---
title: OPNsense Port Forwarding
description: Detailed guide for enabling ports using Aliases and NAT Reflection in OPNsense
author: wompmacho
date: '2026-04-05T15:30:00-04:00'
lastmod: '2026-04-05'
tags: ['opnsense', 'networking', 'firewall', 'port-forwarding', 'pterodactyl']
---

## Overview

This guide covers the "Pro" method for managing port forwarding in OPNsense using **Aliases**. This approach simplifies management by grouping ports together, ensuring that firewall rules and NAT entries stay synchronized automatically.

---

## 1. Create a Port Alias

Instead of creating individual rules for every port, we group them into an Alias.

1. Navigate to **Firewall → Aliases**.
2. Click the **+** (plus icon) to add a new alias.
3. **Name:** e.g., `Pterodactyl_Ports`.
4. **Type:** Select **Port(s)**.
5. **Content:** Enter your required ports (e.g., `7777`, `27015`). You can also enter ranges like `7778:7780`.
6. Click **Save** and then **Apply**.

---

## 2. Configure Destination NAT (Port Forward)

The NAT rule tells the firewall where to redirect incoming external traffic.

1. Navigate to **Firewall → NAT → Port Forward**.
2. Click **Add** to create a new rule.
3. **Interface:** `WAN`.
4. **TCP/IP Version:** `IPv4`.
5. **Protocol:** `TCP/UDP` (common for game servers like Unreal Engine/Steam).
6. **Destination:** `WAN address`.
7. **Destination port range:** Select your alias (e.g., `Pterodactyl_Ports`) for both the "from" and "to" boxes.
8. **Redirect target IP:** The internal IP of your server (e.g., `10.0.0.110`).
9. **Redirect target port:** Select the same alias (`Pterodactyl_Ports`). This ensures a 1:1 mapping for all ports in the group.
10. **Firewall rule:** Select **`register rule`**. This is critical as it automatically creates and manages the corresponding WAN firewall permission.
11. Click **Save**.

---

## 3. Enable NAT Reflection (Hairpin NAT)

To access your server using the external IP or domain while *inside* your local network, you must enable NAT Reflection.

### Global Configuration

1. Navigate to **Firewall → Settings → Advanced**.
2. Under **Network Address Translation**:
    * Check **Reflection for port forwards**.
    * Check **Reflection for 1:1**.
    * Check **Automatic outbound NAT for Reflection**.
3. Click **Save**.

### Per-Rule Overrides (Optional)

If the global setting is not desired, you can enable it on the specific NAT rule:

1. Edit your NAT rule in **Firewall → NAT → Port Forward**.
2. Scroll to **NAT reflection** and select **Enable**.
3. Click **Save**.

---

## 4. Static Port (Outbound NAT)

Many game servers (especially those using Steam Query) require "Static Port" to be enabled so that their source port isn't randomized by the firewall.

1. Navigate to **Firewall → NAT → Outbound**.
2. Select **Hybrid outbound NAT rule generation** and click **Save**.
3. Click **Add** to create a manual rule at the top.
4. **Interface:** `WAN`.
5. **Source address:** Your server's internal IP (e.g., `10.0.0.110/32`).
6. **Static Port:** Check **YES**.
7. Click **Save** and **Apply Changes**.

---

## Summary of Settings

| Setting                       | Value                        |
| :---------------------------- | :--------------------------- |
| **Alias Type**                | Port(s)                      |
| **Firewall Rule Association** | `register rule`              |
| **NAT Reflection**            | Enabled (Global or Per-Rule) |
| **Outbound NAT**              | Static Port: YES             |
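
---

## Auditing the Exposed Ports (Added Example)

Because the alias from step 1 drives both the NAT entry and the registered WAN rule, every port in it is exposed, including each port inside a range. The script below is an added example, not part of the original guide or of OPNsense: it expands alias content into the exact port list, probes each port over TCP, and flags forwarded ports that have no intended service. The function names and the `expected_listening` set are assumptions, and only TCP is probed, so UDP-only ports show as closed.

```python
import socket

def expand_port_alias(entries):
    """Expand port alias content ('7777', '7778:7780') into a sorted port list."""
    ports = set()
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        lo, sep, hi = entry.partition(":")
        if not sep:              # single port, not a range
            hi = lo
        if not (lo.isdigit() and hi.isdigit()):
            raise ValueError(f"not a port or range: {entry!r}")
        lo, hi = int(lo), int(hi)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range: {entry!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def tcp_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds. UDP is not checked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_forward(alias_entries, host, expected_listening):
    """Compare the ports a forward exposes with the ports meant to have a service."""
    forwarded = expand_port_alias(alias_entries)
    report = {"forwarded": forwarded, "open": [], "closed": []}
    for port in forwarded:
        (report["open"] if tcp_open(host, port) else report["closed"]).append(port)
    # Forwarded but not intended: candidates for removal from the alias.
    report["unexpected"] = [p for p in forwarded if p not in expected_listening]
    return report

if __name__ == "__main__":
    # Constructed sample: the alias content and target IP used as examples in this guide.
    alias = ["7777", "27015", "7778:7780"]
    print(audit_forward(alias, "10.0.0.110", expected_listening={7777, 27015}))
```

Run it from a LAN host against the redirect target IP; anything listed under `unexpected` is reachable from the WAN without a service you intended to publish.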