@Gilera Buying more IP’s is not an option for me. I agree though, I do not understand how a cheap supplied WiFi router can give you open NAT on both boxes and play online no issues. I did notice the second Xbox trying repeatedly to open port apon port trying to connect to COD serves when pfsense was configured to give both boxes Open NAT. Almost seems like pfsense is not keeping track of the ports and the traffic is not getting thru for the second one. Also the supplied WiFi router from charter seemed like it was a static port hybrid, where it would static port if it was able to, but then change the destination port if it could not. In the end, I went with one Xbox open nat( the wife’s) and one strict nat(mine). The only thing I changed was making mine non static port in the NAT rules. I can still play games this way but not sure why. It plays like it’s open, but it’s reporting as strict.

@nozz Thanks for your time with this. The same way, work's but enable communication with DMZ IP and Internal IP too. I work this with ASA and Checkpoint, and do it. Oscar.

Sorry my mistake. I solved it by myself. Forgot to activate that i can see traffic that passed the firewall. I only saw traffic that got blocked.

Lets us know how it turns out.. have to assume your forwarding the port to something else that is answering.. If just an router and not natting then there shouldn't be any forwards on it.. If its also firewalling - then should just be firewall rules allowing to stuff behind hit.. You sure its not natting? And just routing.

@Crunk_Bass Thank you so much. I will do the way you guided me and will inform you the result. Lokesh Kamath

Thank you very much .. will try it out and get back to you .. i did not configure the baracuda side.. but i will make the changes on my side (site A)

The only time you would ever use nat reflection is as a work around for a horrible app that has your wan IP hard coded in it sort of thing.. Even then it should only be a temp work around until you can slap some sense into who ever created the app ;) As long as the app uses dns to find the dest, you can always just have that dns point to whatever IP you want.

This is easy. First you'll have to make sure you turn off auto-rule generation (if you haven't already), because it'll use all available ports, and you can't edit the auto-generated rule. Then create a rule that allows outbound NAT, and in the "Port or Range" box (with the description 'Enter the external source Port or Range used for remapping the original source port on connections matching the rule.') put in 6000:7000

Prob put a wrong mask on the server.. If the server is on the same L2 as all the other devices that pfsense can ping.. Then its issue on the server.. Validate your setting.. Simple test is just set the server to dhcp - does that work? If so - double check what you did wrong with the static settings. Or maybe you can not ping the pfsense because of firewall on the server? Without exact details it is impossible to help with what is the issue. Can the server ping pfsense, and other devices on the network?

face palm That actually makes more sense Also the any source was for testing from 4G, that’s a mistake you only make once... I use VPN for most things except at work, it breaks to many things when I leave the work laptop at home But thank you for the assistance :)

Port Forwards translate the destination address, etc. Outbound NAT translates the source address, etc. Make an outbound NAT rule for source any destination 192.168.10.254 port 80 with a NAT address of the pfSense interface address (192.168.10.252) on the 192.168.10.0/24 interface.

Works as expected, thanks so much!

There's a policy routing rule needed if you want to route out traffic to multiple WANs: https://docs.netgate.com/pfsense/en/latest/routing/directing-traffic-with-policy-routing.html That's a firewall rule with a gateway option. You have to add it to the interface which is facing to the 172.31.98.0/23 subnet.

Set up a 1:1 NAT in Firewall > Rules, 1:1 for WAN address to the inside host. Place a rule on WAN that passes all traffic to the inside host address.

@camay123 said in Redirect anything Port 25 to port 3333 on lan: but I am just unsure of how to accomplish this, and makes all the settings needed. Create a vlan, or plug in a different dumb switch to another interface on pfsense. Put your box there on say 192.168.34/24 BTW, netcat test is not how the OS and application would work.. Do you not see the security problem with your setup? If that worked I could send traffic to any machine.. All I would have to do is hit a port that is currently being used in a conversation.. To trick/hide from the client that its not talking to 1.2.3.4 out of the public... You need to make sure where you redirect the traffic do doesn't answer from its own IP.. So simple way to do that is just put it on a different network then your client.

as a reference, in firewall / Rules / WAN / my connection 9091 when it stopped it had more than 2000 "state creations", and only the other routing rules had less, they continued to operate. Could it be that this part of NAT is covered? or does it require other walls?