and nowhere that i can find in the documentation does it tell you how to set up a firewall rule that accepts traffic inbound on port 443 and directs it to a specific LAN IP.

  2. I have a redirect rule setup for NAT to accept any WAN IP and any WAN port to redirect to HTTPS to my owncloud server IP. I still receive "connection refused" when attempting to browse to it.

  3. No, this is the first service i'm trying to set up and it's proving to be way too much of a hassle.

Do you have both a NAT rule and a firewall rule on the WAN interface. It should be as simple as creating a NAT rule for you wan address to the internal server and checking the box that links it to a firewall rule, then it will create the firewall rule automatically.

Also if you have any block rules on you wan (other than the default which is invisible) then make sure the allow rule is above it.

1 Like

Okay so just to be clear. Go to firewall>nat>port forwards and click add. Select wan as the interface, choose a protocol (for https choose tcp), choose wan address as the destination address and use 443 as the destination port. Then use your Web servers address as the target address and whatever port it uses (probably 443) for the target port.

For Nat reflection if you set it to nat + proxy (if you haven't got it set up by default) and choose make an associated firewall full in the next box. That should be all you have to do. Make sure you apply the changes after and maybe try resetting the state table as well to flush out any old firewall states.


The way i got it working on the newest verion of PFsense with the redesign is to set the source to any and destination in the NAT rule to WAN adress. Then set the redirect parameter to the ip of the server and port. And also check the checkbox that creates the firewall rule for you.

You can if you enable nat reflection, but it's better to test with an external connection anyway.

Like I said before, by default you cant check your external ip, but you can use an proxy service like for testing purposes. Or enable NAT Reflection like @Dexter_Kane said.

I have cleared out all existing firewall rules and NAT rules. Disabled blocking of reserved IPs and bogon IPs on the WAN interface. Created a new NAT rule: Interface: WAN, Protocol: TCP, Source: any, Source port: any, Destination: WAN address, Destination port: HTTPS, Redirect target IP: (server IP), Redirect Target port: HTTPS, NAT Reflection: system default, Filter Rule Association: Create new corresponding filter rule.

Saved, made sure the corresponding firewall rule was made, and attempted to navigate to my owncloud server (i am and have been using an external IP for testing). Still get a "connection refused" error. I'm 2 inches from fuck-it and putting IPFire back in.

Also, my apologies if i have come across to anyone as angry at them or just generally shitty. I've just been banging my head against this (fire)wall for 2 days now and am frustrated. I appreciate all your help.

That tripped me up the first time I set up my pfsense box.

I woudn't recommend clearing out your rules. There are some that are needed for normal opperation. If your whant to press on with PFsense you can setup an simple apache or lamp server on your main machine and recreate the rules to see if your server is not configured incorrectly.

On more question, is the NAT firewall rule your created ontop of the list or on the bottom. You can try moving it to the top of the list.

Also an way to get is working is to start redirecting all the nat ports to your server and allow everything in your firewall (temporairly) to troubleshoot the problem and lock it down from there. Watch out do, dont let the allow everything rule on for to long!

You're certain you clicked apply changes after making the rule? And have you tried resetting the state table?

That rule sounds like it should work, I assume that if you had it working before on ip fire then it's not an ISP issue or a double NAT issue. I'm not really sure what it could be.

Have you changed any other settings on pfsense? Such as in the advanced system settings or the outbound Nat settings?

It may be helpful if you posted screen shots of you lan wan and Port forward rules screens.

You could also try going to the wan rule and checking the box to enable logging (remember to turn this off later) then try to access the server and after that go to the firewall log (under status>system logs) and see if you see anything. If you know the ip of the device you're using you can filter with that as the source address.

If you see blocked traffic from that address then there's a problem with the firewall rules. If you see allowed traffic then it's probably a problem with the server and if you don't see anything then it's something outside your network such as a problem with your ISP or DDNS server or the wrong public IP or something like that.

1 Like