pfSense NAT Port Forwards No Longer Working

TLDR: pfSense NAT Port Forwards don’t allow multiple interfaces to bind to the same NAT IP and Port. Any workarounds or alternatives?

Howdy, Folks,

I’m hoping someone can shed some light on a problem I’m running into with the latest and greatest pfSense 2.8.1 release. Specifically, NAT Port Forwards.

I’ve been running pfSense on bare metal for a few years. Multiple VLANs, single gateway, nothing too fancy or extreme. Recently, I moved pfSense to a VM in a Proxmox setup. Similar configuration as bare metal and it worked great. Then, since it wasn’t broken I decided to fix it anyway. I found this little guide and it looked interesting…

pfSense Baseline Guide with VPN, Guest & VLAN support

Now, the issue and some background. Please bear with me…

I’ve followed the guide almost word-for-word, with some minor changes (VLANs, IP ranges, VPN Provider) and it worked. Sort of. VLANs would route, then they wouldn’t. I could ping by IP but not by hostname. Then I couldn’t ping by IP either. Then everything would work again. It wasn’t always consistent and it wasn’t always the same VLAN. The issue seems to affect random VLANs at random times. One might stop working, then suddenly work again but another one would stop. Then suddenly all VLANs worked flawlessly. Then it started all over again. No errors, nothing strange in the logs, nothing useful to really go on.

Troubleshooting…did this, did that, tried something else, swore a lot. Finally decided I must have made a typo somewhere I couldn’t find and set about rewriting the NAT and firewall rules from scratch. Then it got interesting…

While rewriting the NAT Port Forward rules, I got a “destination port range overlaps with an existing entry” error while saving a rule. Which, of course, it does, because the guide above uses NAT Port Forwards to redirect DNS requests to pfSense DNS at 127.0.0.1 on port 53. Even though the error message is clear, it took me a while to wrap my head around it. Even the good folks here at Lawrence Systems have a video showing pretty much the same thing. The one thing I noticed is that both of these examples are running older (2.5x?) versions of pfSense and the current 2.8x version (maybe 2.7x too? Not sure) no longer supports this. You cannot have the same NAT IP and port for multiple NAT Port Forwards, even if the interface and network are different.

So, after all of that, my question comes down to this: since you can no longer use NAT Port Forwards this way, what are people doing instead? Multiple guides walk through doing this, so I would guess it was a pretty common thing to do. Must be a lot of folks out there that got bitten by this, so I’m hoping someone has a suggestion or ten.

Many thanks for your patience during my long-winded rant and many more thanks if you have a fix, workaround or suggestion. I now return you to your regularly scheduled programming…

KA
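To audit a config for the overlap described above before pfSense rejects it, here is a small checker (added here as an illustration, not code from the guide, pfSense, or anyone in this thread). It parses a constructed XML fragment whose element names approximate the `<nat><rule>` layout of a pfSense config.xml and flags any NAT target IP/port/protocol that more than one interface redirects to:

```python
"""Flag NAT port forwards that share the same NAT target IP and port.

Constructed sample: three VLAN interfaces redirect port 53. Two of them point
at 127.0.0.1:53 (the guide's setup, which 2.8.x refuses to save); the third
points at its own interface address. Element names are assumed to mirror a
pfSense config.xml <nat><rule> entry and are not copied from a real export.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_CONFIG = """<pfsense><nat>
  <rule><interface>lan</interface><protocol>tcp/udp</protocol>
    <destination><any/><port>53</port></destination>
    <target>127.0.0.1</target><local-port>53</local-port></rule>
  <rule><interface>opt1</interface><protocol>tcp/udp</protocol>
    <destination><any/><port>53</port></destination>
    <target>127.0.0.1</target><local-port>53</local-port></rule>
  <rule><interface>opt2</interface><protocol>tcp/udp</protocol>
    <destination><any/><port>53</port></destination>
    <target>192.168.20.1</target><local-port>53</local-port></rule>
</nat></pfsense>"""


def load_port_forwards(xml_text):
    """Return (interface, protocol, target_ip, target_port) for each NAT rule."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("./nat/rule"):
        rules.append((
            rule.findtext("interface"),
            rule.findtext("protocol"),
            rule.findtext("target"),
            int(rule.findtext("local-port")),
        ))
    return rules


def find_overlaps(rules):
    """Group rules by NAT target (ip, port, protocol) and return the targets
    claimed by more than one interface, with the interfaces involved."""
    by_target = defaultdict(list)
    for iface, proto, ip, port in rules:
        by_target[(ip, port, proto)].append(iface)
    return {key: ifaces for key, ifaces in by_target.items() if len(ifaces) > 1}


if __name__ == "__main__":
    for (ip, port, proto), ifaces in find_overlaps(load_port_forwards(SAMPLE_CONFIG)).items():
        print(f"{ip}:{port}/{proto} is the NAT target on {', '.join(ifaces)} -> overlap")
```

Run it against an exported config.xml (after adjusting the element names to match your export) to see every interface pair that will trip the overlap check.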

I think starting around pfSense 2.7.x the NAT engine was updated to prevent duplicate destination IP/port combinations in port forwards, even if they’re scoped to different interfaces.

There might be a workaround using I would have to do some testing; in the meantime, check their forums as someone else may have a fix.

Thanks for the response. Here’s hoping you can figure something out. I haven’t had much luck.

I tried rewriting the NAT rules to use the interface gateway (192.168.x.1) on port 53 instead of 127.0.0.1 but I kinda figured it wasn’t going to be that easy. And it wasn’t. That got rid of the port conflict error but still no joy. So, I’m missing something somewhere but I’m close…I think.

I’ve been checking the Netgate forums and there are some similar issues, but nothing quite the same. I’ll try posting there too and see if someone can throw me a bone.

Thanks again for looking into it.

KA

I’m having a hard time understanding the use case for this. Why are you trying to bind 2 different public IP addresses to the same destination IP and port?

Fair point. This is a home lab, after all. I’m actually trying to bind internal interfaces. The goal is to keep DNS in-house, so to speak, and only go upstream for destinations that can’t be resolved internally, and then only to DNS servers that I choose. I have multiple VLANs for different purposes; have for years. Mind you, without this level of complexity. After stumbling on the guide I linked in my first post, I figured I’d step outside my comfort zone a little. My networking skills are…well, they’re okay, but there’s no risk of ever becoming a network admin. This is pretty advanced stuff for me. Still, I like to learn and play around with things, so this seemed like an interesting idea with some potential for securing the homestead.

Good afternoon, folks…

Quick question for those who might be in the know. I’m at work, so I can’t test anything until this evening, so maybe someone can answer this question in the meantime.

Since my issue is a conflict with the Redirect IP and Port (127.0.0.1:53) on multiple interfaces, can I simply change the loopback IP? Does anyone know if pfSense supports the full 127.0.0.0/8 address space for loopback? And if it does, would this work around the issue with the NAT Port Forwards (assuming Unbound is configured to listen on “localhost”)?

Thanks, KA

I may be confused also, but this sounds more like split DNS than NAT Port Forward. Just from what I can gather from your writing and some of the responses.