@lonmarlon Set the hostname to resolve to that public IP...? Or if it is already set, then likely the webmail server isn't set to use that hostname. Unless you've installed a reverse proxy, there's nothing in pfSense that knows what hostname was used. The packet arrives for IP "n" and pfSense processes it.

@viragomann

So I just took another look and I think I can confirm that the packets do go back over the ISP network (because I see that the packets try to go through my ONT in both directions) - thanks

Yes, I noticed this and it's quite strange to me. I'd had ideas for reasons if it would behave the other way round.

The main reason why I tried TCP in the first place was because I saw this post on serverfault.

I don't think the scenario is quite the same, but it's the only thing I've found on the internet that had any semblance to my issue (where the port #s change):
65d9f08d-212c-4fea-907e-4511765fc9a7-image.png

Since you don't provide IP addresses, I'm missing the needed information to investigate.

Here's the previous packet capture of when I tried to connect to the VPN server from within the ISP network (where pfSense WAN IP is 50.x.x.x, the ISP WAN IP is 75.x.x..x):

0b611736-20e8-4962-833d-87b604ed0e08-image.png

And here's the packet capture when I connect to the VPN server from an external network (where 207.x.x.x is the IP of the external network):

3db70683-6491-4481-920d-ba53f95243d0-image.png

thanks dear its working now. 👍

@bibawa said in Redirect internal Ip > External:

it's not possible to change the ip address in the code

I find that hard to believe - where did this app come from, written in house and now the writer is no longer with the company?

Should of pointed to fqdn not some IP.

Anyway - assume your pfsense has an IP on this 192.168.6 network? If so then create a vip so it answers arp for 192.168.6.13

Then create a port forward sending the traffic where you want to send it. If the sender is on a different network that routes through pfsense say the client it on 192.168.5/24 for something then you do not need to create the vip.

@johnpoz
sorry sir, I forgot to give the example, but the topology I made remains the same as drawn, it's just that I recreate the VM with a different IP.

No sir, I installed the IDS/IPS on pfsense, and Snort/Suricata will secure the network (intrnet1), namely the web server itself.

I've added a topic to the link you provided, please respond back, sir

@sensewolf said in Need to convene the brain trust on DNS rebinding issue:

What I am saying is that pfSense should tell server1 server2's private IP when server1 looks for server2.example.com. But pfSense doesn't.

Huh??

If you setup a host override for server2, any client that asks pfsense would get that response..

As already stated if your unbound is getting that address from some other NS, and its rfc1918 then it would be a rebind.. You can set the domain example.com to be set as private, and then it would hand the client the rfc1918 just fine..

example of this plex uses a special fqdn to find the IPs of your server, be it public address and its local rfc1918 address..

So you set this domain as private in unbound custom option box
private-domain: "plex.direct"

And now it can find the rfc1918 address. That it got from public NSers out on the internet

@pop69er said in Using external ip/domain to access lan computer inside lan:

the domain address is jer-bear.ca.

I don't understand the term "I cannot access my LAN computers from my domain name address".
I have no idea what you mean with "from my domain name address" in this context?

Your outbound NAT rules might not be responsible for this issue, I think. But there are some useless and wrong rules, which you can remove to clean it up.

You can remove the rule numbers: 1, 3, 4, 6 (all WAN rules).
All these rules are also automatically created by pfSense as seen below.
So only the rules for the VPN interfaces are still needed.

As the automatic rules show, you have two local networks: 192.168.10.0/24 and 192.168.15.0/24. But at this time you have only for the first one rules on the VPN interfaces.
If you also direct traffic from 192.168.15.0/24 out to the VPN connection you need to copy the rules for 192.168.10.0/24 and change the source network accordingly.

I update you, I actually rationalized the need ... the 192.168.30.x had to be the gateway for the 172 network, in this way the device that interfaces to the PLC network on 172 could actually route the traffic between the two networks . I really thank you for the speed and availability you gave me in your answers.

@mleighton

Sorry, im just new here. Im using PFsense/NETGATE

@steveits That might just do it, thanks, will have a play with that, never noticed the option below regarding gateway on a rule. Just done some testing and looks good but need to do some more. Thanks for that.

@johnpoz said in Is there a bug with NAT? Just trying to redirect traffic from 1 IP to another, nothing works.:

@genericuser8674 how is it a bug that it doesn't list any? That is not a "bug" that is a feature that is not available in that version.

Post about a bug in 2.6 CE.
Proceeds to test it on 2.7 and say iT's A fEaTuRe, NoT a BuG!
🤦

@combat_wombat27 said in Just trying to forward 443 to an internal server:

both of those match the one I'm using and see in pfsense for the WAN side.

Huh - look in your state table for the source IP that is talking to your 192.168.1.4 -- filter on that..

You really should update 2.4 has been eol for awhile.

@chrisccc @stephenw10

@modesty
Maybe the NAS blocks access from outside now.

To investigate run a packet capture on the NAS facing interface, filter the port for 7172 and try to access it from outside.

Check if you see request and also response packets. If there is nothing run a capture on WAN.

@skilledinept “back away slowly“ as they say.

I recall now when I first set up HE I had to reboot for it to work. Reproduced, entered bug report, and couldn’t get it to happen after that.

@aadrem said in Nat does not work with IP pool:

I checked the advance configuration of PF sense and I discovered that reply-to was disable in that section.

To be honest, I didn't think of this option, since it isn't disabled by default.

But I'm glad that you got it working.

hello I'm new to this Pfsense thing and I am having trouble as well.

I'm not network savvy like you guys but I'm ok at it. Description about my set up is a PPP0E connection like this:
nbn box >pfsense > switch > to other devices(plex,tvs,PS,PC,etc).
my problem is i cant get any ports to open status.

under:
-Interfaces/WAN i have
*Block private networks and loopback addresses
*Block bogon networks (both ticked)

Untitled0.png

-System/Advanced/firewall & NAT i have
*Pure NAT Enable
*Enable automatic outbound NAT for Reflection (ticked)

Untitled1.png

but my NAT Rule for my plex server will not open or any port that i try to create in fact

Untitled.png

even this Outbound settings

Untitle.png

all i want is for plex media server and PS4 ports to be open.

am i doing something wrong, also if you ask me to do that capture thing, your going to have to walk me though it lol...!!! please help i have been scratching my head at this for days now and hope its an easy fix...!

Update:
Speaking to Chelsio support, they suggested setting "hw.cxgbe.buffer_packing=0" in "loader.conf". This resolved my issue.

@johnpoz Sorry I didn't get back to you sooner,

I ran out of time to trouble shoot and ended up spinning up a quick ubuntu instance and doing a DNAT using IP tables.

I did run through your example without success, I could see the messages hitting the destination on the correct port but it wasn't replying for whatever reason.

Seems to work fine using a IP table, I guess the DNAT is successfully making it appear as the messages are originating from the 110.0 subnet and satisfying whatever siemens have going on.

@nycynik Did you ever figure this out? I just got an Obi-302 and can not get it to work behind an AT&T BWG-320 in pass through mode and then a pfsense firewall. Ooma worked fine but this doesn't.

@johnpoz thanks for the advice. I'm not a pro that's why I'm asking for help to people that is actually doing it and tried to do it before. And also want to learn more about the process involved behind all these. Thanks again

@demux
AT least if client and server are connected to the same interface (request are coming in and going out on the same interface) pfSense turns the source IP into its interface IP.
If they are connected to different internal interfaces it might be the origin source IP, don't know.
But it's never the WAN address.

@easy-hostingnz It defaults to disabled. Enabling it there enables reflection for all rules. Alternately you can edit a NAT rule and change NAT Reflection from "system default" to enable it.

Reflection sends that connection/traffic through the router, while split DNS doesn't use the router because the devices uses a LAN IP. If the NAT doesn't translate ports then either will work.

@kom As it happens I started at step one, describing deleting and starting fresh each offensive rule. I also ensured to add logging to the WAN firewall rule that is automatically generated. I'm not sure how that should've helped but it has seemingly solved the issue. I have yet to be able to try logging into the host from an actual outside source but so far the program used to log in has a browser method that seems to be different from connecting via LAN. Thank you again, I'll be leaning heavier into the documentation in the future.

@hrustakv I fixed the problem. I didn't have a bridge built over the WAN, only on LAN ports. :)

This is exactly what I had tried to do, as this has always worked in previous versions. However, I can configure this in whatever VPN tunnel, but it is not applied. The pfsense acts as if the P2 does not exist and I see that no NAT is applied. I can't find any error in the log files either. Doesn't anyone else have this problem, I can't imagine it. Especially since my configuration for the PFSense is now also not so very extensive.

@kiokoman

Automaticaly generated, dont edit manually. Generated on: 2022-06-03 22:53

global
maxconn 1000
stats socket /tmp/haproxy.socket level admin expose-fd listeners
uid 80
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend frontend80
bind xx.xx.xx.xx:80 name xx.xx.xx.xx:80
mode http
log global
option http-keep-alive
timeout client 30000
acl expressite var(txn.txnhost) -m beg -i www.expresxxxx.com
acl expresmail var(txn.txnhost) -m beg -i mail.expresxxxx.com
acl ramsite var(txn.txnhost) -m beg -i www.ramxxxx.ro
acl nappasite var(txn.txnhost) -m beg -i www.nappaxxxx.ro
acl emisite var(txn.txnhost) -m beg -i www.emimaragro.ro
acl expresrosite var(txn.txnhost) -m beg -i www.expresxxxx.ro
acl rammail var(txn.txnhost) -m beg -i mail.ramxxxx.ro
acl nappamail var(txn.txnhost) -m beg -i mail.nappaxxxx.ro
http-request set-var(txn.txnhost) hdr(host)
use_backend backend-http8080_ipvANY if expressite
use_backend backend-http80_ipvANY if expresmail
use_backend backend-http8080_ipvANY if ramsite
use_backend backend-http8080_ipvANY if nappasite
use_backend backend-http8080_ipvANY if emisite
use_backend backend-http8080_ipvANY if expresrosite
use_backend backend-http80_ipvANY if rammail
use_backend backend-http80_ipvANY if nappamail

backend backend-http8080_ipvANY
mode http
id 100
log global
option log-health-checks
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server website 192.168.1.4:8080 id 101 check inter 1000 weight 250

backend backend-http80_ipvANY
mode http
id 102
log global
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server webmail 192.168.1.3:80 id 103 check inter 1000

I can register the client to the PBX. The problem is that I have no audio at all.

Something with the RTP traffic.

When I connect the PBX and client to openvpn I have no problems. Everything works.

The problem arise when I try to use pfSense public IP. I think is something with the UDP Nat

@c-amie said in [Bug?] pfSense empirically causing legacy WordPress sites to fail:

We have no control over what internal code to someone's WordPress site is doing.

Valid point.. One way to fix it would be to put the servers actually on a public IP via routed network behind pfsense.

Hi,

to complete the topic: the patch worked for me and solved the issue.

Thank you

@mistermince Have you opened the ports on the firewall rules as well or just created the port forwarding rules?

Can you post screen shots of you rules and port forwards?