Well, whatever. The real point is "it's not pfSense."

And how come this related to Nginx if before everything worked perfectly. I just changed routers…This is definitely pfSense setup problem.

Glad you found it.

So you setup vip on one of your other IPs in your /29 and setup the vip on that and setup the outbound nat for that box your doing 1:1 nat to to use that vip?

If you are going to do port forwarding with your other IPs, you want to make sure that your answering are going back via the correct IP, etc.  If I recall pfsense will auto do it correctly - but if your having issues you need to verify..

So you created all of the vips for your IPs in the /29 ??

And do you have issues when you turn off proxy?

thanks replying.

i will be looking into it,

if you care enough, it would save a lot of time by appending this to the docs.

thanks in advance.

@johnpoz:

"The 10.7.3.0 is not a VLAN. It is, as you said, layer 3 over the same layer 2."

That is BROKEN setup - fix it, make it a vlan or change your mask to be /23 to cover your 2 /24 your running.  Running 2 different layer 3 on same layer 2 is BORKED and needs to be corrected.

10.7.2.0/23 covers your range 10.7.2.1 to 10.7.3.254

Thank you. Clearly I need to study up on subnetting.
I will work on this today and see where it goes.

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

pfSense doesn't care if the NAT host is behind another router or not. Port forwarding just maps the destination address/port on the incoming connection.

So I provide the link, and derelict says check the list per provided link and he gets a thank you and get nothing - wtf? ;)

That is correct.  Forwarding HTTP from LAN out the WAN.

It was over a year ago i learned how to do it.  And from memory I thought i was able to forward all LAN traffic to a proxy server on the same LAN not out the WAN.  I just didn't like that because my proxy server was on my work computer that i used 24/7 and i wanted it on the corp backbone.  Anyways it sounds like there's not a simple solution that i've overlooked.

Guess I'll just try playing around with the settings here at my home and see what i can figure out.

Security through Obscurity is not Security!

What it might do is reduce the noise in your log, since you won't see all the bot traffic probing on 22 and trying to if your ssh open with user/password, etc.

If this guy wants to be secure - I would move him to vpn to be able to ssh in with MFA that makes he jump through like 15 hoops and has 5 seconds to enter his code and then has to ssh from the box you let him into through 2 other boxes inside to get to the box he wants to get to ;)

Then he will feel secure ;)  And make sure his passwords change every 3 days..  And he has to get a new cert for his vpn connection every other day..

I am attempting somewhat of the same thing with setting up a subset for my 3 xbox ones with upnp enabled.  Not much luck.

This look related, but I am not sure on all the details.

https://forum.pfsense.org/index.php?topic=103901.0

why should you delete it?  The next poor schmuck might have done the same thing.. Prob will try and file a bug report for pfsense ;)  You would think there was a million dollar reward or something for finding bugs in pfsense with how many times its mentioned, is this a bug in pfsense ;)

Nice to see you didn't mention "bug" hehehe

Hi ANyone please need your help. My pbx on the same network with my public IP, works just fine. the problem only is my external pbx sees local IP to register per sip/extension, thats way it suddenly unreacheable which supposedly it will get the public IP of the PFSense. Please really need your help about this.

Yeah. What does a capture of the same traffic on pfSense LAN (or whatever inside interface the server is on) show?

Check all of the things listed here as they generally apply to 1:1 as well as port forwards:

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Not sure if I did the right thing, but I got it working by adding these two floating rules

float.jpg
float.jpg_thumb

Ok good to hear about nothing close to having NAT issues.  I'll try capturing on the WAN interface and see what happens.  I sure wanted to put it on a 64 bit system but…the current hardware is so old lol...that's all it supported.  We haven't had any issues with it but have several of those machines left.  It's just hard at the moment with only being able to see what is going on via a remote webex session and the other end not being technical enough to assist.  I will try and see if I can get a capture of the WAN side tomorrow when we start another webex.

What is the IP address of your client?

What is the IP address of your DNS server?

You seem to have switched from natting to .254 to natting to .1.

Port forwards translate the destination address.

Outbound NAT translates the source address.

You need to do both.