P6 - Ultimate pfSense NAT Rule Guide – Open Ports Right
pfSense – P6 pfSense NAT Rule Configuration – Open Port to LAN Server
Understanding pfSense NAT Rule configuration is critical when you need to publish internal services to the Internet or control how traffic leaves your network.
In this guide, you will learn:
• Port Forwarding (Destination NAT)
• 1:1 NAT
• Outbound NAT (Source NAT)
• NPT for IPv6
Each section includes clear examples and real-world use cases.
🔹 1. NAT Overview
Network Address Translation (NAT) allows private IP addresses to communicate with public networks. In pfSense, NAT plays a central role in both inbound and outbound traffic control.
There are multiple NAT types, each serving different purposes.
🔹 1.1. Port Forwarding (Destination NAT)
Port Forwarding opens a specific port from the Internet to an internal server.
Example:
• Public WAN IP: 115.73.17.111
• Internal Server: 192.168.16.175 (Proxy server)
• Configuration: WAN port 443 → 192.168.16.175:443
• Flow: Internet → WAN IP → pfSense → Internal Server
This is the most common pfSense NAT Rule used in small and medium networks.
📌 When to Use Port Forwarding?
• Web server
• Mail server
• VPN server
• Camera
• Remote Desktop
If you need to expose a specific service to the Internet, Destination NAT is the correct method.
🔹 1.2. 1:1 NAT
👉 Map an entire public IP to a private IP.
For example, you have 5 public IPs:
113.161.10.50 – 113.161.10.54
You want:
113.161.10.51 ↔ 192.168.16.10
This means:
All traffic to that public IP will go directly to the server.
Unlike Port Forwarding, you do not map individual ports. Instead, you map the entire public IP address to one internal host.
🔧 Configuration Steps
Step 1: Create NAT Rule
Step 2: Create Firewall Rule (WAN)
Both steps are required. NAT handles translation, but firewall rules control permission.
📌 When to Use 1:1 NAT?
• Businesses with many public IPs
• Want a server with its own public IP
• Don’t want to configure each port individually
1:1 NAT simplifies large deployments where servers require full public exposure.
🔹 1.3. Outbound NAT (Source NAT)
👉 NAT for the LAN to the Internet.
This is the default NAT that provides Internet access.
Flow:
192.168.16.100 → pfSense → change to 113.161.10.50 → Internet
Here, pfSense translates the private IP into the WAN public IP before sending traffic out.
Without this pfSense NAT Rule, internal devices cannot access the Internet.
🔹 Outbound NAT Modes
There are 4 modes:
• Automatic: pfSense automatically creates rules → 90% use this.
• Hybrid: Automatic plus you can add your own rules.
• Manual: You configure everything yourself.
• Disable Outbound NAT: pfSense will NOT perform Source NAT for outbound traffic.
Choosing the correct mode depends on network complexity.
📌 When Should You Adjust Outbound NAT?
• Multiple WANs
• Site-to-site VPN
• Don’t want to NAT a specific subnet
• Want a VLAN to go out through a different public IP
Advanced network designs often require manual or hybrid outbound NAT configuration.
🔹 1.4. NPT (Network Prefix Translation)
👉 Used for IPv6.
IPv6 does not require NAT like IPv4.
However, if your ISP changes the prefix, you can use NPT to:
• Map internal prefix ↔ ISP prefix
This keeps your internal IPv6 structure stable even if the provider modifies the external prefix.
NPT is rarely used in basic lab environments but may appear in enterprise IPv6 deployments.
🔎 Understanding Traffic Flow with pfSense NAT Rule
To properly configure NAT, always remember:
• NAT handles address translation
• Firewall rules handle permission
• Both must be configured correctly
For example:
• Port Forwarding without a corresponding WAN firewall rule will not work.
• 1:1 NAT without firewall permission will also fail.
Proper alignment between NAT and firewall is essential.
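A small Python model of that ordering, added here as an illustration and not taken from pfSense itself: on inbound WAN traffic the destination is translated first and the firewall rule is evaluated afterwards, so the WAN rule has to name the internal address. Class and function names are hypothetical; the addresses are the ones used in this guide.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class PortForward:   # Destination NAT: one public port -> one internal port
    wan_ip: str
    wan_port: int
    target_ip: str
    target_port: int

@dataclass(frozen=True)
class OneToOne:      # 1:1 NAT: every port of the public IP -> one internal host
    external_ip: str
    internal_ip: str

@dataclass(frozen=True)
class WanPass:       # WAN pass rule; dst_port=None means any port
    dst_ip: str
    dst_port: Optional[int]

def translate(pkt, forwards, one_to_one):
    """Step 1: NAT rewrites the destination (port forwards are checked first)."""
    for f in forwards:
        if (pkt.dst_ip, pkt.dst_port) == (f.wan_ip, f.wan_port):
            return Packet(f.target_ip, f.target_port)
    for m in one_to_one:
        if pkt.dst_ip == m.external_ip:
            return Packet(m.internal_ip, pkt.dst_port)
    return pkt

def wan_inbound(pkt, forwards, one_to_one, rules):
    """Step 2: the WAN ruleset sees the translated packet; default is block."""
    seen = translate(pkt, forwards, one_to_one)
    for r in rules:
        if r.dst_ip == seen.dst_ip and r.dst_port in (None, seen.dst_port):
            return "pass", seen
    return "block", seen

FORWARDS = [PortForward("115.73.17.111", 443, "192.168.16.175", 443)]
ONE_TO_ONE = [OneToOne("113.161.10.51", "192.168.16.10")]
```

With a 1:1 mapping the same function shows why the WAN rule is the only thing limiting exposure: `WanPass("192.168.16.10", None)` opens every port on the mapped host, while `WanPass("192.168.16.10", 443)` opens one.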
🚀 Best Practices for pfSense NAT Rule Configuration
When working with NAT:
• Clearly document public-to-private mappings
• Avoid unnecessary open ports
• Use specific port mappings instead of wide exposure when possible
• Regularly review firewall rules on WAN
• Test connectivity after each change
Security should always come before convenience.
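One way to support the documentation and review steps above, as an added example that is not part of the original guide: a Python script that reads a configuration backup, lists every public-to-private mapping and flags entries worth a second look. The XML element names are an assumption about the layout of a pfSense config.xml backup and should be checked against your own export; the sample data, including 192.168.16.20 and the rule id, is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a pfSense config.xml backup.
SAMPLE = """<pfsense>
 <nat>
  <rule><interface>wan</interface><protocol>tcp</protocol>
   <source><any/></source>
   <destination><network>wanip</network><port>443</port></destination>
   <target>192.168.16.175</target><local-port>443</local-port>
   <associated-rule-id>nat_example_1</associated-rule-id></rule>
  <rule><interface>wan</interface><protocol>tcp</protocol>
   <source><any/></source>
   <destination><network>wanip</network><port>3389</port></destination>
   <target>192.168.16.20</target><local-port>3389</local-port></rule>
  <onetoone><interface>wan</interface><external>113.161.10.51</external>
   <source><address>192.168.16.10</address></source></onetoone>
 </nat>
 <filter>
  <rule><interface>wan</interface><type>pass</type>
   <associated-rule-id>nat_example_1</associated-rule-id></rule>
 </filter>
</pfsense>"""

def audit(xml_text):
    """Return (mappings, findings) for a review of WAN exposure."""
    root = ET.fromstring(xml_text)
    # Ids of firewall rules that were created together with a port forward.
    linked = {r.findtext("associated-rule-id") for r in root.findall("filter/rule")}
    mappings, findings = [], []
    for r in root.findall("nat/rule"):
        dst = r.findtext("destination/network") or r.findtext("destination/address")
        pub = f"{dst}:{r.findtext('destination/port')}"
        mappings.append(("port-forward", pub,
                         f"{r.findtext('target')}:{r.findtext('local-port')}"))
        rid = r.findtext("associated-rule-id")
        if not rid or rid not in linked:
            findings.append(f"{pub}: no linked WAN firewall rule (check for a manual one)")
        if r.find("source/any") is not None:
            findings.append(f"{pub}: open to any source address")
    for m in root.findall("nat/onetoone"):
        ext = m.findtext("external")
        mappings.append(("1:1", ext, m.findtext("source/address")))
        findings.append(f"{ext}: 1:1 NAT, exposure depends entirely on WAN rules")
    return mappings, findings

if __name__ == "__main__":
    for line in audit(SAMPLE)[1]:
        print(line)
```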
🏁 Conclusion
Mastering pfSense NAT Rule configuration allows you to:
• Publish internal services securely
• Assign dedicated public IPs
• Control outbound traffic behavior
• Prepare for IPv6 deployment
Understanding the differences between Port Forwarding, 1:1 NAT, Outbound NAT, and NPT is fundamental for professional firewall management.
This completes Part 6 of the pfSense series and prepares you for advanced topics such as advanced routing, policy-based routing, VPN integration, and multi-WAN design.