  • How to NAT this in pfsense ????

    3
    0 Votes
    3 Posts
    885 Views
    johnpozJ

    Not sure why you would need to know this?  The openvpn wizard will auto create your nats for you for your tunnel networks.

  • NAT to access a -gatewayless- server

    4
    0 Votes
    4 Posts
    837 Views
    B

    Thanks a lot for your replies

    Apparently I was doing it right but applying the NAT in the wrong interface.
    I haven't tried yet, but for sure this is my mistake.

    Thanks

  • Restrict Port Forward Only From Certain Domains

    3
    0 Votes
    3 Posts
    922 Views
    D

    Just a suggestion, but it may be worth considering an OpenVPN link to bypass all this.

    If there are 15 random "Good Companys" then it might not be feasible, but if you're talking < 3 I think it would be worth the effort for the added security.

    Just my $.02

  • 1:1 NAT not working

    4
    0 Votes
    4 Posts
    2k Views
    A

    I had some problem when upgrading from a 2.1.x to 2.2.x, if you feel like trying then maybe you could try this.

    In System < Admin < NAT

    Set "NAT Reflection mode for port forwards" to NAT + Proxy.

    Checked "Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks"

  • Outbound NAT over IPsec with BINAT

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Dual WAN, but NAT rules do not work on Primary WAN

    1
    0 Votes
    1 Posts
    679 Views
    No one has replied
  • NAT all traffic from alias except a single port/IP

    23
    0 Votes
    23 Posts
    3k Views
    DerelictD

    The first rule with the source port 563 is probably doing nothing.

    There is no such thing as a bi-directional rule on an interface tab.  They only match traffic being received by that interface.

    The firewall state is created which automatically allows return traffic for that connection.

  • What could be blocking all OPT1

    8
    0 Votes
    8 Posts
    1k Views
    C

    What is your subnet mask for your DSL ip range?

    Ah! An excellent question.

    I had the default value of /32 configured for the WAN_DSL.  Every time I edited the Gateway page for the WAN_DSL, it threw an error saying that the .1 was not in the range.  The gateway was defined in the WAN_DSL Interface page (accepted it without error).  Then I was looking at dhcp for the WAN_DSL (not enabled) but it showed a really short range.

    I switched the subnet mask for the WAN_DSL interface to /24 and the gateway came back to online.

    Small piece of the puzzle fixed.

    Sadly it did not resolve the problem of the complete blocking of all traffic on the WAN_DSL.  Before redoing this from scratch, I had it working and I've done something, or missed something that will probably open this up.

    Thanks for your help.

  • Seven H.323 devices behind 1 public IP

    4
    0 Votes
    4 Posts
    943 Views
    S

    You should be good actually, I misread and didn't see where you had specified the ports on each device.
    In that case a proxy is not needed. It's when it's using dynamic port ranges that it has issues.

  • Dynamic DNS + Port forwarding (Internal access issues)

    8
    0 Votes
    8 Posts
    4k Views
    M

    Thanks guys.

    I do have different hostnames already, but I didn't think of doing multiple dynamic dns hostnames, that may be easier.

    Also I was thinking of using a reverse proxy for SSL termination on owncloud, so may as well go ahead and set it up to handle everything else

  • NAT redirect back

    12
    0 Votes
    12 Posts
    2k Views
    KOMK

    I could say the same, do you know the OP personally

    I am not the one claiming he still has the problem which our suggestions didn't solve.

    However, creating an argument about others' opinions and thread is not really helping anyone, not sure what the point of such comments is.

    The only 'argument' here is between people who have a history of knowing what they're talking about versus those who don't.

    I'm just sharing that I personally tried those "well known" solutions and still have the issue.

    Then I guess you are cursed, or you don't have the same problem, or you screwed up the solution.  Can't tell based on you saying 'it doesn't work'.

  • Port forward when PF sense Wan address is a private address

    8
    0 Votes
    8 Posts
    1k Views
    N

    Thanks Johnpoz,

    That worked, I had entered the info as described in the picture except I entered the source address rather than leaving it blank, as soon as I cleared it, it worked.

    Thanks very much for your help
    Nick

  • Slow connection while using NAT reflection

    12
    0 Votes
    12 Posts
    3k Views
    D

    @doktornotor:

    Here's an idea repeated about 378,264 times: stop using the goddamn NAT reflection clusterfuck. No one cares how slow it is. It certainly still is faster than you wasting days and weeks or months with such nonsense instead of setting up things properly. If it's slow for you, then get faster and fix your configuration to point things to where they exist and listen.

    @doktornotor. I understand your position. But I am also a developer. I am not satisfied with things that "just work" or "just don't work". I am here trying to understand why it is slow and if people that use it for a long time or the developers are aware of it. But I still don't have an answer.

    People are trying to solve my problem, or show information that is clearly described in the documentation. Telling me how idiot and stupid I am because I am trying to understand the minor workings of a resource that nobody likes or recommends to use. I appreciate all replies, but this is not what I am looking for. IMO, it is up to each sysadmin to decide what is the best configuration for their network. If someone wants to use NAT reflection for whatever reason, I think we should ship a good solution that works the best it can.

    My current experience is showing that "NAT + Proxy" option is suffering from a very unusual overhead in comparison to "Pure NAT" option. I understand the differences between these options, and I know that a performance difference should be expected between them since one works in a lower layer than the other. But I still think the overhead I am experiencing is very significant to be caused only due to the service characteristics. I was able to reproduce this slowness in an idle server running simple queries to a database. My guess is that there is something wrong with the Proxy service of NAT reflection.

    For example, if you tell me that "the Proxy service of NAT reflection is badly coded, nobody maintains it for years, and everybody hates both the programmer and the proxy", maybe I try to put my hands on it and code a faster one.

    Or if you tell "the Proxy service of NAT reflection suffers from a high overhead because it works in a high network/application layer, we already optimized it to the best we were able to, but there is really nothing much to do, there's no free lunch, really", maybe I stay quiet and satisfied with the answer.

  • MOVED: Bypass Transparent HTTPS Proxy

    Locked
    1
    0 Votes
    1 Posts
    523 Views
    No one has replied
  • MOVED: Windows Server 2012 PPTP Server

    Locked
    1
    0 Votes
    1 Posts
    610 Views
    No one has replied
  • NAT over NAT?

    12
    0 Votes
    12 Posts
    2k Views
    johnpozJ

    "I double NAT in my lab all the time"

    I hear ya - sometimes you have to, shit at work there are so many freaking nats it makes my head spin sometimes.  And a joke I like to use when troubleshooting with fellow techs at work is "we need another nat" there are only 3 ;)

    But to be honest it is something to be avoided!!

    As to your design gohancore - while you might not be able to modify it for the course work your instructor wants you to do..  I would bring it up to him for discussion that it's a BAD design and there seems in this scenario no reason to nat the downstream rfc1918 networks if you're just going to want to block one, etc..  But as Derelict has mentioned a couple of times now the easy fix is to use a different IP on the wan of your linux box for the nats for the networks on the inside of the linux router so that you can just block the 1 you want at pfsense.  Maybe this is the solution your instructor is looking for??

    Not sure why he just doesn't try and teach whatever concept he is trying to teach you without nonsense like double natting..  Why not show you how to work with a downstream router via a transit network, which seems to be something lost on many other users of this forum as well ;)

  • NAT Config for Redundancy and to Force traffic to one WAN Interface

    4
    0 Votes
    4 Posts
    983 Views
    C

    NAT has no impact on where traffic goes, firewall rules and the system routing table determine that. NAT only specifies how traffic going via that interface is translated.

  • 1:1 NAT - Host range vs. subnet

    3
    0 Votes
    3 Posts
    1k Views
    F

    Thanks - I'll investigate that idea. I was also thinking I could create just one entry, then backup the config, and write a small utility to generate the rest of the ranges. The config is a XML file, right? Should be fairly simple once I know the structure.

  • Forward 80 port to proxy host in LAN

    11
    0 Votes
    11 Posts
    3k Views
    johnpozJ

    How exactly are you going to do a man in the middle with https creating certs that the roku would trust?  Can you install trusted ca's in your roku?

    Some devices do not support proxy, why should they – they are designed for the home..  I wish my net thermostat supported wpa enterprise or 802.1x but doesn't ;)

  • Port Translation - Port Forwarding from one port to a different port

    2
    0 Votes
    2 Posts
    736 Views
    M

    This post help? https://forum.pfsense.org/index.php?topic=83592.0

    In a nutshell, the NAT rule handles the port translation bit.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.