• Can someone help me understand pf states (tcp.first, etc.)?

    0 Votes
    1 Posts
    171 Views
    No one has replied
  • Source NAT and port forwarding

    0 Votes
    15 Posts
    1k Views

    @johnpoz I understand the logic now.
    I've added the rule yet, and it works as expected now.
    Thanks a lot for your help and patience!

  • Help with NAT port forward

    0 Votes
    3 Posts
    262 Views

    Hi Viragomann,

    So, full disclosure: I installed acme and have a cert, then I changed the port on pfSense under Advanced => TCP port, then went to DNS resolver and used the acme cert for DNS records and added the DNS name to the IP to resolve the IP to DNS name. Now when I type in the IP or DNS it adds the port at the back, so I'm trying to remove that port number so it just shows the DNS. I have haproxy working with truenas scale and also a DNS record to resolve the IP, but this too adds the port number at the end. Is there a way I can use the DNS without the port number? A setting in haproxy maybe? To redirect, etc.?

  • Need outbound NAT help

    0 Votes
    10 Posts
    1k Views

    @andrew_cb Disabled monitoring, no effect on not passing traffic through NAT.

  • Help with UPnP Setup - Cannot Achieve Open NAT Status in Games

    0 Votes
    9 Posts
    2k Views

    @ngr2001 Yes, 2 PCs, 2 different ports...

    Being COD picked 3191 for external, wouldn't one need to increase their port scope range to what you have listed above?

    You shouldn't have to... But I'd go ahead and start testing, that's the only way to know for sure. I think if you limit it to 3074-3076 in your ACL, you would see 3074 and one of the other being used instead...
    You could even try and set one of them to 3074 and the other 3075 only, and see what happens...

  • Port Forward is Ignored

    0 Votes
    8 Posts
    690 Views
    johnpoz

    @SteveITS said in Port Forward is Ignored:

    There is also the “don’t block the world, allow your country” discussion which takes much less memory.

    ^Exactly - I use this method.. I only want US ips and currently Belgium (family living there using my plex) - so I just allow those in my port forwards and wan rules.. This by its very nature blocks all the other ones.. No reason to load up into the tables of bad countries IP of them, all need to load is the IPs that are US and Belgium.

  • NAT not forwarding reply packets

    0 Votes
    4 Posts
    305 Views
  • System behind pfsense has very slow network throughput

    0 Votes
    1 Posts
    203 Views
    No one has replied
  • 0 Votes
    2 Posts
    265 Views

    @CubedRoot
    1:1 NAT of multiple IPs to a single backend IP cannot work at all.
    1:1 means that packets addressed to the external IP are forwarded to the internal IP AND outbound traffic from the internal IP is natted to the stated external IP.
    While the first part might be possible, the second cannot be done. Which external IP should be used for outbound traffic of the single internal? The first, the second, both alternating?

    You should rather configure port forwarding rules for both external IPs.

    If you also want to use these IPs for outbound traffic from the server, set up an outbound NAT rule for it.
    You can translate it to one of them or to both alternating by adding both to an alias and use it as translation address in round-robin mode.

  • php script to add NAT rule is taking forever to apply

    0 Votes
    6 Posts
    1k Views

    @Gertjan thx for the explanation.
    As the problem seems to be related to the php interpreter memory pool and the computer I'm testing on (2sockets - 2 cores of a i7-6700 with 6G of ram) seems pretty weak for the use case I'm trying to implement.
    I'm gonna try to see if I can do some tests on the server the app will be deployed on.

    For the firewall related rule, I meant an option in the php script as the goal is to automate all the LXC handling process.
    It works in "pass" mode but I guess it would be better with a firewall rule?

    I will give feedback after some testing (if they let me play with the big toys :p )

  • [solved] Portforward on LAN (Teamspeak) doesn't work anymore

    0 Votes
    5 Posts
    412 Views

    @Bob-Dig Hmm, did you try to only reboot the TS VM? How did you set up network for the VM? Firewall on or off, any extra bridging or VLAN? I have had TeamSpeak running for years without one single problem. But even so, I run two servers on separate machines and use keepalived to manage the master/backup setting...

    I see now that the other ports are optional, and it's only 9987 required for voice. And it's likely the same port for the chat function so I guess it's time to close the other two...

  • Should Port Forwards work with Interface Groups?

    0 Votes
    12 Posts
    687 Views
    Bob.Dig

    @marcg said in Should Port Forwards work with Interface Groups?:

    default NAT reflection policy?

    Disabled.

  • NAT AT&T Fiber

    0 Votes
    12 Posts
    2k Views

    @marcg Good info. That makes sense then. It's essentially a DMZ passing through the external IP. Still not sure how both the att router and my pfSense passthrough can have the same IP but I'll chalk it up to magic.

    In any case, I have it working great now. I can reach my iLO gui if for whatever reason the pfsense goes down, I can reboot or reconfigure it to get everything back up remotely.

  • "Floating" NAT rules?

    0 Votes
    11 Posts
    900 Views
    johnpoz

    @marcg I agree manipulation of any dns should be opt in for sure.. If I want you to filter stuff, or help with my typos etc.. I would point to the IP specifically that you offer those services up on.

    If you offer such service, I should be able to point to any other dns I want and you're not going to mess with the traffic - shouldn't have to opt-out if not pointing to your dns that is for damn sure.

    Default opt-in is rarely a good thing for anything.. No matter what services they are providing - the user should have to opt-in in some way if you ask me.

    One of the pet peeves I have with doh - many of these browsers like to turn it on by default, which is not the way to go about it.. If it's so good inform the users and they will enable it if they want to. If you turn it on by default - tells me it's not so good of a thing.. Seems like to me you're trying to sneak it in under the radar.

  • Tailscale no longer allowing Outbound NAT

    0 Votes
    5 Posts
    449 Views

    I resolved the issue by factory resetting the Netgate device and restoring the config.

  • Is my ISP blocking port forwarding?

    0 Votes
    8 Posts
    553 Views

    Figured it out!!

    It was a docker container problem. Docker container was set to use ipvlan, so changed to macvlan.

    And changed host access to custom networks to enabled.

    Now I can post from my docker container.

    Ok.. now trying to figure out how to access emby from wan.

  • Bug outbound nat after upgrade in 24.11

    0 Votes
    3 Posts
    360 Views

    @Bob-Dig said in Bug outbound nat after upgrade in 24.11:

    While I have encountered problems with the implementation in CE, I don't see those in Plus.

    Maybe check or delete and recreate the aliases, they can make problems too.


    thanks for the blog page
    After reset/kill all state, the outbound nat is ok, after reboot, also ok

  • 2100, telstra and tplink vr2800 in Australia

    0 Votes
    2 Posts
    214 Views

    @idgeng said in 2100, telstra and tplink vr2800 in Australia:

    TPLInk VR 2800 modem in bridged mode

    It might be so that Telstra expects the MAC address of the TPLink device? And when you connect in bridge mode, it gets the MAC of pfsense instead.
    Solution would be to spoof the MAC in pfsense... Go to Interfaces > WAN and enter the TPLink MAC address in this field, and click save:


  • Static ports, is it safe?

    0 Votes
    11 Posts
    620 Views

    @Antibiotic Really? And how would any of those two things be related to your outgoing ports?

  • 1 Votes
    16 Posts
    2k Views

    @johnpoz / @viragomann / @Gblenn Thanks for all your help. I set it up that way and it was much easier, worked right away. I appreciate the time you spent helping me out on this :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.