Hacker News

EnigmaCurry, today at 5:37 AM

> Many home routers try to preserve the source port in external mappings. This is a property called “equal delta mapping” – it won’t work on all routers but for our algorithm we’re sacrificing coverage for simplicity.

It is precisely this point that has flummoxed me when connecting my p2p WireGuard config[1] with a friend who uses a pfSense router: no matter what we tried, pfSense always chooses a random source port.

But in the simple case this blog outlines, if both ends use the same source port, this method punches through 2 firewalls effortlessly:

[1] https://blog.rymcg.tech/blog/linux/wireguard_p2p/


Replies

jonathanlydall, today at 6:27 AM

Does your friend setting up port forwarding on their pfSense not help in your scenario?

getcrunk, today at 8:41 AM

AI ANSWER: (lightly edited)

The Solution (Static Port)

To fix this without a permanent port forward, you must enable Static Port in pfSense's Outbound NAT. This doesn't open a hole to the world; it simply tells pfSense: "When this internal IP sends UDP traffic, do not rewrite the source port."

Navigate to Firewall > NAT > Outbound.

Switch to Hybrid Outbound NAT (if not already).

Add a rule at the top:
  Interface: WAN
  Protocol: UDP
  Source: [Friend's WireGuard Internal IP/Port]
  Destination: [Your Public IP]
  Translation: Check Static Port.

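Added example, not code from either commenter or from pfSense: a toy model of the outbound NAT behaviour discussed in EnigmaCurry's post and in the Static Port answer above. `ToyNat` with `static_port=True` preserves the internal source port (equal delta mapping / pfSense Static Port); with `static_port=False` it picks a random external port. `hole_punch` has both peers guess that the other's external port equals its listen port, which only works when both routers preserve the port. The IPs and port 51820 are constructed sample values.

```python
import random

# Toy model of a home router's outbound UDP NAT (constructed for illustration).
# static_port=True models pfSense "Static Port" / equal delta mapping: the
# external port equals the internal source port. static_port=False models the
# default behaviour described above, where the router picks a random port.
class ToyNat:
    def __init__(self, public_ip, static_port, seed=0):
        self.public_ip = public_ip
        self.static_port = static_port
        self.rng = random.Random(seed)
        self.mappings = {}   # (inner_ip, inner_port) -> external port
        self.allowed = {}    # (external port, remote endpoint) -> inner socket

    def outbound(self, inner_ip, inner_port, dst):
        """Internal host sends to dst; returns the external (ip, port) used."""
        key = (inner_ip, inner_port)
        if key not in self.mappings:
            self.mappings[key] = (inner_port if self.static_port
                                  else self.rng.randrange(1024, 65536))
        ext_port = self.mappings[key]
        # Address-and-port-restricted filtering: only packets from dst may
        # come back in through this mapping.
        self.allowed[(ext_port, dst)] = key
        return (self.public_ip, ext_port)

    def inbound(self, src, ext_port):
        """Packet from src hits public_ip:ext_port; returns inner socket or None."""
        return self.allowed.get((ext_port, src))

def hole_punch(nat_a, nat_b, port=51820):
    """Both peers assume the other's external port equals its WireGuard listen
    port and send at the same time (retries collapsed into one round)."""
    a_inner, b_inner = ("10.0.0.2", port), ("192.168.1.2", port)
    guess_b, guess_a = (nat_b.public_ip, port), (nat_a.public_ip, port)
    a_ext = nat_a.outbound(*a_inner, dst=guess_b)
    b_ext = nat_b.outbound(*b_inner, dst=guess_a)
    a_reaches_b = nat_b.inbound(src=a_ext, ext_port=guess_b[1]) == b_inner
    b_reaches_a = nat_a.inbound(src=b_ext, ext_port=guess_a[1]) == a_inner
    return a_reaches_b and b_reaches_a

if __name__ == "__main__":
    both_static = hole_punch(ToyNat("203.0.113.1", True), ToyNat("198.51.100.1", True))
    one_random = hole_punch(ToyNat("203.0.113.1", True), ToyNat("198.51.100.1", False))
    print("both routers preserve source port:", both_static)   # True
    print("one router randomises source port:", one_random)    # False
```

The second case is the pfSense-without-Static-Port situation: peer A's packet lands on a port B's router never mapped, and B's reply comes from a port A did not allow, so neither direction gets through.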