I am stumped. Trying to create a simple forwarding rule and I keep failing.
I need any port 80 request from outside or inside networks, to be routed to a certain internal IP, port 8504.
All my trials failed.
As you are trying to create a Port Forwarding rule then you need to set the NAT option in the firewall rule creation and from your screenshot that is not selected.
The wiki gives more info on creating a Port Forward firewall rule and Step 2 in the following link covers the NAT section.
I guess I don’t understand the word “source”.
To me the source is the device that initiates the transaction. Source like my phone trying to reach, over port 80, my self-hosted server (destination), at server port 8504.
If I left the “source port” empty, the External port NAT 80 was taken into consideration.
The port forwarding rule guide is correct for WAN port 80 redirect.
But redirect all port 80 inside network traffic, I would think the source would have to be firewall->all. But I think your request for this is for something it's not supposed to do anyways. Because the only applicable function for this would be a web portal. Which is done elsewhere.
So you have multiple web sites on one network, but using ports (default Apache method) instead of using host names (default Nginx method) and one server for multiple web sites.
Just one website, but it’s not on port 80 because of possible conflicts with some other similar software.
It’s an ADS-B tracking site that I like to be available to me from the internet.
No-IP free web name.
It works now, the forwarding setup was confusing for me.
Yes. I didn’t understand initially the purpose of “Source port”. I missed the part that was saying to leave it blank.
It’s kind of confusing to even have that option there IMO.
* Choose a protocol, TCP, UDP are the most common.
* Source port: = Blank, This is the port the client was using to talk to you.
* Destination port: = The port the server is listening to.
* External port (NAT): The port number the rest of the world will talk to, normally "Blank" for the same port as Destination port.
I mean… I put initially 80 in both sides and it wasn’t working. Leave that one blank, and it works.
I appreciate all your work and effort.
Sometimes for a newcomer like me it is not clear what an option means. I’m not an uber hacker, however I think I know enough to be dangerous. For myself.
I don’t know why the sIP:port would be different from publicIP:port.
Maybe for some that would be helpful, but in my case it wasn’t working with both set at 80.
It works perfectly with the first one blank (like in the picture), so IMO that could even be greyed out when NAT is selected.
The only reference to “Source port” is that one… leave it blank. And I misread it.
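Why the rule only matched with Source port left blank, as an added example that is not part of the thread and not the firewall's own code: a simplified model of how a forwarding rule is matched against incoming packets. The internal address 192.168.1.50, the client address 203.0.113.7 and all function names are constructed for illustration.

```python
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    protocol: str
    source_port: Optional[int]  # None = blank, i.e. match any client port
    external_port: int          # "External port (NAT)": what the outside connects to
    internal_ip: str            # constructed internal server address
    destination_port: int       # port the internal server listens on


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_port: int


def apply_forward(rule: ForwardRule, pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) the packet is rewritten to, or None if the rule does not match."""
    if pkt.protocol != rule.protocol or pkt.dst_port != rule.external_port:
        return None
    # A non-blank source port is an extra condition on the *client's* port.
    if rule.source_port is not None and pkt.src_port != rule.source_port:
        return None
    return (rule.internal_ip, rule.destination_port)


def browser_request(src_ip: str, rng: random.Random) -> Packet:
    # The client OS picks an ephemeral source port (IANA dynamic range used here);
    # only the destination port is 80.
    return Packet("tcp", src_ip, rng.randint(49152, 65535), 80)


def hit_rate(rule: ForwardRule, n: int = 1000, seed: int = 1) -> float:
    """Fraction of n simulated browser requests that the rule forwards."""
    rng = random.Random(seed)
    hits = sum(apply_forward(rule, browser_request("203.0.113.7", rng)) is not None
               for _ in range(n))
    return hits / n


WORKING = ForwardRule("tcp", None, 80, "192.168.1.50", 8504)  # Source port blank
BROKEN = ForwardRule("tcp", 80, 80, "192.168.1.50", 8504)     # 80 "in both sides"

if __name__ == "__main__":
    print("blank source port:", hit_rate(WORKING))
    print("source port 80:   ", hit_rate(BROKEN))
```

A filled-in Source port is only useful when the client is known to send from a fixed port, which ordinary web browsers never do.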
One thing to point out in addition to this, is blank + “any” on source port.
The only other setting is source NAT which automatically works, but really red is the only valid entry. Also, you would add the public No-IP host name in the hosts. Then finally add another firewall rule like this for UDP.
I want to be able to filter the access to my webserver per country’s IP.
I don’t need to have China, N. Korea, Vietnam, etc. looking at my ADS-B flights.
DMZ would require me to double up this filtering effort inside my other Ubuntu machine.