@Shack How is the gateway monitoring setup? Do you mean if you login to your friend's firewall, the gateway shows as offline with 100% packet loss?

If that is the case, then you might want to either change the Monitor IP on the gateway or disable monitoring completely as a test.

@Gblenn

I did get it working. I removed the Firewall LAN rules and the NAT Outbound rules and reverted the other NAT setting back to stock. The only thing I needed to configure on the PFSense side was the UPnP module nothing else. The issue I had was that PFSense was trying to perform a UPnP discovery on my local clients which was getting blocked by the Windows firewall. Once I opened up those ports on my clients, UPnP via PFSense worked perfectly. Yes I agree, I have way more ports open that what is needed, currently playing COD Black OPS 6. I will reduce the port range when I have a second.

This was on PFSense+ 24.11-RELEASE

Here is my current config:

34ec9a7c-e09e-46d7-bdbf-dc199b8cda34-image.png
92bc2a61-4a8c-41c3-b224-df7f30c28890-image.png

I needed to add the following firewall rules on my Windows Gaming PC's, port requirements came from PFSense document so I added all 3.

605a8313-1e44-411c-8f05-de89eaf1aac3-image.png

11b03718-c557-4c05-b297-501aac301c2d-image.png

As mentioned now I get "Open" NAT in BOPS6 on both PC's at the same time !

f0073c39-db45-44ae-9af0-5142e2fd4bc4-image.png

@SteveITS said in Port Forward is Ignored:

There is also the “don’t block the world, allow your country” discussion which takes much less memory.

^Exactly - I use this method.. I only want US ips and currently Belgium (family living there using my plex) - so I just allow those in my port forwards and wan rules.. This by its very nature blocks all the other ones.. No reason to load up into the tables of bad countries IP of them, all need to load is the IPs that are US and Belgium.

@Gammon

I used this guide ones to route out traffic over to a VPN, from pfSense to a VPN ISP.

@CubedRoot
1:1 NAT of multiple IPs to a single backend IP cannot work at all.
1:1 means, that packets addressed to the external IP are forwarded to the internal IP AND outbound traffic from the internal IP is natted to the stated external IP.
While the first part might be possible, the second cannot be done. Which external IP should be used for outbound traffic of the single internal? The first, the second, both alternating?

You should rather configure port forwarding rules for both external IP.

If you also want to use these IPs for outbound traffic from the server set up an outbound NAT rule for it.
You can translate it to one of them or to both alternating by adding both to an alias and use it as translation address in round-robin mode.

@Gertjan thx for the explanation.
As the problem seems to be related to the php interpreter memory pool and the computer i'm testing on (2sockets - 2 cores of a i7-6700 with 6G of ram) seems pretty weak for the use case i'm trying to to implement.
I'm gonna try to see if a can do some test on the server the app will be deploy on.

For the firewall related rule, i meant an option in the php script as the goal is to aumotate all the LXC handling process.
It works in "pass" mode but i guess it would be better with a firewall rule ?

I will give a feedback after some tesing (if they let me play with the big toys :p )

@Bob-Dig Hmm, did you try to only reboot the TS VM? How did you set up network for the VM? Firewall on or off, any extra bridging or VLAN? I have had TeamSpeak running for years without one single problem. But even so, I run two servers on separate machines and use keepalived to manage the master/backup setting...

I see now that the other ports are optional, and it's only 9987 required for voice. And it's likely the same port for the chat function so I guess it's time to close the other two...

@marcg said in Should Port Forwards work with Interface Groups?:

default NAT reflection policy?

Disabled.

@marcg Good info. That makes sense then. It's essentially a DMZ passing through the external IP. Still not sure how both the att router and my pfSense passthrough can have the same IP but I'll chalk it up to magic.

In any case, I have it working great now. I can reach my iLO gui if for whatever reason the pfsense goes down, I can reboot or reconfigure it to get everything back up remotely.

@marcg I agree manipulation of any dns should be opt in for sure.. If I want you to filter stuff, or help with my typo's etc.. I would point to the IP specifically that you offer those services up on.

If you offer such service, I should be able to point to any other dns I wan't and your not going to mess with the traffic - shouldn't have to opt-out if not pointing to your dns that is for damn sure.

Default opt-in is rarely a good thing for anything.. No matter what services they are providing - the user should have to opt-in in some way if you ask me.

One of the pet peeves I have with doh - many of these browsers like to turn it on by default, which is not the way to go about it.. If its so good inform the users and they will enable it if they want too. If you turn it on by default - tells me its not so good of a thing.. Seems like to me your trying to sneak it in under the radar.

I resolved the issue but factory resetting the Netgate device and restoring the config.

Figured it out!!

It was a docker container problem. Docker container was set to use ipvlan, so changed to macvlan.

And changed host access to custom networks to enabled.

Now I can post from my docker container.

Ok.. now trying to figure out how to access emby from wan.

@Bob-Dig said in Bug outbound nat after upgrade in 24.11:

While I have encountered problems with the implementation in CE, I don't see those in Plus.

Maybe check or delete and recreate the aliases, they can make problems too.

Reply

thanks for the blog page
After reset/kill all state, the outbound nat is ok, after reboot, also ok

@idgeng said in 2100, telstra and tplink vr2800 in Australia:

TPLInk VR 2800 modem in bridged mode

It might be so that Telstra expects the MAC address of the TPLink device? And when you connect in bridge mode, it get's the MAC of pfsense instead.
Solution would be to spoof the MAC in pfsense... Go to Interfaces > WAN and enter the TPLink MAC address in this field, and click save:

80f63931-91b8-4d12-8c8b-c4b6b387fd9d-image.png

@Antibiotic Really? And how would any of those two things be related to your outgoing ports?

@johnpoz / @viragomann / @Gblenn Thanks for all your help. I set it up that way and it was much easier, worked right away. I appreciate the time you spent helping me out on this :)

@slu Yes, exactly, if you have not changed anything in pfsense you have your default Allow LAN to any rule, unless you have removed that...
Usually this rule is at the very bottom of the rules list under LAN...