• Replicating a Sonicwall NAT rule on PFSense

    3
    0 Votes
    3 Posts
    679 Views
    K

    Yeah! Magic or not, it worked immediately!! :)

    I'm super grateful for your quick help, Derelict!

  • NAT on 27 net not working

    8
    0 Votes
    8 Posts
    1k Views
    johnpoz

    What VM software are you running on - there are some stickies on having to do some settings on some of them..

  • Bulk add SNAT rules for 1024 public WAN IPs (datacentre project)

    2
    0 Votes
    2 Posts
    546 Views
    V

    To map whole subnets should be possible in pfSense outbound NAT.
    You can add a rule for a source subnet and at Translation select "Other subnet" from the bottom of the dropdown and enter your public subnet below.
    Maybe you also need to select "Bitmask" from the pool options.

    If you need special mappings defined in a translation table, there will also be a way to script it.
    Go to Diagnostics > Backup & Restore, select NAT at "backup area" and download the XML file. Open the file in a text editor and take a look at the rules to get an idea how they are constructed.
    This way you may build up your additional rules and insert them in the XML in the <outbound> section and import the file after in Diagnostics > Backup & Restore.

  • Cisco VPN pass through very slow when behind pfSense

    3
    0 Votes
    3 Posts
    2k Views
    T

    Did you find a fix?

    Tim

  • Question about Multi WAN in and NAT

    2
    0 Votes
    2 Posts
    538 Views
    D

    I have an identical setup apart from WAN2 is a dynamic IP. If you wanted to ensure at least one route IN to your network, you would (I presume) need to use some form of load-balancing outside of your network (i.e. on the internet) or a DNS provider who will try IPs in a round-robin method if one of them is down. There is nothing you can do inside of your network as if WAN1 is down, pfSense has no control of traffic coming from the outside to it.

    If you mean NATting internal to external, if you add both the gateways to a gateway group, the default behaviour is to load-balance outgoing traffic, so the internet will see traffic coming from two different IPs - this is how I have my system set up - it works fine mostly (i.e. I effectively doubled my download speeds when using multithreaded download clients) BUT it can wreak havoc if a website (such as an online bank) has security measures in place which detect a change in IP address. To get around this, I am "whitelisting" certain sites which I know don't like the multi WAN setup and using a firewall alias to tunnel that traffic over WAN1 (my primary connection if you will).

  • Outbound traffic blocked? NAT issues?

    13
    0 Votes
    13 Posts
    7k Views
    P

    @Nullity:

    Yeah, I think a fresh start is a good idea. You never know what settings you may have changed while newbishly clicking random things (I've done this many times myself… dangerous).

    Ok I will try this out and see what happens.

    I have a 60GB SSD coming in so this is all somewhat of practice and somewhat of try, fail, try, fail…
    Hopefully it becomes a success.
    Alternatively I will end up buying solely a cable modem, even though I literally just bought this modem/WAP.
    We'll see!

    I'll update you guys. I really appreciate the help!

  • I'm having a problem with port openings (including NAT)

    3
    0 Votes
    3 Posts
    665 Views
    X

    Thanks for the information! It seems that at least some of the ports are opened. :) Obviously some of the ports opened right after the client's restart so it might have been up to that. Let's see how this will work in the future.

  • 1:1 NAT & reflection on multiwan not working

    3
    0 Votes
    3 Posts
    1k Views
    J

    I had a similar issue, and found this post helpful:

    https://forum.pfsense.org/index.php?topic=74241.0

    Needed to add a LAN->LAN rule with default gateway set (not the MultiWAN that got changes in the default lan to any rule)

  • Issue with plex server after reboot

    12
    0 Votes
    12 Posts
    2k Views
    johnpoz

    " clients get the public ip's from the vpn-provider."

    The client is doing no such thing!!!  pfsense gets an IP from your vpn..

    So your vpn interface on pfsense if it sees traffic to 64603 it forwards it to your plex server 192.168.1.8..

    Here is the thing how does rebooting your plex server have anything to do with that??  Nothing!! It has NOTHING to do with that.. You could reboot every device on your network and does not matter.  You set pfsense to forward traffic it sees on this interfaces IP on this port to this 192.168.1.8.. Doesn't matter if plex server is running or not.. As long as pfsense can arp for the mac of 192.168.1.8 it would send the traffic there.

    So what I would suggest is you figure out why when plex restarts you're having whatever problem it is you think you're having.. Again.. How are you trying to access plex server - from where??  Why don't you go to canyouseeme.org and generate traffic to your IP that you have on your vpn interface.. To the port 64603.. Do you see this traffic at pfsense?  Sniff - does pfsense send it on to 192.168.1.8??

    You got failovers on your multiple wan options, you have an overlap in your manual outbound nat.. So which one is getting used the /24 or the /26 etc. etc.. Since that would be an overlap for your 1.8 address..

  • Block IP but redirect traffic to internal server.

    1
    0 Votes
    1 Posts
    494 Views
    No one has replied
  • Port-forwarding: Clarification needed

    9
    0 Votes
    9 Posts
    2k Views
    P

    Alright, looking at the IP of the Port Checker was the right call because it showed that the traffic on 10.0.0.51 was using the OpenVPN interface on the PFsense router. It should not have been doing that though. Maybe it's paranoid?

    In all seriousness thank you for the help!

  • NAT Hairpinning / Reflection / loopback [Solved]

    10
    0 Votes
    10 Posts
    5k Views
    L

    In VM NAT reflection, on real network Split DNS.

    Leo

  • Troubles port forwarding HTTPS

    5
    0 Votes
    5 Posts
    3k Views
    A

    @doktornotor:

    Yeah, DMZ won't normally DMZ the webGUI port, otherwise you'd just get cut off. Bridge the DSL modem. Does not help? Check the ISP about 80/443 blocking.

    I feel really silly right now. I logged into the internet router (192.168.1.1) and noticed that port 443 was still configured for the server's old address prior to being moved to the pfsense network. I have removed the NAT config and left DMZ configured and everything works now.

  • RDP NAT/FORWARD

    6
    0 Votes
    6 Posts
    2k Views
    J

    @KOM:

    do you mean I need both NAT and rules ?
    I mean when you create a NAT it create automatically a rule on the WAN side?

    Yes.  Normally the associated firewall rule is automatically created unless you tell it not to.

    When your "WAN side is 192.168.100.20", obviously no forwarding will be possible without configuring the "upstream" router first.

    He mentioned LAN-side on the Cisco so I'm assuming he's trying to access from 192.168.110.x.  Can you clarify, Jamerson?  Which network are you trying to come in from?

    Thank you so much, guys.
    I had to reboot the pfSense and stuff started working.
    Probably after creating the NAT rule something hung; the reboot fixed it.

    I much appreciate your support.

  • VoIP over VLAN Interface

    5
    0 Votes
    5 Posts
    1k Views
    K

    Hello,

    I tried a lot of configurations. But I think I made a mistake. None of your suggestions achieved the goal.
    So I tried to draw a picture of my network.
    I can resolve the DNS name sip.htp-ngn.de on my pfSense, but another PC can't do that.
    The pfSense got an IP address over the WAN interface. This interface will be the default gateway.
    The network interface OPT1 is a VLAN with ID 10 and is re0. From this interface I got per DHCP
    the configuration for VoIP (IP address and DNS servers).

    20170109_Netzwerk_übersicht.png
    20170109_Netzwerkkarte_LAN.png
    20170109_Netzwerkkarte_OPT1.png
    20170109_Netzwerkkarte_WAN.png

  • How to set NAT 0 on PFSENSE

    2
    0 Votes
    2 Posts
    2k Views
    jimp

    Firewall > NAT, Outbound tab. Switch to Hybrid mode, then Save.

    Make a custom rule, check "Do not nat" and then match the source network you want to leave without NAT.

  • FTPS behind pfSense

    2
    0 Votes
    2 Posts
    2k Views
    johnpoz

    Where did you get the idea that ftps is any different than ftp for pfsense and no proxy?  ftps does not normally use 21, it normally uses 990..  Did you forward 990?

    The point is that ftps wouldn't work even with the proxy/helper because pfsense can not see the control channel to even forward the data ports for you - so when using ftps you would always have to manually configure the correct ports when using passive.

  • IPSEC and NAT / SNAT / Outbound NAT

    2
    0 Votes
    2 Posts
    671 Views
    A

    Hi,
    please can everyone help?

    Best regards
    Alex

  • NAT not Working with HAProxy + pfBlockerNG + DNSBL?

    1
    0 Votes
    1 Posts
    682 Views
    No one has replied
  • NAT from single host

    8
    0 Votes
    8 Posts
    1k Views
    D

    Really, what is the point here? Just block the traffic if you don't want to let it out. Stop mucking with NAT and breaking everything else. The keyword here is ANY, not WAN net. Block 80/443 from LAN to ANY (or, NOT your proxy). No need to ever touch hybrid and god knows what other outbound NATs.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.