I don't think it's going to work to have the same public IP subnet on both the router WAN and the DMZ. It won't know where to route. I think you'll need to use 1:1 NAT to forward the IPs to the DMZ servers. re: outbound NAT try Source: IPofServer1/32 Destination: any (the Internet) NAT Address: publicIPofServer1 Also remember to set up firewall rules on the DMZ network allowing access out. They only exist by default on LAN.

Perhaps using pfctl or something?? Need some help in this issue. Thanks.

@xeba idk, could be a combination of this https://redmine.pfsense.org/issues/11716 https://redmine.pfsense.org/issues/11568

@viragomann Thanks for the explanation. appreciated.

@derelict thanks a lot

@summer Best way to do is to add the VLAN to the remote OpenVPN settings to add the route, but if I understand you correctly, that's not an option for you. So yes, you can go with masquerading. Rules can be added on the outbound NAT tab. If the outbound NAT is still working in automatic mode switch to hybrid first and press save. Then add a new rule with settings like these: interface: <the VPN interface> source: select 'network' and enter the alias you've set for the permitted clients destination: <the remote LAN> translation: interface address This presumes that the tunnel subnet is routed to the VPN endpoint on the remote site (that it's the default gateway). Otherwise you may use any unused IP out of the LAN subnet. Also ensure that there is a firewall rule in place on the VLAN which allows the traffic to the remote LAN.

@pkx232c I think that pfSense do no spoof the RTCP traffic and do not define a NAT nor a port forwarding. What needed is a spoofing the RTCP traffic and setup and NAT or forwarding for the "client_port" in the RTCP-SETUP message. As i have seen, other firewall do this. I have found the same tool (designed for OPNSense) and i hope for a solution on pfSense!

@viragomann thanks a lot for helping out

@serbus Just saw the latest video from Tom Lawrence and it seems to be a bug in the software we are using. So the solution will be to roll back.

I remember doing the upgrade 15.03.2021 from 2.4.5-RELEASE-p1 (amd64) built on Tue Jun 02 17:51:17 EDT 2020 FreeBSD 11.3-STABLE to 2.5.0-RELEASE (amd64) built on Tue Feb 16 08:56:29 EST 2021 FreeBSD 12.2-STABLE Before that, however, I made a backup of the whole image. Now I have restored pfsense from backup and everything works. Now I'm afraid to upgrade because it will go wrong again. There will probably be a bug in version 2.5.0

Like I said if the health check that its doing doesn't work for whatever reason - it thinks the backend is down, then yeah you get a 503.. I never went into looking any deeper to why say the http check doesn't work for ombi service for example.. Because I only have 1 server, there is little need to actually know if its up or not for loadsharing, etc.

Hello. I think the OP asked for specifically an "allow list" at firewall level additionnaly to the win SFTP server whitelist. Then it means to me he want to know how best to make an alias in pfSense with multiple IP that are already whitelisted SFTP side. @Smoothrunnings If you want/can do it manually, you set up an alias with CIDR adresses as you want (either /32, or whateever mask you need, sometimes a whole subnet is preferable, sometimes not depending on your case). Or if you want to automate it, you can use URL aliases (URL link to an automated generated text file with all IP/CIDR in it, generated by SFP server or something and made accessible trough a internal/minimal web server for exemple) You can check here the full doc as they are more possibilities : https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html And when your Aliases are ready, you just need to specify them in "Source address" for your port forward rules to the SFTP server.