Hacker News

EnigmaCurry, today at 5:37 AM (3 replies)

> Many home routers try to preserve the source port in external mappings. This is a property called “equal delta mapping” – it won’t work on all routers but for our algorithm we’re sacrificing coverage for simplicity.

It is precisely this point that has flummoxed me when connecting my p2p WireGuard config [1] with a friend who uses a pfSense router; no matter what we tried, pfSense always chose a random source port.

But in the simple case this blog outlines, if both ends use the same source port, this method punches through 2 firewalls effortlessly:

[1] https://blog.rymcg.tech/blog/linux/wireguard_p2p/


Replies

hdgvhicv, today at 10:56 AM

In my experience, Cisco ASA does source port persistence by default (when it can't do it then it falls back to random), FortiGates can do it (in various ways depending on version, although the fallback method in the map-ports doesn't work), Juniper SRXs can't, unless you guarantee a 1:1 map.

jonathanlydall, today at 6:27 AM

Does your friend setting up port forwarding on their pfSense not help in your scenario?

getcrunk, today at 8:41 AM

AI ANSWER: (lightly edited)

The Solution (Static Port)

To fix this without a permanent port forward, you must enable Static Port in pfSense's Outbound NAT. This doesn't open a hole to the world; it simply tells pfSense: "When this internal IP sends UDP traffic, do not rewrite the source port."

Navigate to Firewall > NAT > Outbound.

Switch to Hybrid Outbound NAT (if not already).

Add a rule at the top:

Interface: WAN

Protocol: UDP

Source: [Friend's WireGuard Internal IP/Port]

Destination: [Your Public IP]

Translation: Check Static Port.

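The two threads above (EnigmaCurry's observation that punching works only when both NATs keep the source port, and the pfSense "Static Port" fix) come down to one mechanism: each peer sends to the other's public IP at the other's WireGuard ListenPort, so the attempt only succeeds if the remote NAT mapped that ListenPort to itself. The following Python model is an added example, not code from the thread, from the linked blog, or from pfSense. It simulates two NATs with configurable port-preservation policy and runs the simultaneous UDP exchange through them. The LAN and public addresses are constructed (RFC 5737 documentation ranges), and the fallback behaviour (a "static port" NAT rewriting when the port is already taken by another LAN host, as hdgvhicv describes for Cisco ASA) is an assumption of the model rather than a claim about any specific product.

```python
import random
from dataclasses import dataclass, field

# Constructed LAN endpoints: (address, WireGuard ListenPort) of each peer.
PEER_A = ("10.0.0.2", 51820)
PEER_B = ("192.168.1.2", 51820)

_rng = random.Random(7)  # fixed seed so the simulation is reproducible


@dataclass
class Nat:
    """Minimal NAT/firewall model: an outbound flow creates a port mapping plus
    a pinhole that admits replies only from the exact (ip, port) contacted."""
    public_ip: str
    static_port: bool                                 # preserve source port when free
    mappings: dict = field(default_factory=dict)      # (src, dst) -> external port
    used_ports: set = field(default_factory=set)      # external ports already taken
    pinholes: set = field(default_factory=set)        # (ext_port, remote_ip, remote_port)

    def _pick_port(self, int_port):
        if self.static_port and int_port not in self.used_ports:
            return int_port
        # Random rewrite: the default policy, and the assumed fallback of a
        # static-port NAT on collision. Modelled as never landing on int_port
        # so that the outcome is deterministic.
        while True:
            p = _rng.randint(1024, 65535)
            if p != int_port and p not in self.used_ports:
                return p

    def outbound(self, src, dst):
        """Forward a datagram from internal src=(ip, port) to dst=(ip, port).
        Returns the (public_ip, external_port) the far side will see."""
        key = (src, dst)
        if key not in self.mappings:
            ext = self._pick_port(src[1])
            self.mappings[key] = ext
            self.used_ports.add(ext)
        ext = self.mappings[key]
        self.pinholes.add((ext, dst[0], dst[1]))
        return (self.public_ip, ext)

    def inbound(self, ext_port, remote):
        """True if a datagram from remote=(ip, port) to ext_port is admitted."""
        return (ext_port, remote[0], remote[1]) in self.pinholes


def hole_punch(nat_a, nat_b, peer_a=PEER_A, peer_b=PEER_B):
    """Both peers send to the other's public IP at the other's ListenPort,
    i.e. each assumes the remote NAT preserved the source port. Returns True
    only if datagrams are admitted in both directions."""
    seen_a = nat_a.outbound(peer_a, (nat_b.public_ip, peer_b[1]))
    seen_b = nat_b.outbound(peer_b, (nat_a.public_ip, peer_a[1]))
    a_reaches_b = nat_b.inbound(peer_b[1], seen_a)
    b_reaches_a = nat_a.inbound(peer_a[1], seen_b)
    return a_reaches_b and b_reaches_a


def collided_static_nat(public_ip):
    """A static-port NAT whose external port 51820 is already held by another
    LAN host (constructed flow to a DNS server), forcing the fallback rewrite."""
    nat = Nat(public_ip, static_port=True)
    nat.outbound(("192.168.1.3", 51820), ("192.0.2.9", 53))
    return nat


if __name__ == "__main__":
    both = hole_punch(Nat("203.0.113.1", True), Nat("198.51.100.1", True))
    one_random = hole_punch(Nat("203.0.113.1", True), Nat("198.51.100.1", False))
    collided = hole_punch(Nat("203.0.113.1", True), collided_static_nat("198.51.100.1"))
    print("both static port:       ", both)
    print("one side random rewrite:", one_random)
    print("static port, collision: ", collided)
```

With both NATs preserving the port the exchange succeeds; if either side rewrites (pfSense's default outbound NAT, or a static-port device falling back on a port collision), the datagram arrives at a port with no matching pinhole and is dropped, which is the failure EnigmaCurry describes and the Static Port rule is meant to remove.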