Hi Derelict!
I am in the exact same situation as NekoSema and tried to solve it the same way, before stumbling upon this thread.
I already did what you said, except for:

"X.X.28.3 needs to know to route traffic for X.X.96.0/24 back to pfSense. (Guessing on the subnet since it was unspecified.)"

I don't know how to accomplish that. I thought it might be a static route, but I don't know how to define it.
I know this thread is old, but it is the exact description of the situation that I am facing.

@eiger3970-0 said in I port forwarded, but why is port still closed?:

run VM OPNsense

I think your lost..

vm router pfSense 23.1.11_1-amd64

There is no such version of "pfsense" - again your on the wrong forums.. Ask over on the software your using forums.

But common issues with port forwarding, is the port never actually gets to your edge, sniff on your wan to validate traffic is actually getting to your router that is going to forward traffic. Where your forwarding has its own firewall, that is not allowing the traffic, your using the wrong port, or the port your app is listening on is different than you think, or its not even running. Or you device your forwarding to isn't using the device your forwarding from as its gateway.

That is an odd place for it to throw an error. It suggests it had a problem writing that file out.

Gut feeling says it may be hardware (e.g. disk/ssd) but it could just be the filesystem if it's UFS. Running a filesystem check a few times might help.

If the disk is using ZFS then it's more likely to be hardware.

@Octopuss Ha, problem identified: ESET Smart Security's firewall. I have no idea what it does, but it blocks this. I forgot the software had actual firewall in it. Now I have to dig into the settings, bleh.

@viragomann Thanks, that's got this working now

@cysec
So obviously the Windows machine is not able to resolve host names.

As you've did the network settings on the vm manually, you need also to configure a DNS server to be used. By default pfSense provides the DNS resolver, so you can set the pfSense interface IP as DNS on Windows.

@viragomann , thank you.

It was indeed a floating firewall rule that was causing the problem.

After disabling it, all is working as expected again.

@viragomann
Cool! Thanks for the suggestion.

@3Texans By any chance, did you get it to work? I moved from Ubi Edge router Lite to PfSense and Obi200 GV config is broken for me. Would really appreciate if you could throw some lights in case if you were able to fix it.

Lets hope it is for a good cause.

Update, I Was never able to get this working properly, but Now that the 2.7.0 update has been released, once I updated, everything is working as expected. not sure if it was some sort of Hyper-V Driver issue, or some other bug that was fixed in this release.... just glad I can utilize my secondary internet connection better now. thanks for all the help!

@SteveITS Thank you! It was not. One other thing I forgot was I had DNS over TLS and some off these settings weren't properly configured. (https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html) with this properly configured even my work PC which tries to leverage a cooperate DNS server is forced back to my resolver (which properly resolves to my LAN address inside the network). At some point I will try your option which is also a great solution.
Thanks for your reply!
-b

@DirectRaw If that packet capture was on the VTI, it means your routes on pfSense1 are correct.

What about pfSense2? Do you have a route to send traffic to destination 172.19.0.1 through the VTI?

@ivarh
The outbound NAT rules are applied to interfaces. So they have nothing to do with gateway groups at all.
If you want them to specify only once for multiple interfaces, you can create an interface group and apply the rules to this.

@GameHoundsDev said in allow access from internal device to another internal device:

I am trying to allow internal VM to communicate with another VM

You need both

Ethernet level 2 connection. This is most easily done by having them on the same LAN. Within Proxmox that is done most easily by having them on the same bridge (the virtual equivalent of a physical Ethernet switch)

IP routing (if you intend to use a WAN IP to access a local LAN device). Look at NAT reflection

@fejzulla-neziri said in advanced configuration:

also services dns resolver
Host Overrides added domains but nithing

This is the preferred method to go, presumed your local computers use the DNS Resolver to resolve host names.

So ensure that they do conventional DNS requests, not DoH.

Consider to redirect all DNS requests to the localhost on all internal interface and to block DoH with pfBlockerNG.

Also ensure that you firewall rules allow access to the web servers.