• Newbie question on portforwarding

    6
    0 Votes
    6 Posts
    947 Views
    johnpozJ

    NP..

  • Port forwarding and static IP

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ

    As already mentioned - you could create a reservation for this server.  Or just set your pool to leave some IPs on either end or both ends of the segment for static assignment.  For example if using a /24.. set your pool .10 to .250 this leaves you IPs on both ends for static use.

  • Local 1 : 1 NAT

    1
    0 Votes
    1 Posts
    468 Views
    No one has replied
  • PfSense 2.3.2-RELEASE1 Port Forward not Working

    8
    0 Votes
    8 Posts
    5k Views
    johnpozJ

    192.168.1.235.61414 > 93.123.118.235.8989

    Looks like you're testing from inside your LAN trying to hit your public IP to get reflected back in.. NAT reflection, that has nothing to do with normal port forwarding.  Did you enable NAT reflection?

    If your box on 192.168.1.235 wants to talk to 192.168.1.28, why would it send traffic to 93.x.x.x?  I would have to assume both of those devices are on the same /24, i.e. 192.168.1, so why would you not just talk to the .235 direct?

  • Inbound Load balancing

    1
    0 Votes
    1 Posts
    525 Views
    No one has replied
  • [SOLVED] OpenVPN site to site SSL with NAT

    2
    0 Votes
    2 Posts
    570 Views
    H

    Seems Photobucket is having issues. Attached my network diagram here.

    I've also tested a 1:1 with the attached settings:

    Interface: VPN
    External Subnet (one I'm spoofing)
    Internal IP: 192.168.1.0/24 (in the picture it is 172.16.1.33, but that is my test environment).
    Destination IP: *** EDIT *** I left this blank in this case, but I've since changed it to be just the source subnet I want to NAT.

    What happens in this case is the client can ping the spoof address of 172.16.2.1, but the response claims to be 172.16.2.33.

    HOWEVER, if I ping a different IP that isn't the default gateway, it returns with the right response.

    In short:

    I've solved my problem with a really simple 1:1 NAT (guess I should've tried it before asking).

    Hopefully anyone needing this can find it.

    ![network settings.PNG](/public/imported_attachments/1/network settings.PNG)
    ![SSL VPN.jpg](/public/imported_attachments/1/SSL VPN.jpg)

  • Unable to perform 1:1 NAT on secondary WAN ports

    3
    0 Votes
    3 Posts
    559 Views
    B

    @chpalmer:

    What version of pfSense are you running?

    Physical interfaces for both WAN's?  Or VLAN's??

    Need more info!

    Sorry.
    It's ver. 2.3.3-DEVELOPMENT
    However it has acted the same way on previous versions.
    Thanks!
    -Brian

  • Only open nat ip

    12
    0 Votes
    12 Posts
    2k Views
    johnpozJ

    So are your clients trying to go to 40.40.1.12??  While the box is right next to them on 192.168??  What is the point???  Just set up a host override to point test.com to your 192.168 address that it is being hosted on.

  • How to configure openDNS+Squidguard and googleDNS with two IP range

    1
    0 Votes
    1 Posts
    723 Views
    No one has replied
  • NAT HELP

    1
    0 Votes
    1 Posts
    630 Views
    No one has replied
  • 0 Votes
    4 Posts
    814 Views
    D

    Well, it certainly doesn't hang anything. If you do this over VPN, well then that's a bad idea. If you want something less intrusive, use filter_configure_sync().

    Not a fan of similar craptastic hacks like messing with something from CLI that's not supposed to be used from CLI at all.

  • 0 Votes
    2 Posts
    1k Views
    S

    OK… I got my script working. Turns out it wasn't the command that pulls the port from PIA that was causing my issue. It was the line where the CLIENTID is generated. It seems just adding the pipe that removes " -" made the difference. Not sure why but it doesn't matter. It's all happy now.

    CLIENTID=$(head -n 100 /dev/urandom | md5 -r | tr -d " -")

    However, I am having the same issue now that Elegant and qwertytheking are having with regards to a port change not applying at least right away. Like qwertytheking mentioned, if you access the port alias and save/apply it, it opens that port but until then, it's still closed.

    Is there a command or something that saves/applies these changes through CLI that I can add to my script?

  • PIA single port forward limitation

    3
    0 Votes
    3 Posts
    874 Views
    M

    I've just tested it.

    If you change your Client ID, each client ID gets its own Port. So you can have lots of ports.

  • PIA OpenVPN - Port Forwarding issue

    1
    0 Votes
    1 Posts
    723 Views
    No one has replied
  • Cannot reach bridged DMZ from natted LAN

    1
    0 Votes
    1 Posts
    663 Views
    No one has replied
  • Multi WAN and double NAT

    1
    0 Votes
    1 Posts
    542 Views
    No one has replied
  • Connection Drop after 10 Seconds, TCP, HTTP

    26
    0 Votes
    26 Posts
    8k Views
    M

    @Nullity:

    I wonder why tcp.first & tcp.open made an impact since I assume tcp.established should be the only relevant parameter.

    I'm too curious to leave it alone but I guess if it works, it works.

    Why did you change state tracking to sloppy (or none?)?

    I've switched it back to sloppy for the moment; if it still works set back to normal then I will move it there permanently. I set it that way in troubleshooting though.

  • Port forward egress packets not being rewritten

    4
    0 Votes
    4 Posts
    1k Views
    R

    Thanks - just found the bug having established the connection! https://redmine.pfsense.org/issues/4326

    That explains why it broke after the upgrade from 2.1.5 :-(.

  • LAN Interface stops working some times - pfsense 2.3.2

    5
    0 Votes
    5 Posts
    1k Views
    M

    @devert:

    I'm running pfSense 2.3.2 on a Watchguard Firebox x750e.

    Sounds like it could be driver or hardware related, but likely work-around-able if you can figure out why it's going for a loop.  I've personally had very bad experiences on every piece of WatchGuard hardware I've ever had the misfortune of using, but that's mostly with their ROM still on it, only twice with one that was pfSense loaded (550e's, not 750s).

    I know it's a stab in the dark, but if you have it enabled, try disabling any of the offloading options.  I would lean towards it being directly related to the NIC itself, or the driver in use.

  • IPTABLES to pfSense translation question

    1
    0 Votes
    1 Posts
    462 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.