  • NAT, Firewall, IP stack, etc. Order of Operation / Order of Interaction

    0 Votes
    6 Posts
    3k Views

    It works the same for LAN to LAN (assuming that's two diff LANs, say LAN to LAN2) as for LAN to WAN. NAT just generally doesn't happen (no match where it's processing that) going from LAN to LAN.

  • Can not open port 1433 for SQL_Server

    0 Votes
    10 Posts
    3k Views
    johnpoz

    Very true….  But I still don't feel right pulling the actual trigger on a suicide..

  • Forwarding port 443 only works for a few of my CIDR block IPs

    0 Votes
    2 Posts
    1k Views

    Question: Which two of the three external IPs you've posted should map to 192.168.0.46 and 192.168.0.51 respectively?

    So you say when you browse to https://192.168.0.46 and https://196.168.0.51 internally, the pages load correctly? Is this right?

    I think it may help a lot if you post your NAT and firewall forwarding rules for your WAN interface. Screenshots, please - not ASCII.

  • Forwarded ports on my WAN IP from my LAN/OPTx networks

    0 Votes
    13 Posts
    3k Views
    johnpoz

    But it's still an abomination if you ask me ;)  And be it a huge performance hit doesn't change the fact that it's not optimal, why send traffic through or even to my firewall/router that is just going to a box sitting next to me on my own lan..

    I can not think of a reason where someone would say, yeah nat reflection is the best way to do this.. I see it as a work around for bad design choices sure.

  • NAT + Load Balance Question

    0 Votes
    1 Posts
    763 Views
    No one has replied

  • Strange FTP Behavior.

    0 Votes
    10 Posts
    2k Views
    johnpoz

    In passive connection the server says come talk to me on port x
    http://slacksite.com/other/ftp.html

    So you have to forward those ports

    But from what you were showing it's not even making a control connection

  • NAT problem, multiple subnets and VPN tunnel

    0 Votes
    1 Posts
    853 Views
    No one has replied

  • Port forwarding

    0 Votes
    4 Posts
    1k Views
    Derelict

    Excellent.

  • Using External Squid Proxy server [SOLVED]

    0 Votes
    2 Posts
    1k Views

    Solved!

    Interface: LAN
    Protocol: TCP
    Source: Any
    Destination Port Range: HTTP
    Redirect port range: 192.168.2.1 (Debian)
    Redirect target port: 80

  • PfSense own internet access in a private IP/WAN+public IP/LAN scenario

    0 Votes
    8 Posts
    4k Views

    @Derelict:

    So you didn't enter a VIP in Firewall > Virtual IPs you just selected other and entered it there?

    Learn something new every day. Didn't know you could just enter an arbitrary address there. Good to know.

    Yes, that's it. Hard to explain… because it expects a network and I entered an IP (/32)...

    Packets matching this rule will be mapped to the IP address given here.
    To apply this rule to a different IP address than the IP address of the interface chosen above, select it here (Virtual IP addresses need to be defined on the interface first)

    Regards!

  • Port forwarding not working [SOLVED]

    0 Votes
    6 Posts
    3k Views

    And the answer in my case was setting the modem in bridge mode.
    For KD customers it's a fairly simple online activation process.
    Now my pfSense's WAN gets the public IP directly.

  • Outbound NAT for SMTP

    0 Votes
    9 Posts
    3k Views

    SOLVED.  Thanks.

  • Port forward reply NAT not working.

    0 Votes
    11 Posts
    2k Views

    Hi!

    Thanks for the answer.

    So... I try again...

    There are two types of sites. One is a DSL line, connected via public internet access to the VPN servers. The second is connected via a Middle Area Network (multiple sites connected via wlan) to the VPN servers.

    The first pfSense handles the database connections from the sites. The second pfSense handles the file related connections from the sites. The first pfSense has 2 internet connections, a MAN connection and several internal LAN connections. The second pfSense has a very fast internet connection, a connection to the first pfSense and a connection to the file servers.

    The MAN sites can't connect to the internet except through the first pfSense.

    All sites must be connected to both pfSenses, but the MAN sites can do it only through the first pfSense (that handles the MAN network).

    So the MAN network can't route to the second pfSense's network, so the MAN sites can't reach it.

    Therefore the VPNs' destination is the first pfSense's MAN interface. The first pfSense forwards the port to the second pfSense.

    The problem is, the second pfSense's response to the MAN sites goes through the first pfSense, but the first pfSense does not translate the outgoing packet's source address to the MAN interface's IP address.

    The packet goes through the first pfSense and goes to a network that can't handle the second pfSense's IP address. Therefore the MAN sites can't build the VPN connection.

    The diagram shows only the structure, not the problem.

  • Packet loss of RDP connection routing via different gateway

    0 Votes
    3 Posts
    938 Views

    Thank you very much for your quick answer!

    @viragomann:

    @shadowconnect:

    Here is my setup:

                      Gateway-1
                          |
                         WAN
                          |
    Machine-A    pfSense 2.3-RELEASE    Gateway-2
        |                |                  |
    ================= LAN ==================

    So pfSense has nothing to do with the communication between Machine-A and Gateway-2, since both are connected to LAN.

    In theory yes, because Machine-A could directly use Gateway-2, but I don't want to change routing on every machine to Gateway-2. So I just configure pfSense as default gateway on Machine-A and Machine-A doesn't care about Gateway-1 or Gateway-2 and just sends everything to pfSense.

    @viragomann:

    @shadowconnect:

    There are some IP addresses which could only be accessed via Gateway-2. So I added a rule which just sets the gateway to Gateway-2 for those IP addresses.

    If the traffic has to pass pfSense you need a static route for this instead.

    I tried that already, but I had problems when the MTU is different on Gateway-2. When I tried to ping with a length which is 1 byte over the MTU of Gateway-2, the first packet was sent and Machine-A got a response that it needs to be fragmented. Then Machine-A sent out two packets with correct size, but pfSense combined those two packets into one and Gateway-2 received one packet which is over the needed MTU.

    @viragomann:

    Please explain where the captures are taken from.

    Sorry, my fault, I corrected the log from Gateway, which was Gateway-2.

  • Can't forward port 80.

    0 Votes
    4 Posts
    2k Views
    johnpoz

    Because your website is using host headers maybe and doesn't display anything if you go to the IP?

    Your ddns is using the correct IP, and you're typing in the wrong IP?

    Trying to hit your public IP from inside lan would require nat reflection to be setup?

  • SiteA_WAN port forwarding to SiteB_Host over IPSEC

    0 Votes
    2 Posts
    710 Views

    bump

    anyone? thanks for help  :o

  • NAT IP POOL

    0 Votes
    3 Posts
    2k Views

    Thanks JimP

    I managed to set the aliases with sticky option and it does seem to work, I will see about setting the global sticky timeout for a longer period.

    I have Multi WAN balancing now, and some things just battle when they see requests come in from multiple IPs, banking sites and IPTV systems. At times even setting the sticky options doesn't work as a website or service may have many IPs that it uses, pfsense then treats it as a new connection and it may go out a different WAN circuit, is there a way to keep multi WAN balancing but once a session from a private IP is initiated it then becomes sticky to the WAN interface that multi WAN balancing has initially chosen?

  • How to redirect traffic from lan_ip_1:port1 to lan_ip_2:port2?

    0 Votes
    4 Posts
    1k Views

    I found a solution: ssh tunnel

    I might ssh into pfsense from outside, so on my laptop

    ssh -N -L 1022:server_lan_ip:22 user@pfsense_wan_ip -p 2022

    pfsense_wan_ip is the firewall's external IP; this IP's port 2022 was port forwarded to pfsense_lan_ip port 22

    then, ssh localhost 1022 will do the trick.

  • 0 Votes
    5 Posts
    3k Views

    Hey thanks for taking the time.

    I forgot to update.

    Issue solved, problem was ISP modem got reset, or ISP came in and reset it.
    So the firewall was turned back "ON"

    After logging back into the modem and changing it back to OFF, then everything worked, as predicted when playing with the pfsense in a test environment.

    Long story short, to avoid further unexpected ISP management intrusion, I disabled all the factory and ISP default accounts, changed Admin passwords, created a new account for myself, and … to really avoid further modem woes...

    Set the modem in bridge mode, and now I'm using pfsense for PPPoE as I was planning to do from the beginning, that being said, now I need to build probably a few more pfsense boxes to go behind this box, for the network management stuff, since I was planning to do Fail Over, load balance 2 WAN using pfsense in 2 physical boxes, so if one physical machine dies, the other one keeps going.

    I was contemplating running 2 VM but unsure if the lag in VMware might cause network delay or not. I've seen such delay elsewhere before with other Network Apps that are VMmachine sensitive.

    Anyway, that's topic for another thread.

  • No access to virtual IPs from LAN

    0 Votes
    4 Posts
    1k Views

    @cmb:

    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    Thank you very much. That worked for me well.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.