Port forwarding with pfSense isn’t hard. If you’re new to networking, though, you may be wondering- what is port forwarding and why would I ever want to use it?
Note: If you’re not interested in the explanation of how port forwarding works, you can skip straight to the slideshow below for the example on port forwarding with pfSense.
What is NAT?
Before we get to that, let’s talk about IP addresses for a second. You probably already understand that there are public IP addresses (the internet) and private IP addresses (your home network). Private IP addresses, such as 192.168.1.1, belong to a private network and are not routable on the public internet: no internet router will carry a packet addressed to or from 192.168.x.x. Wait a minute! How is that possible? My computer has a 192.168.x.x address and I can use the internet just fine!
That’s because your router also serves as a network address translator. This means it takes your private IP address and turns it into a public IP address that your Internet Service Provider (ISP), such as Comcast or AT&T, assigned you when you connected the router to their network. Your computer’s private IP address doesn’t show up on the internet, only your router’s public IP address.
This is how it works. When you access the internet, data is passed in packets. One of the things network address translation (NAT) does is rewrite the source IP address in each outgoing packet, removing your computer’s private IP address and replacing it with your router’s public IP address. The router remembers each rewrite in a state table so that it can send the replies back to the right computer.
NAT is needed because there aren’t enough IP addresses to go around, at least with the old IPv4 standard. IPv4 supports a maximum of (approximately) 4 billion IP addresses. Since there are more than 4 billion devices connected to the internet, this is a problem. NAT allows all of the devices in your home network to access the internet using a single public IP address. The newer standard is IPv6, and it’s currently being implemented across the internet. This increases the maximum number of addresses that can be assigned to about 3.4 × 10^38 (2^128)!
How do ports work?
We now know the basic process of how routers, including pfSense, handle IP addresses. But that’s only half the story: an IP address only gets a packet to the right computer. How does an application know the incoming packets are intended for it and not another application on the same computer? This is where ports come in. An application listens on a port for incoming data, and each packet carries a source port and a destination port alongside the two IP addresses. Ports range from 0 to 65535. When talking about IP addresses and port numbers, the written convention is ipAddress:portNumber (e.g. 192.168.1.1:80).
Many internet protocols have designated ports. This lets different systems communicate using a universal standard. These are called well-known ports (you can read more about them here). They are ports 0 to 1023. Forwarding a well-known port is fine when the service behind it actually uses one (a web server on 443, for example), but if you are picking an arbitrary external port for a forward, choose a port (or range of ports) outside of this range so it doesn’t collide with a standard service.
For instance, your browser is using HTTP to interact with this site. HTTP uses port 80. Your browser sends its request to destination port 80, because this is the port a web server listens on. The web server hosting this site is listening on port 80. Your browser, in turn, listens for the reply on a source port that was randomly chosen by your computer, such as 49783.
Let’s look at this process:
- Your computer wants to access a web server at IP address 18.104.22.168. The computer’s IP address is 192.168.1.1 and it’s using random source port 49783.
- The computer tells the router it needs to open a connection to 18.104.22.168:80 by sending it a packet.
- The router receives the packet on the local area network (LAN) interface. It rewrites the packet to remove your private IP address and replace it with its public IP address (say 126.96.36.199). The router also replaces the source port with a new one (say 34244) and records the mapping 126.96.36.199:34244 ↔ 192.168.1.1:49783 in its state table.
- The router then sends the rewritten packet out to the web server’s address 18.104.22.168:80 on the wide area network (WAN) interface.
- The web server receives a request from 126.96.36.199:34244. It sends the reply back to that address and port.
- The router receives the response on the WAN interface, then looks up the destination port and the server’s address in its state table. It sees 192.168.1.1:49783 made the request. So that’s where it sends the response on the LAN interface, after rewriting the destination back to the private address and port.
- If everything went smoothly, the connection between the computer and the web server is now established.
As far as port forwarding with pfSense goes, there are two important things to take out of this: 1) outgoing (source) ports are rewritten by the router on its WAN interface and tracked in its state table, so you never configure them, and 2) for traffic that nobody on the LAN asked for, the router has no state-table entry, so it needs to be told the computer’s LAN address and the service’s port number (destination port) before it can deliver the data.
You just saw how ports work when a computer on the LAN initiates a request to the internet. So what happens if you want to initiate a connection from the internet? This is where port forwarding comes into play.
Port forwarding with pfSense
Port forwarding is a way for you to pass data through your router from the internet so that it can reach a service or application on your private network. You tell your router which external port (on the WAN address) maps to which internal IP address and port; the router then rewrites the destination of matching inbound packets the same way it rewrites the source of outbound ones. In pfSense this is done under Firewall > NAT > Port Forward, and by default pfSense also adds the associated firewall rule that allows the forwarded traffic in on the WAN interface.
Common uses include forwarding ports for video games, remote desktop sessions, and accessing an FTP server.
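To make the two halves of this concrete, here is a small model of what the router does with its state table and its port-forward rules. It is an added example written for this article, not code from the original post and not how pfSense (which uses FreeBSD’s pf) is implemented internally. It replays the browser walkthrough above, then shows an unsolicited packet to an iTunes sharing port being dropped until a forward exists. All hosts and ports are constructed sample values: the router’s WAN address 126.96.36.199 and web server 18.104.22.168 are taken from the walkthrough, 203.0.113.7 is a documentation address standing in for a random internet host, and 3689 is assumed here as the iTunes (DAAP) sharing port on an assumed LAN server 192.168.1.50.

```python
"""Toy model of NAT (source rewriting) and port forwarding (destination rewriting).
Added example for this article, not pfSense code; all addresses and ports are
constructed sample values."""
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip, first_nat_port=34244):
        self.wan_ip = wan_ip
        # Outbound state: (wan port, remote ip, remote port) -> (lan ip, lan port)
        self.outbound = {}
        # Forwarded inbound state: (lan ip, lan port, remote ip, remote port) -> wan port
        self.inbound = {}
        # Port-forward rules: wan destination port -> (lan ip, lan port)
        self.forwards = {}
        self._next_port = itertools.count(first_nat_port)

    def add_port_forward(self, wan_port, lan_ip, lan_port):
        """The equivalent of one Firewall > NAT > Port Forward entry."""
        self.forwards[wan_port] = (lan_ip, lan_port)

    def from_lan(self, pkt):
        """Packet arriving on the LAN interface, headed for the internet."""
        reply_key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if reply_key in self.inbound:
            # Reply from a forwarded service: restore the WAN port the remote host used.
            return replace(pkt, src_ip=self.wan_ip, src_port=self.inbound[reply_key])
        # New outbound connection: pick a fresh WAN source port and remember who owns it.
        wan_port = next(self._next_port)
        self.outbound[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=wan_port)

    def from_wan(self, pkt):
        """Packet arriving on the WAN interface. Returns the LAN packet, or None if dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        owner = self.outbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if owner:
            # Reply to a connection a LAN host opened earlier: un-translate the destination.
            return replace(pkt, dst_ip=owner[0], dst_port=owner[1])
        target = self.forwards.get(pkt.dst_port)
        if target:
            # Unsolicited connection, but a port-forward rule says where it goes.
            lan_ip, lan_port = target
            self.inbound[(lan_ip, lan_port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
            return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)
        # No state and no rule: this is why a NAT router drops random inbound traffic.
        return None


def demo():
    router = NatRouter(wan_ip="126.96.36.199")
    # 1. Browser on 192.168.1.1 opens a connection to the web server (walkthrough above).
    out = router.from_lan(Packet("192.168.1.1", 49783, "18.104.22.168", 80))
    # 2. The web server replies to what it saw: the router's public address and NAT port.
    back = router.from_wan(Packet("18.104.22.168", 80, "126.96.36.199", out.src_port))
    # 3. A random internet host (constructed address) tries the assumed iTunes port first.
    dropped = router.from_wan(Packet("203.0.113.7", 51000, "126.96.36.199", 3689))
    # 4. Add the port forward; the same packet now reaches the assumed LAN server ...
    router.add_port_forward(3689, "192.168.1.50", 3689)
    forwarded = router.from_wan(Packet("203.0.113.7", 51000, "126.96.36.199", 3689))
    # ... and the server's reply leaves with the public address/port the remote host used.
    reply = router.from_lan(Packet("192.168.1.50", 3689, "203.0.113.7", 51000))
    return out, back, dropped, forwarded, reply


if __name__ == "__main__":
    for name, pkt in zip(("out", "back", "dropped", "forwarded", "reply"), demo()):
        print(f"{name:>9}: {pkt}")
```

The `dropped` result is the whole reason port forwarding exists: without a state-table entry or a forward rule the router has nowhere to send the packet, so it is discarded. Note that a real pfSense forward also needs a matching firewall pass rule on WAN; the model folds that into the rule lookup.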
In the example, I’m going to be forwarding a port so I can remotely access my iTunes server:
[Slideshow: port forwarding with pfSense, step by step]
That covers the essentials of port forwarding with pfSense. The concept is no different from a consumer-grade router. pfSense has a lot more options than you’ll find in typical routers, which can make it seem more difficult than it really is. One thing worth keeping in mind: every forwarded port exposes that service directly to the internet, so only forward what you actually need, keep the service behind it patched, and where you can, restrict the source addresses in the associated firewall rule rather than leaving it open to any host.
- Read more about how to install pfSense
- Read more about setting up NxFilter
- Read more about how to fix pfSense DNS rebinding warning