pfSense NAT WAN rule question

I’ve decided I don’t understand pfSense firewall rules like I thought I did.

I have a static wan IP address that I’ve got a 1:1 nat to an internal box. When I set up the firewall rules, I did this under the WAN tab for the wan IP and port I wanted to open. However, attempts to connect failed.

When I look at the logs, the firewall shows the request from the WAN interface directly to the NAT address. Is this common? It feels very strange to create a WAN rule to open up directly to an internal NAT address. I’ve tested this on a port, and it appears to work, but I don’t really understand why this is the case. Why wouldn’t the rule be to the WAN IP, since it’s how the traffic is coming into the firewall?

That has to do with the order that the rules are processed in pfSense.

NAT rules are processed before firewall rules, so the destination addresses of any NATed traffic (1:1 or individual ports) coming in the WAN interface get rewritten to the internal address and only then is the traffic matched against the firewall rules. Therefore you end up with local destination addresses on the WAN firewall page. It is perfectly normal behavior.

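To make that order of operations concrete, here is a small added model of the packet path (written for this thread, not code from pfSense or from the poster). The addresses 203.0.113.10 (WAN) and 10.0.0.5 (internal host) are constructed examples, and the model keeps only what matters here: 1:1 NAT rewrites the destination first, then the WAN filter rules are evaluated first-match-wins with an implicit default block. It shows why a WAN rule written against the public IP never matches, while the same rule written against the internal address does.

```python
"""Toy model of pfSense inbound processing on WAN: NAT first, then filter.

Assumption (labelled): this is a simplified illustration, not pfSense's
actual pf rule set. Addresses below are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

WAN_IP = "203.0.113.10"    # constructed public address (1:1 NAT external side)
INTERNAL_IP = "10.0.0.5"   # constructed internal host (1:1 NAT internal side)


@dataclass(frozen=True)
class Packet:
    iface: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class BinatRule:
    """1:1 NAT mapping on an interface: external <-> internal, all ports."""
    iface: str
    external: str
    internal: str


@dataclass(frozen=True)
class FilterRule:
    """A firewall rule as seen on the WAN tab; dst/dport of None mean 'any'."""
    iface: str
    action: str            # "pass" or "block"
    dst: Optional[str]
    dport: Optional[int]


def apply_nat(pkt: Packet, binat: List[BinatRule]) -> Packet:
    """Rewrite the destination if a 1:1 mapping exists for this interface."""
    for rule in binat:
        if rule.iface == pkt.iface and rule.external == pkt.dst:
            return replace(pkt, dst=rule.internal)
    return pkt


def filter_packet(pkt: Packet, rules: List[FilterRule]) -> str:
    """First matching rule wins; nothing matched means the default block."""
    for rule in rules:
        if rule.iface != pkt.iface:
            continue
        if rule.dst is not None and rule.dst != pkt.dst:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "block"


def process(pkt: Packet, binat: List[BinatRule],
            rules: List[FilterRule]) -> Tuple[str, str]:
    """NAT is applied before filtering; return (verdict, dst as the filter saw it)."""
    translated = apply_nat(pkt, binat)
    return filter_packet(translated, rules), translated.dst


def demo() -> dict:
    """Compare a WAN rule aimed at the public IP with one aimed at the NAT target."""
    binat = [BinatRule("wan", WAN_IP, INTERNAL_IP)]
    inbound = Packet(iface="wan", dst=WAN_IP, dport=443)

    # The rule the question expected to work: destination = WAN IP.
    rule_on_wan_ip = [FilterRule("wan", "pass", WAN_IP, 443)]
    # The rule pfSense actually needs: destination = internal address.
    rule_on_internal = [FilterRule("wan", "pass", INTERNAL_IP, 443)]

    return {
        "wan_ip_rule": process(inbound, binat, rule_on_wan_ip),
        "internal_rule": process(inbound, binat, rule_on_internal),
    }


if __name__ == "__main__":
    for name, (verdict, seen_dst) in demo().items():
        print(f"{name}: filter saw dst={seen_dst}, verdict={verdict}")
```

The log entry the question describes (WAN interface, destination already showing the internal address) is exactly the `seen_dst` value here: by the time the filter logs anything, the 1:1 translation has already happened.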

Ah, thanks. I had overlooked that detail (or just not understood it if I did see it). That should help me clean up several rules that I now realize are completely useless.

Thanks again!!