• Redirect DNS

    9
    0 Votes
    9 Posts
    2k Views
    AndyRHA
    This is how I set mine up. https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1671847956280
  • Reaching destinations via another (more privileged) VLAN

    11
    0 Votes
    11 Posts
    632 Views
    L
    @heper Strictly seen you are right if you say that the rule order is less strict than I did suggest. If there are reasons to choose another rule order (e.g. performance), I use (partly) another order myself. Related to the difference in ^pfSense-rules^ and ^pf-rules^ at this moment I can only say that "pfctl -vvsr" shows that ^pfSense-rules^ are expanded to a lot more rules. Perhaps it is not as bad as I suggested in my example. No time to investigate that now. Whatever, I am not there in the next few days. So I will scratch my head after that break.
  • One of the interfaces setup as an additional isolated LAN not working

    8
    2
    0 Votes
    8 Posts
    613 Views
    K
    @viragomann Thank you, it all works now. I was mistyping the ping address. It's time to go home.
  • One of the interfaces setup as an additional isolated LAN not working

    1
    3
    0 Votes
    1 Posts
    128 Views
    No one has replied
  • SIP Packets are not hitting the firewall from the outside

    4
    3
    0 Votes
    4 Posts
    405 Views
    M
    @SteveITS after disabling the landline phone from my Internet router, the packet started to come :) Thank you very much for the hint :)
  • IPSec DNAT not working

    47
    0 Votes
    47 Posts
    8k Views
    M
    @viragomann I have created an isolated lab for this. Slightly different ranges. Source site = 172.16.43.0/24 Target site = 172.16.200.0/24 Isolated network on target side = 172.16.210.0/24 IPSEC Interface FW rules any/any on IPV4. Also enabled sloppy mode. No joy. [image: 1705511646876-4929c874-460c-4515-8f2c-aa337c71baac-image.png] I was tinkering with Outbound NAT rules for the interfaces to be able to route between each other which led to different results on a picture capture. Not sure if any specific outbound NAT would be required here: [image: 1705511599679-48f545fb-1a9d-4de9-853c-1d6257f94cc4-image.png] [image: 1705511610394-273b324f-1ed5-4c5f-9f3f-14e71c51df30-image.png]
  • Port Forwarding w/ OpenVPN Tunnel - What am I doing wrong?

    35
    8
    0 Votes
    35 Posts
    5k Views
    T
    @viragomann Thank you again. I assume that this also would explain why I did see some kind of traffic with the port sniffing. Apologies for the confusion, my ignorance with assuming masquerading certainly didn't help. Lesson learned!
  • Port forwarding help

    nat port forwarding
    6
    0 Votes
    6 Posts
    1k Views
    Z
    @viragomann I'm using "Any" as port config for accessing the GUI via WAN. Indeed, I need to state a specific port so I can access more than one interface via WAN. Thanks for reminding me of that!
  • Port forward + P2P Service = major network issues

    2
    0 Votes
    2 Posts
    343 Views
    S
    Before anyone points this out, the rules have been turned off temporarily hence the light check marks, while testing the rules below are active. [image: 1705324553021-nat_general.png] [image: 1705324553089-port_forward_nat_rule.png] [image: 1705324553149-wan_firewall_rules.png]
  • 0 Votes
    2 Posts
    367 Views
    D
    Apparently this is because pfSense (pf) uses Symmetric NAT. This makes hole punching impossible.
  • Zabbix Port Forwarding

    5
    2
    1 Votes
    5 Posts
    723 Views
    JonathanLeeJ
    @esilva0608 yes, anything with that subnet's destination must be directed to the other router's address so it can find what you want. It's like a library: it needs the location of where the books or data are. Static route, but just for that subnet's destination: tell it to go to that firewall, and do the same on the other firewall in reverse. If they are geographically separated you will need a VPN networking between them. If you can connect the routers together with a backbone cable you just need a static route. Static route: anything requesting the other private subnet -> send to the other firewall's IP address. Or you can be specific and the source could be a specific IP address only or a couple of them.
  • Mapping public IP to internal host IP for outbound traffic

    4
    0 Votes
    4 Posts
    600 Views
    V
    @fuckwit_mcbumcrumble You need to add the public IPs to the WAN first. Firewall > Virtual IPs Use type "IP Alias", select WAN interface and state the desired IP with the correct /29 mask. Then in the outbound NAT rule at translation address you can select this IP from the drop-down. But it should also work with the alias you've already created.
  • 0 Votes
    17 Posts
    2k Views
    V
    @johnpoz & @SteveITS , thanks for the further feedback and the address for feature requests. I think I'll try using a single IP address for outbound NAT for some time. With currently only around 40-50 users, that should be enough for now. Thank you again for the quick and good help and the many considerations and approaches!
  • pfsense wan up down shell sh

    1
    0 Votes
    1 Posts
    277 Views
    No one has replied
  • 0 Votes
    1 Posts
    272 Views
    No one has replied
  • How to work around lack of bridge mode in T-Mobile 5G gateway

    4
    0 Votes
    4 Posts
    5k Views
    johnpozJ
    @DominikHoffmann I find it highly unlikely that any of these 5G hotspot/internet things are providing a viable public IPv4 address that you could use for unsolicited inbound traffic.. edit: hmmm well butter my butt and call me a biscuit ;) Maybe you can do it with the verizon 5g internet https://www.verizon.com/support/knowledge-base-227033/
  • IPSec NAT IP not working

    10
    0 Votes
    10 Posts
    787 Views
    L
    @viragomann The internal IP in the 1:1NAT it's a computer from our LAN network
  • UDP traffic being blocked by default deny rule

    33
    0 Votes
    33 Posts
    6k Views
    D
    bouncing the states did the trick along with the outbound NAT rule. Of course, nobody is around to answer a radio call, but I'll get to that tonight. Thank you for working through this with me. I've never had to do this before to get a radio site working, but all firewalls aren't built the same and this is just a little quirk that I'll have to document for the future. [image: 1703694893732-states_updated.png]
  • Problem after public IP change

    15
    0 Votes
    15 Posts
    1k Views
    V
    @beluclark What exactly do you get in the browser? Did you try to access it by IP or just by host name? Sniff the traffic on WAN port 80 and 443 and enter the IP into the browser. I'd expect to see the packets.
  • Advised for this nat problem.

    7
    1
    0 Votes
    7 Posts
    679 Views
    johnpozJ
    @periko yeah if you don't want that whole network to not nat, then yeah that would work.. I would pick IPv4 only on such a rule. And you would need to make sure it is in the correct location in your hybrid rules - they evaluate in order. So you created a hybrid nat, or you're doing manual nat.. I never understand why anyone would do manual.. If you need to do something other than the normal automatic nat, then just create a hybrid rule for the stuff you want to do different, etc.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.