@viragomann Thank you very much for your answer and explanation, it worked.

@riahc8 hey there,
shouldn't it be enough to work with rules?
iE
IF WAN allow WAN Net (network between pfsense and ISP router), all port, destination IP PC
IF LAN allow LAN Net (or just IP pc), all port, destination WAN Net (or just IP PC2).

That way, pfsense allows connecting net with pc (LAN) to net with pc2 (WAN) and vice versa. If that works, reconfigure so only the needed ports are allowed (and only needed clients in those nets).

Or did the heat here damage my brain?
:)

@JonathanLee hahahahhahahha lol

@viragomann
To access it via VPN was my solution before, but then i realised that it is inconvenient to open a vpn connection on my phone 10 times a day. Sure i could stay connected all day long, i'm using WireGuard, but i don't like that either.
To my knowledge the Home Assistant web interface is pretty secure and i've also enabled 2FA, but there is always a risk in making a web interface accessible to everyone.

I believed I explained the issue incorrectly. Here is the correction:

I have a NAT for SMTP port 25 that works with no problem from external IP addresses (public IP) to a Virtual IP. But not from other WAN Virtual IPs. So I had to create a 1:1 rule for all IP aliases with NAT reflection enabled and now the NAT rule works connecting from other Virtual IPs. There is one problem: the destination host is showing the private IP of the source and not the public IP.

@riahc8 said in Setup pfSense behind a ISP router that cannot be put into bridge mode (Double NAT):

@Dobby_ said in Setup pfSense behind a ISP router that cannot be put into bridge mode (Double NAT):

Will the devices on the LAN interface on
the pfSense work?

pfSense DHCP: On
ISP router DHCP: Off

In my case, I need to leave both on as devices are hanging off the ISP router

Related subject: https://forum.netgate.com/topic/180704/access-network-behind-a-double-nat

@viragomann Yes, it is, but in the customers environment they can't access the hosts native address from the 10.3.3 segment and I was hoping to replicate that limit as well.

@Papa_Dragon
https://www.rfc-editor.org/rfc/rfc1918

FWIW I have also seen the occasional program that detects whether or not it's on a private IP range and changes its behavior accordingly. Or, private networks are allowed by default, public are not, etc.

@SteveITS Trying to use NAT to translate destination addresses. I have multiple connections over VPNs with colliding subnets that cannot change (and I have no control over those networks), and I need the addressing to be transparent. I want to be able to send traffic to 10.a.b.server on my side and translate it to the customersub.server as it goes out the ipsec tunnel.

OK, so it seems to be good news. Whatever is causing this bootup issue in 2.6 doesn't appear to be an issue in 2.7. There are other buggy behaviours (CARP, specifically seems to have some issues), but I would expect this as it's still in development.

My only concern now is when 2.7 is actually likely to release. It's been coming for a while now.....

@Robovic I am having the same issue

@Abelardo-A-M said in PFSENSE + IPSEC + NAT:

NAT+IPsec cannot be configured between two different sized subnets (e.g. It cannot NAT a /24 subnet to a /27 subnet).

That's true. I was expecting that the NAT subnet is used as a round robin IP pool. Maybe you want to try it out.
Otherwise you have to use a single address out of 172.19.0.0/24.

if I remove the pfSense IPs on the 172.19.0.0/24 network, how does the 172.19.0.50 server route the packets to the IPSEC networks?

If you use BINAT with a single address, maybe you can keep the subnet. Not sure.
Give it a try.

@viragomann thanks a lot it works!

@gertjan

Hello,
I was able to resolve the issue
The port traffic was OK as I was able to telnet to a website using port 80
The issue was related to Apache24 configured to localhost
I had to reimage another server and installed NGINX and set the config file details to WWW.
After doing this I am now able to connect to my serving using an external ISP.

Thank you everyone for your response!

@matt_sharpe NAT rules will automatically create a firewall rule for you unless you tell it not to when creating the rule. You should not need to add any rules on WAN unless you want your firewall to be accessible from the Internet.

I can't say I've tried forwarding all ports in a NAT rule though I don't know of a reason it won't work. I have used 1:1 NAT to do that though.

Ensure the firewall on the device on LAN allows connections from outside its local subnet.