The best way to do it is to add the VLAN to the remote OpenVPN settings to add the route, but if I understand you correctly, that's not an option for you.
So yes, you can go with masquerading. Rules can be added on the outbound NAT tab.
If the outbound NAT is still working in automatic mode switch to hybrid first and press save.
Then add a new rule with settings like these:
interface: <the VPN interface>
source: select 'network' and enter the alias you've set for the permitted clients
destination: <the remote LAN>
translation: interface address
This presumes that the tunnel subnet is routed to the VPN endpoint on the remote site (that it's the default gateway). Otherwise you may use any unused IP out of the LAN subnet.
Also ensure that there is a firewall rule in place on the VLAN which allows the traffic to the remote LAN.
Like I said, if the health check that it's doing doesn't work for whatever reason, it thinks the backend is down, then yeah, you get a 503.
I never went into looking any deeper into why, say, the http check doesn't work for the ombi service, for example. Because I only have 1 server, there is little need to actually know if it's up or not for loadsharing, etc.
I think the OP asked specifically for an "allow list" at firewall level, additionally to the win SFTP server whitelist.
Then it means to me he wants to know how best to make an alias in pfSense with multiple IPs that are already whitelisted SFTP side.
@Smoothrunnings If you want/can do it manually, you set up an alias with CIDR addresses as you want (either /32, or whatever mask you need; sometimes a whole subnet is preferable, sometimes not, depending on your case).
Or if you want to automate it, you can use URL aliases (URL link to an automatically generated text file with all IPs/CIDRs in it, generated by the SFTP server or something and made accessible through an internal/minimal web server, for example).
You can check the full doc here, as there are more possibilities: https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html
And when your Aliases are ready, you just need to specify them in "Source address" for your port forward rules to the SFTP server.
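As an added illustration of the automated URL alias approach described above (example code, not from the forum post or from pfSense itself): a small script that turns an SFTP server's exported whitelist into the text file a pfSense URL Table alias fetches. The whitelist format (one IP or CIDR per line, optional '#' comments) and the output path are assumptions; invalid entries are rejected rather than guessed at, and overlapping blocks are collapsed.

```python
# Added example: build the text file behind a pfSense URL alias from an SFTP
# server's whitelist. Assumed input format: one entry per line, bare IPv4/IPv6
# addresses or CIDR blocks, optional '#' comments. Output: one CIDR per line.
import ipaddress
from typing import List, Tuple

# Constructed sample whitelist, mimicking what an SFTP server might export.
SAMPLE_WHITELIST = """\
# exported allow list
203.0.113.10
203.0.113.11
198.51.100.0/24
198.51.100.64/26        # already covered by the /24 above
2001:db8:abcd::/48
203.0.113.10            # duplicate
not-an-address
10.0.0.0/8
"""

def parse_whitelist(text: str) -> Tuple[list, List[str]]:
    """Return (valid network objects, rejected lines). Hosts become /32 or /128."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=False accepts host bits set, e.g. 10.1.2.3/24 -> 10.1.2.0/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)             # never silently widen on bad input
    return nets, rejected

def to_alias_lines(nets) -> List[str]:
    """Deduplicate and collapse overlapping/adjacent blocks, one CIDR per line."""
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]

def build_alias_file(text: str) -> Tuple[List[str], List[str]]:
    """Alias file lines plus the entries that were rejected, for review."""
    nets, rejected = parse_whitelist(text)
    return to_alias_lines(nets), rejected

if __name__ == "__main__":
    lines, bad = build_alias_file(SAMPLE_WHITELIST)
    # Assumed output path: whatever file the internal web server publishes.
    with open("sftp_allow.txt", "w") as fh:
        fh.write("\n".join(lines) + "\n")
    print("rejected entries (check these by hand):", bad)
```

Point the URL alias at the published file and use it as the source of the port forward rule; review the rejected list so a typo in the whitelist does not quietly drop a client.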
@gertjan Thank you very much. The Host Override did the job. I also found that I might have had wrong DNS resolver settings: I chose both the "Network Interfaces" and "Outgoing Network Interfaces" to be all.
However, I do not understand why I cannot use Scenario 3 to access the website. The "Host override" option in DNS resolver overrides the public IP address with the webserver's local IP, making it Scenario 2.
This resolved the issue but I don't know if this is a safe method. Can someone explain what risks or vulnerabilities I have opened by enabling this? I also have Pure NAT enabled.
Well, a NAT rule on pfSense is a NAT rule as on every e*@!#& router on earth. pfSense doesn't change or add anything to that.
The good thing about pfSense is that it has a good manual about natting. It won't teach you what NAT is, it tells you how to do it.
You need to know if your 'device' (tv decoder) needs to have port(s) opened. What's in the manual of that tv box? What does the ISP say? Or the company from the box?
Something very (highly !!) unusual these days: opening ports for a tv thing.
It's the box that gets the information from its 'TV' servers; these servers are not pushing traffic to your box.
Basically, you have to open ports when you start to host something that needs to be accessible from the Internet, or parts from it.
On the other hand, I do have a TV box that actually only works with my 'ISP' router.
Because that stupid thing uses a special VLAN configuration and g*d knows what other strange configurations. So, fine to me: behind my ISP router I have 2 devices: this TV box and pfSense.
@johnpoz Ah, I didn't mean to include the word 'Reflection' there - I was meaning the idea of keeping the traffic internal in that statement (which shows I needed to beef up my understanding a bit more!). After doing some more research, I tend to agree that reflection is perhaps not the best idea.
Something for me to think a bit more about. Thanks for the input as well @AndyRH - it has helped to direct my research 😊
@johnpoz Exactly, I can access my services either using their local LAN IP or using DDNS (NAT reflection) when using NAT+proxy, but not when using pure NAT. I have read that pure NAT is better than NAT+proxy, and I would also need it once Netgate fix this issue: (https://redmine.pfsense.org/issues/7727), and those are the two reasons why I need and want to use pure NAT.
That's a limitation in miniupnpd itself, as far as I'm aware they haven't added a way to disable that check. They added some related things to help pf use specific addresses to work around it, but it still won't let you use a private address directly on the WAN.
Need to raise the issue again with miniupnp and see if they will add a daemon or config file option to disable that check.
Unfortunately, all the NAT issues came back again. HAProxy does not respond on the HTTPS port from outside the LAN network, and Xbox NAT status changed to closed again, even though both use the same port forwarding settings that I had in the previous version 2.4.5p1.
I have reloaded v.2.4.5p1 again with the same port forwarding setting, and everything started working again. Xbox NAT status is Open, and HAProxy correctly working from WAN.