@dzinks You'd need two pfSense routers connected via their WAN interface.

192.168.1.0/24 can't exist on the same router with different interfaces.

You'd need to do a 1:1 NAT on both routers with different addresses poining to 192.168.1.0 for Production and Sandpit.

https://docs.netgate.com/pfsense/en/latest/nat/1-1.html

https://www.netgate.com/resources/videos/nat-on-pfsense-23.html

@jms123 said in 1 : 1 NAT and outbound NAT:

1:1 NAT overrides any outbound NAT

All traffic originating from that private IPv4 address going to the Internet will be mapped by 1:1 NAT to the public IPv4 address defined in the entry, overriding the Outbound NAT configuration

@skilledinept said in Disguising a device behind 1:1 NAT:

I'd like to disguise HOST's real IP address from the rest of the network downstream

For what purpose? Just at a loss to why anyone would want to do this?

I just looked in the games forum seems this is raised alot. Might read through the threads in there as seems some have it working on the Xbox thread so may work with mine. The game is modern warfare and the game I play is cold war but all the ports are the same so should be the same outcome. Now to find time and dust off my router lol

@jfre9193 I believe that is related to this:

https://redmine.pfsense.org/issues/11805

@KOM No, the default rule should be fine.

@averagecdn I don't think you can do it like that in an asymmetric routing situation. You forward from the device that controls the server's traffic.

@acnic
The failure of that bug is that pfSense is sending reply packets ever to the default gateway. So if you're on CE 2.5.1 and the DSL modem is not the default gateway, you will be affected.

but if i connect to the LAN of the DSL modem and try i.e 192.168.2.2:80 it works as it should

When you're in the DSL modems LAN and access pfSense, replies have not to be directed to a gateway.
This also means, that you can do a workaround by masquerading incoming packets on the DLS router if it is capable of this function.

Nobody has any suggestion?

@testcb00 said in Two public IP (A/B), one DHCP, how to make specific internal IP use IP B?:

Will it brake the network? or it is normal to make outbound like this, and make new outbound to overwrite for specific Hosts?

No it shouldn't. Your new rules only apply to that one client. Everything else goes out the default WAN as per usual. Test it and see if there are problems.

simple solution would to just be a source nat.

Outbound nat on your iot interface that nats traffic to your pfsense iot interface IP.

Now this devices thinks any traffic be it coming from an openvpn connection, or even your lan thinks its coming from pfsense iot IP which is in your iot network.

@SteveITS Hi Steve, I followed your advice, reset all the rules and following the following link, redid the rules, All working! thanks to the availability!

https://www.3cx.com/docs/pfsense-firewall/

@kom
It's gone from clipboard and logs now. I removed it initially to not expose public ip.

The real question is what I did to make it work because I was using port 5761 until just recently reverted back to port 5760.

How would 10.41.1.1 ever see your public IP as source? Other than the IP to create the vpn tunnel. Traffic inside the tunnel would look likes its coming from whatever pfsense gets for its tunnel IP after creating the vpn.

For you to use your downstream network like that - would have to be setup. the network on the other side of the vpn would have to know to route traffic down the tunnel to get to your 10.36.45 network..

So your natting on pfsense to this 172.21.36.2 address now? If you don't you have the ubnt setup to route this traffic via your transit?

@gswhite
Oh yeah, now I see what your issue is! I didn't realize, that the 'WAN address' alias can not be used in NAT 1:1.

You will have to go with normal port forwarding. There you can select 'WAN address' from the destination droptown, which works with the dynamic IP.

The outbound NAT is set anyway correctly to the single WAN address.

@j-sejo1 If I have to pay , I'm going Untangle all in. I got also the Sophos option but is not my favorite currently.
But indeed I can't run service in a playground environment. Production or home stuff. I need less features but reliability from a firewall ,

@gertjan
thanks for responding gertjan..

I do basic troubleshooting the problem is whenever I try to download a files its stop downloading every 1min.

sample.PNG

@johnpoz said in Port forwarding not working:

Same thing happened when I got new car - radio channels not setup like I like them, my seat was in the perfect position before. Had to redo all that stuff - wtf! ;)

🤣

I've spent a couple of days figuring out a solution of my problem.
I hope that this post will spare someone else many hours of frustration. ;)

By changing the Tomcat (ver 9.0.31) server.xml settings so that the <Connector> used by my HTTPS-server uses...

protocol="org.apache.coyote.http11.Http11Nio2Protocol"

and not...

protocol="org.apache.coyote.http11.Http11NioProtocol"

... the POST of files using HTTPS (I'm using "Let's Encrypt") works perfectly!

(It seems to work with any NAT reflection combinations as well.)

@bingo600 said in DMZ - 1:1 NAT , and also "Hybrid":

Aliases/VIP*s should not be in TFW IMHO.

They aren't. Not Aliases. But VIPs are ON THIS firewall, so it fits the description and the docs to the letter. All IPs that are on interfaces on that firewall. So that matches.

In fact an Alias belongs to TFW ... I had just hoped with an 1:1 Nat on it it would not ...

It still does but if you have defined a BiNAT entry, then the IP gets rewritten FIRST and thus no longer matches "this firewall" as the packet now is destined for the internal IP and has to match it. But it's way too easy to make errors that way so just define the IP you want to match (either by WAN address or by selecting the VIP you want) and use that in NAT/Rules so you're safer that way :)

Also move the WebUI port away from 443 and disable the auto redirect for it, that safes many headaches! We recommend using 4443 and explicitly blocking that on WAN-style interfaces can help avoid the "oopsie" of presenting your webUI to the world :) The rule is just a bonus though as you don't commonly have 4443/tcp allowed inbound anyways.

@fireodo thanks for the info.

@johnpoz thanks for the response. Just setting up like a had before using a pfsense. Using a VPN sounds like the way to go.

Using the NAT reflection did solve the issue in the meanwhile. Cheers.

Didnt upgrade yet since the initial feedback was very buggy...

@viragomann Understood, Thank you so much for the info.

What could possible have changed in an update that every other port forward works, other than plex? And if there was - why is mine working? I would think if there was something the boards would be a flame with users complaining.. There are a lot of pfsense/plex users.

So something sure is going on with the OP setup, but what that is impossible to figure out without some basic validation of what is going on.

What is more likely.. Something else changed.. There is a know issue if you have multiple wans, which I do not.. But that would effect all port forwards, etc.

Maybe he is using pfblocker and getting new rules for geoip blocking the IPs that plex uses to check.. Those ips can change.. I have a specific list in pfblocker that updates those for example.

https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt

Maybe during the update his public IP changed, or maybe plex is reporting the wrong public IP, etc.. There are lots of pieces to the puzzle for sure. Finding the missing piece is not possible without some actual info..

Maybe his plex is on a new local IP, and he is forwarding to the wrong IP? etc. etc..

@konikv
You're probaly looking for that: NAT with IPsec Phase 2 Networks

@operator2024 Hi
I have same situation, no matter what I do I can't get a second phase 2 to come up when it uses a subnet that doesn't directly exist on a local interface.
could you please tell me what exactly you did so i can compare with my conf

in my case i have
Palo Alto --- IPsec ---- Pfsense --- IPsec --- AWS

Pfsense --- IPsec ---- Pfsense --- IPsec --- AWS

both don't work
could you please help

@viragomann This was the solution. Thank you so much!

@slu Yes dude, tks

@saeed WELCOME Pfsense CE

I use Pfsense since 2.2.X

This type of failure in the essence of a firewall, did not occur. = (

@ralf-0
Firewall > NAT > Outbound > Disable Outbound NAT rule generation

SOLVED

Thanks for your help, by reading and thinking you helped me find the solution.

I found the fail!
It was done by myself.

I made a new NAT rule 3 weeks ago, in that rule i included port 8282 on block. I tuned the NAT rule, removed 8282 block, viola, all ports that I need to be open is now open:

5da1e541-e972-48d2-98b4-b221fb776202-image.png