@viragomann it works like a charm. can't thank you enough for your directions.

@viktor_g Thank you for letting me know.

Regarding my "hack", today I noticed that the dyndns.update cron-job failed for IPv4 with my cloudflare "clients", the RFC 2136 "client" had no problem with IPv4.
I then removed the virtual-IP, only had 6.6.6.6 in the UPnP & NAT-PMP Settings and dyndns.update is working again and UPnP is still working!

So the only thing someone has to do is to put in some random public IP in Override WAN address in the UPnP & NAT-PMP Settings, to get it working behind a private IP?!
Is it so easy?
No need for a STUN Server and all this nonsense??
I really don't know, why (mini-)UPnP needs to know the public IP in the first place.

Yes, the Openvpn makes a routes at A for 192.168.110.0/24.
But i think the problem is at B, because i cant see any trafik leave the OpenVPN interface connected to A, when i ping a host at 195.80.240.0/20

Thanks great share link

Yesterday I updated my pfsense at my office from 2.5.0 to 2.5.1. A few minutes later, I tried to access to the cameras and didn't work (I access to my CCTV using NAT). Later I discoverd this issue in the forum. Fortunately, today I upgraded to 2.5.2-BETA and the issue was solved. The only problem that I have after the system updated was pfblocker (the DNSBL ). I reloaded the DNSBL. After this, all seems working properly.
What i learned from this event is to check all the forums first before an update.

I'm been using pfsense since 2018 and never has this issue.

I'm really surprised because NAT is the most basic option of any firewall.

Hope this helps to anyone who has the same issue.

@freyja

I said from the beginning that I wanted to replicate the configuration I had with my pix as the netgate act a replacement.

That isn't an explanation for the reasoning behind the method. I understood you wanted to make it the same as what you had before. That's not hard to understand. The question was 'why do you want it that way?' What problem does this solve? That's all.

All my configuration is based on that and despite the fact you disagree, I want to mask my internal network for things such honeypot for example.

I don't necessarily disagree when I don't know all the details. That's why I was asking. You said earlier that you wanted to mask your network but I didn't understand the context nor did John. Usually a DMZ is completely isolated from LAN which is its entire point, and any required access is strictly controlled via rules. It's unusual to have a DMZ that needs to talk to LAN so much.

It's not because you do not understand the usefulness of what I want it's illegal.

I'll definitely admit that I don't see the usefulness of what you're doing.

And such a supposition is quite surprising.
I said what I wanted to do, you just don't listen.

No, you said things like 'mask my network' and 'several reasons' but you never actually gave any specifics. Two of us were confused so you weren't as clear as you think.

1- reproduce what I had before just not to have to reconfigure everything
2- mask my internal network because I don't want people to be aware of it.

Got it. I don't know how that would help you though. Yes, I understand that you are going to keep it this way and I have no problem with that. I'm just curious. How would people who interact with your DMZ be aware of what's on your LAN? Someone who cracks one of your DMZ servers will see what it's talking to and try to exploit that regardless of its DMZ vs LAN IP address.

But still you're pushing over and over because it sounds overcomplicated for you but at the very end it's my problem if it's overcomplicated, right?

It doesn't sound overcomplicated. It sounded like it didn't make any sense. I was asking for details because I thought I was missing something.

I've never seen such aggressive people about simple tech questions, really I don't understand what you are trying to do there.

Every single day here, new users decide to do something using an incorrect or sub-optimal method and then they ask specific questions in order to reach their bad end instead of asking for the best way to do something using pfSense. I thought that is what you were doing so I asked questions trying to determine what problem you needed to solve.

I've started eluding your queries because I had answered them and didn't want to go in an argument fight and having to justify my setup.
You make me feel I want to pack back my netgate and return it.

This has nothing to do with Netgate.

I've worked with Cisco, Nokia, McAfee, checkpoint firewall and never seen such agresisvity from a tech community.
I'm starting feeling your are acting like that because you've seen I'm a girl and think I don't know what I'm doing.
Don't make me think it's just a misogynistic behavior.

How would I know you're a woman, and why would that matter?? My entire knowledge of you is from this one thread.

That's said, I'm not doing anything illegal, i just wanted to reproduce my Pix configuration to simplify my life and don't have to reconfigure every service I'm using and that's all.

Understood. Thank you for making it clearer for me. I think this has been one big misunderstanding and I will not trouble you again.

@steveits Saw the reply loop on the article, it seems plus version should not have this issue, mine is plus version. TT

@peterlecki The interface was not given the whole block. It was given one interface IP address and a subnet mask.

It is up to the administrator to assign IP addresses if it wants the firewall to respond to ARP requests. In many cases it is desirable to not respond to ARP there, especially when using routed subnets.

Solved

@testcb00 said in 2 WAN&1LAN setup, NAT not working:

Do you mean that I can do some config in pfSense to get the IP A (second WAN) port forwarding function?

As I mentioned, it depends on the capabilities of the router in front of the WAN interface. I don't know it. If it does masquerading incoming traffic it should work straight forward.
Some consumer routers do this by default.

Masquerading means that it translates the source IP of incoming forwarded packets into its own internal IP (also known as SNAT). This is what the outbound NAT does on pfSense.

@johnpoz Thanks again for the post. I upgraded to devel 2.6 and tried it. Traffic on the FW is passing with green check marks, it doesn't seem to be working. In fact, my hybrid NAT with the rule I have in place doesn't work either as in the previous version AND on top of that, I re-enabled the LAN rule I had where it would make that host's IP use the secondary gateway that was working...and it is now NOT working.

** Edit: The LAN rule must have taken a minute, it is working now BUT still same problem. It no worky with secondary WAN like it says in the redmine post

Truly and enterprise product. SMH

The folks on the redmine post that think it is working in 2.6 devel aren't correct because it's clearly not working.

@scolby33
So in this case, you have only to add a virtual IP to the WAN within the modems subnet, I guess 192.168.2.0/24.
Then configure the NAT for this IP as described in the guide.

Great, thanks :)

@kom
I added it and there was no change
So I deleted it

At the moment it works
does not bother me to wait another 30 seconds for it to appear that it is "connected"

Thanks

@coldfire7 I am sure about it, because I had to create a vpn killswitch for that, so... 😊

@dzinks You'd need two pfSense routers connected via their WAN interface.

192.168.1.0/24 can't exist on the same router with different interfaces.

You'd need to do a 1:1 NAT on both routers with different addresses poining to 192.168.1.0 for Production and Sandpit.

https://docs.netgate.com/pfsense/en/latest/nat/1-1.html

https://www.netgate.com/resources/videos/nat-on-pfsense-23.html

@jms123 said in 1 : 1 NAT and outbound NAT:

1:1 NAT overrides any outbound NAT

All traffic originating from that private IPv4 address going to the Internet will be mapped by 1:1 NAT to the public IPv4 address defined in the entry, overriding the Outbound NAT configuration

@skilledinept said in Disguising a device behind 1:1 NAT:

I'd like to disguise HOST's real IP address from the rest of the network downstream

For what purpose? Just at a loss to why anyone would want to do this?

I just looked in the games forum seems this is raised alot. Might read through the threads in there as seems some have it working on the Xbox thread so may work with mine. The game is modern warfare and the game I play is cold war but all the ports are the same so should be the same outcome. Now to find time and dust off my router lol

@jfre9193 I believe that is related to this:

https://redmine.pfsense.org/issues/11805

@KOM No, the default rule should be fine.

@averagecdn I don't think you can do it like that in an asymmetric routing situation. You forward from the device that controls the server's traffic.

@acnic
The failure of that bug is that pfSense is sending reply packets ever to the default gateway. So if you're on CE 2.5.1 and the DSL modem is not the default gateway, you will be affected.

but if i connect to the LAN of the DSL modem and try i.e 192.168.2.2:80 it works as it should

When you're in the DSL modems LAN and access pfSense, replies have not to be directed to a gateway.
This also means, that you can do a workaround by masquerading incoming packets on the DLS router if it is capable of this function.

Nobody has any suggestion?

@testcb00 said in Two public IP (A/B), one DHCP, how to make specific internal IP use IP B?:

Will it brake the network? or it is normal to make outbound like this, and make new outbound to overwrite for specific Hosts?

No it shouldn't. Your new rules only apply to that one client. Everything else goes out the default WAN as per usual. Test it and see if there are problems.

simple solution would to just be a source nat.

Outbound nat on your iot interface that nats traffic to your pfsense iot interface IP.

Now this devices thinks any traffic be it coming from an openvpn connection, or even your lan thinks its coming from pfsense iot IP which is in your iot network.

@SteveITS Hi Steve, I followed your advice, reset all the rules and following the following link, redid the rules, All working! thanks to the availability!

https://www.3cx.com/docs/pfsense-firewall/

@kom
It's gone from clipboard and logs now. I removed it initially to not expose public ip.

The real question is what I did to make it work because I was using port 5761 until just recently reverted back to port 5760.

How would 10.41.1.1 ever see your public IP as source? Other than the IP to create the vpn tunnel. Traffic inside the tunnel would look likes its coming from whatever pfsense gets for its tunnel IP after creating the vpn.

For you to use your downstream network like that - would have to be setup. the network on the other side of the vpn would have to know to route traffic down the tunnel to get to your 10.36.45 network..

So your natting on pfsense to this 172.21.36.2 address now? If you don't you have the ubnt setup to route this traffic via your transit?

@varyuhin-anton that's correct!
For now the process is very manual, but I least we have my Pfsense outbound NAT working, this issue affected our operations :(

We'll wait for the full fix.

@gswhite
Oh yeah, now I see what your issue is! I didn't realize, that the 'WAN address' alias can not be used in NAT 1:1.

You will have to go with normal port forwarding. There you can select 'WAN address' from the destination droptown, which works with the dynamic IP.

The outbound NAT is set anyway correctly to the single WAN address.