@kiokoman sorry outbound rules are for all the lan yes so nas itself also

@viragomann Good works great however i have one problem that i had before my website times out when connecting to my static ip (which is port forwarded to my nas) from outside (and inside my lan except the http port which loads the gui of pfsense and not my website) here are some pics

what do i do wrong ? basically when i try to connect to my static ip via web ssh etc it times out

Thanks

pf11.png pf22.png

@MarkCabrera
So the "modem" is a router indeed, or what are you trying to set up?
What did the ISP give you?

this fixed my issue for anyone else finding there way to this same issue alt text
https://www.reddit.com/r/PleX/comments/77b151/can_access_server_via_browser_but_not_apps/

@AkkerKid-0
pfSense applies only one single filter rule on incoming packets. But there is a strict order and the first which matches gets applied.
See Rule Processing Order for details.

hi @johnpoz so i ended up rebooting and started to work, very odd cant seem to find out the issue

@dmayle Self-replying here.

It looks like I should be using a VIP (Virtual IP Address) of type "Other":

Other type VIPs define additional IP addresses for use when ARP replies for the IP address are not required. The only function of adding an Other type VIP is making that address available in the NAT configuration drop-down selectors. This is convenient when the firewall has a public IP block routed to its WAN IP address, IP Alias, or a CARP VIP.

@SteveITS Correct, but this is in relation to NAT reflection, so the IP is being accessed externally.

I just didn't understand this setting until now. All it's doing is NATing the source IP to the routers IP on that interface, this way if the client tries to connect to the web server's public IP, but the web server is on the same subnet as the client, the web server itself sees the connection coming from the routers default gateway IP, this way it responds back to the router instead of trying to direct connect to the client (since they're on the same layer 2), so that the NAT reflection can NAT things back like it should.

I was trying to figure out why NOT having this setting enabled under Advanced > Firewall & NAT was still working, but that was simply because the NATing of the source was not necessary since the web server is on it's own subnet, so the web server is going to reply to the default gateway on it's subnet regardless.

As for split DNS that is exactly what I would normally do, but this is a bit more complex of an environment, but NAT reflection works perfectly in the meantime, I was just trying to be sure I fully understood the settings I was looking at.

All makes sense now though! Appreciate the replies here.

Hi Derelict!
I am in the exact same situation as NekoSema and tried to solve it the same way, before stumbling upon this thread.
I already did what you said, except for:

"X.X.28.3 needs to know to route traffic for X.X.96.0/24 back to pfSense. (Guessing on the subnet since it was unspecified.)"

I don't know how to accomplish that. I thought it might be a static route, but I don't know how to define it.
I know this thread is old, but it is the exact description of the situation that I am facing.

@eiger3970-0 said in I port forwarded, but why is port still closed?:

run VM OPNsense

I think your lost..

vm router pfSense 23.1.11_1-amd64

There is no such version of "pfsense" - again your on the wrong forums.. Ask over on the software your using forums.

But common issues with port forwarding, is the port never actually gets to your edge, sniff on your wan to validate traffic is actually getting to your router that is going to forward traffic. Where your forwarding has its own firewall, that is not allowing the traffic, your using the wrong port, or the port your app is listening on is different than you think, or its not even running. Or you device your forwarding to isn't using the device your forwarding from as its gateway.

That is an odd place for it to throw an error. It suggests it had a problem writing that file out.

Gut feeling says it may be hardware (e.g. disk/ssd) but it could just be the filesystem if it's UFS. Running a filesystem check a few times might help.

If the disk is using ZFS then it's more likely to be hardware.

@Octopuss Ha, problem identified: ESET Smart Security's firewall. I have no idea what it does, but it blocks this. I forgot the software had actual firewall in it. Now I have to dig into the settings, bleh.

@viragomann Thanks, that's got this working now

@cysec
So obviously the Windows machine is not able to resolve host names.

As you've did the network settings on the vm manually, you need also to configure a DNS server to be used. By default pfSense provides the DNS resolver, so you can set the pfSense interface IP as DNS on Windows.

@viragomann , thank you.

It was indeed a floating firewall rule that was causing the problem.

After disabling it, all is working as expected again.

@viragomann
Cool! Thanks for the suggestion.

@3Texans By any chance, did you get it to work? I moved from Ubi Edge router Lite to PfSense and Obi200 GV config is broken for me. Would really appreciate if you could throw some lights in case if you were able to fix it.

Lets hope it is for a good cause.

Update, I Was never able to get this working properly, but Now that the 2.7.0 update has been released, once I updated, everything is working as expected. not sure if it was some sort of Hyper-V Driver issue, or some other bug that was fixed in this release.... just glad I can utilize my secondary internet connection better now. thanks for all the help!

@SteveITS Thank you! It was not. One other thing I forgot was I had DNS over TLS and some off these settings weren't properly configured. (https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html) with this properly configured even my work PC which tries to leverage a cooperate DNS server is forced back to my resolver (which properly resolves to my LAN address inside the network). At some point I will try your option which is also a great solution.
Thanks for your reply!
-b

@DirectRaw If that packet capture was on the VTI, it means your routes on pfSense1 are correct.

What about pfSense2? Do you have a route to send traffic to destination 172.19.0.1 through the VTI?

@ivarh
The outbound NAT rules are applied to interfaces. So they have nothing to do with gateway groups at all.
If you want them to specify only once for multiple interfaces, you can create an interface group and apply the rules to this.

@GameHoundsDev said in allow access from internal device to another internal device:

I am trying to allow internal VM to communicate with another VM

You need both

Ethernet level 2 connection. This is most easily done by having them on the same LAN. Within Proxmox that is done most easily by having them on the same bridge (the virtual equivalent of a physical Ethernet switch)

IP routing (if you intend to use a WAN IP to access a local LAN device). Look at NAT reflection

@fejzulla-neziri said in advanced configuration:

also services dns resolver
Host Overrides added domains but nithing

This is the preferred method to go, presumed your local computers use the DNS Resolver to resolve host names.

So ensure that they do conventional DNS requests, not DoH.

Consider to redirect all DNS requests to the localhost on all internal interface and to block DoH with pfBlockerNG.

Also ensure that you firewall rules allow access to the web servers.

@keyser thanks again

Bluntly, no. Not without a much better documented use case for this patch, along with tests and some sort of indications that the author (or someone...) will maintain it. Right now it is abandoned, and doesn't even apply any more. This patch makes fairly deep changes to the NAT code, changes which I currently do not understand and do not have the motivation or energy to study. If it gets committed and breaks something I'm going to be the one who has to fix it, so ... no, not unless someone can present a compelling case that this actually improves anything, that it is correct and that if there are issues they will work on them.

From the freebsd forum,I guess the pfSense guys can make it ?

@Matt_Sharpe said in NAT over IPSEC to private network:

It is not PFsense on both sides. However considering the NAT required is happening on the target side which is a PFsense. I assume this is the best place to ask :)

But the other site doesn't accept the multiple phase 2, as it knows only one, I guess.

Again, check the logs to find out, what's wrong.

@JonathanLee Thank you.

@emc

This issue has been fixed. NAT is working. It was a firewall issue in the PBX. I've whitelisted the IPs on the PBX's firewall and it works. Thank you everyone for your help.

@uz890ed so you disabled the 80 redirect on pfsense?

Validate that pfsense is not listening on 80, simple sockstat

[23.05.1-RELEASE][admin@sg4860.local.lan]/var/unbound: sockstat -l | grep :80 root nginx 90402 9 tcp4 *:80 *:* root nginx 90402 10 tcp6 *:80 *:* root nginx 90166 9 tcp4 *:80 *:* root nginx 90166 10 tcp6 *:80 *:* root nginx 90115 9 tcp4 *:80 *:* root nginx 90115 10 tcp6 *:80 *:* [23.05.1-RELEASE][admin@sg4860.local.lan]/var/unbound:

I then turn off the redirection..
redirect.jpg

[23.05.1-RELEASE][admin@sg4860.local.lan]/var/unbound: sockstat -l | grep :80 [23.05.1-RELEASE][admin@sg4860.local.lan]/var/unbound:

Adding a network diagram, which I hope helps better describe the problem.

Dual WAN Issue-Page-2.drawio.png

@johnpoz thanks for the tip and i did the same test.
Window on top is WAN and on the bottom is LAN. I just captured 10 packets from each interface and seems it is pretty fast so the culprit is not the NAT.

a243489b-bc55-49e5-87b2-747bd73a304f-image.png

Found though two solutions but still not why it is happening.

Remove Accept-Encoding header from the http request - result is very fast.

Using a reverse proxy with https is still fast with and without the Accept-Encoding header