@viragomann
Thanks for the tip. I tried this method on eve ng it was working fine. Unfortunatelly i dont have access to the other device and they are not cooperative at all, so i have to use only this pfsense for this. I belive that the other device is a virtualized juniper, i think it can handle multiple ph2 entries but they are not willing to change their configuration.

Thanks for the information!

@o12eMaRkAbLeo glad you got it sorted.. It was an odd one.. I did you had pfblocker there with auto rules. But figured you would of seen an error from before when I asked you to watch the reload.

@TrashCo92

EDIT: Solved the Problem, reinstalled my pfsense and restore my config-file, now it works as expected... ✌

@macaruchi The last rule there is the linked rule ("NAT jce").

The circled rule allows your pfSense WAN subnet to access LAN. Though it probably wouldn't actually function unless something on that network was routing packets intended for your LAN subnet to your pfSense WAN IP.

You've allowed * to access "WAN2_CENSOL address" meaning anything can access pfSense on ports 22/80/443/other. Since that includes 8443 I don't think it will also forward 8443 on via the NAT rule. Note that rule has 27.3 MB of traffic.

I'll ask my ISP can he open these ports.
Thank you @viragomann and @johnpoz for help.

@frog you linked rule shows traffic/states, the numbers on the left.

Did you look at
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
And the VOIP pages at
https://docs.netgate.com/pfsense/en/latest/recipes/index.html#firewall-nat

I assume this is for a business as a residential isp blocks port 25

@viragomann I was thinking that was like the Netscreen devices and didn't think it would matter for us as a small company. We don't need to apply website access rules according to local IP either.

That said, having just checked the Apache logs for one website it is showing the correct client IP for both LAN-based and WAN-based browsers.

Thanks again,

David

I confirm it works when i set 195.80.241.81/32 in NAT/BINAT. Thank you.

@greatrocket
IPSec seems not to be the best choice to realize this. However, yes, you should be able NAT (masquerade) the traffic to get the forwarding work, which means, you loose information about the origin source IP. But I would do this on the internal interface of the other sites router.

If you want to do it on pfSense, you will have to configure this in the IPSec phase 2. But not sure if this will work without if you do the settings only on one site. But you can try.
Assuming you habe a policy based phase 2 already to connect the both local networks.
A "Local Network" enter 0.0.0.0/0, at "NAT/BINAT translation" state an unused address out of the LAN. At "Remote Network" enter 192.168.1.100.
Move this p 2 up to the top.

@tompark
Outbound NAT masquerades outgoing traffic with the stated translation IP. This is needed for outbound traffic on the concerned interface, but it does nothing else, not routing at all.

To route traffic from certain sources out to a non-default gateway, you have to add policy routing rules to the respective interface where the traffic is coming in.

I seem to be having the literal same issue.

VPN works from the desired VM. Outbound packets work properly, but it seems inbound packets are not being properly routed back through AIRVPN_WAN.

Can anyone provide a more detailed solution?

I don't have no any/any rules, only a single rule (created automatically by nat) in the AIRVPN_WAN that allows any tcp/udp to the VM with the port I want exposed.

@dsegui said in NAT overhead:

) it didn't bother me so much that my throughput was just over 1/3 of that rating

So you have been getting low throughput for a long time then? If was paying for 400, and only getting like 100 something I would be complaining or digging into why that is for sure.

90%, ok during prime time 80% of what I pay for - but 30% yeah I would be digging into why that was for damn sure..

But a 3100 should be able to do 900s - i think there is a lawrence teardown and review when it first came out showing benchmarks in the 900s..

If your seeing 150ish - yeah got something wrong that is for sure.. You could take your isp out of the equation for sure.. Put something on your pfsense wan running iperf, and then from a client on the wan do a benchmark - this would be doing nat, etc.

@pdwalkerhk said in NAT Reflection on a multiwan system - need help debugging my problem getting it to work.:

is there any way to debug why the traffic from the local lan to the public ip of the port forwarded ports is not going through?

Sniff the traffic with the packet capture tool on the LAN.

does that reflection firewall rule look correct for my situation?

I would expect it to work.

the default route for the LAN traffic is a gateway group composed of the 4 lan connections. Could this be causing a problem, preventing the nat reflection from working?

You may mean an interface group. This is not a problem, however, ensure that a rule on LAN allows the traffic from LAN IP to LAN destination IP.
The rule must not be a policy routing rule (gateway (group) stated)!

could I use the / Diagnostics / Packet Capture / somehow to find out what is or is not happening?

Yes. You should see packets from the source IP to the public going to pfSense and packets leaving with source = LAN IP and local destination IP.

What do you mean by "stops updating"?

Nothing changes on the screen or does it fail to load?

As far as I can see from here with local testing, UPnP is working OK and the status page is also working.

@viragomann

The rule works perfectly. The problem is that it automatically deletes itself...

Do you have an idea if there is any management like autorule creation / delete.

regards
ron

I am stupid.
The Port Forward rule was wrong.
It should be 192.168.66.0/24 network, but I selected single host and give the ip address as 192.168.66.0. 😅

Thanks @viragomann and @SteveITS !