pfSense NAT - Network Address Translation and Forwarding
NAT (Network Address Translation) in pfSense handles address translation between internal and external networks. pfSense implements NAT through pf (packet filter) inherited from OpenBSD and supports three primary translation mechanisms: port forwarding, one-to-one NAT (1:1 NAT), and outbound NAT. Each mechanism addresses a distinct use case and operates at a specific stage of packet processing.
NAT Processing Order
pfSense evaluates translation rules in a strictly defined sequence. Understanding this order is essential for correct configuration and troubleshooting.
- Port Forwards - processed first. Incoming packets are checked against port forward rules, and on a match, the destination address is rewritten to the internal IP of the target host. Port forward rules take precedence over 1:1 NAT.
- 1:1 NAT - processed second. If no port forward rule matched, the 1:1 NAT table is consulted. On a match, the destination address is translated according to the bijective mapping between the external and internal address.
- Outbound NAT - processed on egress. The source address is replaced with the address of the outgoing interface (or a designated address from a NAT pool).
Warning:
Port forward rules intercept inbound traffic before 1:1 NAT processing. If both a port forward and a 1:1 NAT entry exist for the same external address, the port forward takes priority for matched ports. Remaining traffic is handled by 1:1 NAT.
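The inbound order described above can be checked against a rule set before it is deployed. The following is an added example, not pfSense code or output: a simplified Python model of the port-forward-then-1:1 lookup that also lists the ports where a port forward diverts traffic away from the host a 1:1 mapping points to. The names `PortForward`, `translate_inbound` and `shadowed_ports` are hypothetical, all addresses are constructed from documentation ranges, and outbound NAT and firewall rule evaluation are not modeled.

```python
# Simplified model of the inbound order described above; not pfSense code.
# All rules are constructed samples using documentation address ranges.
from dataclasses import dataclass

@dataclass(frozen=True)
class PortForward:
    ext_ip: str
    proto: str
    ext_port: int
    target_ip: str
    target_port: int

PORT_FORWARDS = [
    PortForward("203.0.113.10", "tcp", 443, "10.0.0.20", 8443),
    PortForward("203.0.113.11", "tcp", 22, "10.0.0.30", 22),
]
ONE_TO_ONE = {"203.0.113.10": "10.0.0.50"}  # external IP -> internal IP

def translate_inbound(dst_ip, proto, dst_port):
    """Return (rule_type, new_dst_ip, new_dst_port) for an inbound packet."""
    # Step 1: port forwards are evaluated first.
    for rule in PORT_FORWARDS:
        if (rule.ext_ip, rule.proto, rule.ext_port) == (dst_ip, proto, dst_port):
            return ("port-forward", rule.target_ip, rule.target_port)
    # Step 2: 1:1 NAT is consulted only when no port forward matched.
    if dst_ip in ONE_TO_ONE:
        return ("1:1", ONE_TO_ONE[dst_ip], dst_port)
    # No translation applies; whether the packet passes is a firewall-rule matter.
    return ("none", dst_ip, dst_port)

def shadowed_ports():
    """Port forwards that override a 1:1 entry and land on a different host."""
    findings = []
    for rule in PORT_FORWARDS:
        host = ONE_TO_ONE.get(rule.ext_ip)
        if host and host != rule.target_ip:
            findings.append((rule.ext_ip, rule.proto, rule.ext_port,
                             rule.target_ip, host))
    return findings

if __name__ == "__main__":
    for pkt in [("203.0.113.10", "tcp", 443), ("203.0.113.10", "tcp", 25)]:
        print(pkt, "->", translate_inbound(*pkt))
    for ext_ip, proto, port, pf_host, nat_host in shadowed_ports():
        print(f"{ext_ip} {proto}/{port}: port forward sends to {pf_host}, "
              f"1:1 NAT would send to {nat_host}")
```

Each finding is a port on a shared external address that reaches a different internal host than the 1:1 mapping suggests, which is worth confirming as intentional during a rule review.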
Default Behavior
After installation, pfSense automatically configures outbound NAT for all internal interfaces: traffic destined for the internet is translated to the WAN interface address. Inbound traffic from the internet is blocked entirely by default - granting access to internal services requires an explicit port forward or 1:1 NAT rule.
In This Section
- Port Forwarding - redirecting inbound traffic to internal servers, firewall rule association, NAT reflection, and advanced scenarios
- 1:1 NAT - bijective translation of an external address to an internal address, use cases for servers with dedicated public IPs
- Outbound NAT - controlling source address translation for egress traffic, manual and hybrid modes, static port for VPN
Related Sections
- pfSense Firewall - filtering rules, aliases, and security policy management
- Firewall Rules - rule creation, processing order, floating rules
- pfSense VPN - VPN tunnel configuration requiring correct NAT settings