Thank you. Now the connection works.
It was still missing the outbound NAT for Reflection.
I have to test the telephony now. ;-)

@mirak
So I would look if there is any setting needed to allow forwarding in the hypervisor.

@sirioinformatica
This is a sort of proxying and it forward certain requests to another server.

I suspect, it is forwarding the requests with the origin source IP and the destination server is responding directly to it. If you're unsure check this out with Diagnostic > Packet Capture.

If this is the case, pfSense will not pass the respond through, since it has no state for the responding server.

@deekayw0n I have not. Please feel free, or let me know if you'd like me to.

@viragomann Yes, both connections use the same path through the firewall. I can see the websites when I use the internal ip address of the respected WordPress container.

Yes, all LXC and VM are in the same subnet.

How can I tell in which mode the Nginx proxy manager is running? (I have installed the Nginx in a VM and it's running in a docker container.

@kubenaab This is your best bet but it doesn't work in 2.6

https://redmine.pfsense.org/issues/10818
https://github.com/marjohn56/udpbroadcastrelay

@tkolaski Vague guess, maybe something in the outbound NAT? 1:1 should define its own outbound NAT rules so you shouldn't need to set up anything in outbound NAT.

Could anything else on the WAN side of pfSense be using that IP?

@cyberconsultants said in block external requests via NAT — destination address "!LAN address" vs. "!This Firewall (self)":

the documentation guide says to use "!LAN address" as the destination address. any reason/s, for security or otherwise, to use or not to use "!This Firewall (self)" instead?

Not that I can think of for this purpose.

If you provide the DNS server by the pfSense DHCP it will use the interface IP with default settings. So basically no client might access any other pfSense IP, but it would be possible of course. I redirect all DNS and NTP requests on all my internal interfaces to my LAN address for instance.
But "This Firewall" should also fit for natting DNS.

@termal71 Ensure any firewall on the 56.5 server allows connections from the 58.x network.

This post talks about and outbound NAT rule https://forum.netgate.com/topic/179251/port-forwarding-on-lan-interface/6 but I think that's just to get around the server only listening on its own network.

Edit: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

@airone-0 said in pfSense and NAS port opening:

Do you have an answer?

We already went over that answer - if your not asking the dns where you setup the override, then no your override wouldn't work..

If I ask billy for john's phone number, and billy doesn't even know a john how would he know john's phone number..

Not sure what your pc is asking, 192.168.0.1 - is that pfsense?? If so then it should resolve the PTR for the server name, and not come back unknown..

As to that first example - that is just asking itself, ie lookback 127.0.0.1, where it actually gets forwarded you would have to check on wherever system that was - your nas?

Thank you Viragomann,

It worked -- though I did have to make a few unexpected tweaks (this is very likely due to my very incomplete understanding of what's actually going on here).

For posterity, my settings are below:

Port Forwarding Rule:
interface: LAN2 (which is where my pcoip device lives)
protocol: TCP/UDP
source: any
dest IP: 1.1.1.1
dest port: 4172
target IP: NetworkA IP
target port: 6666

Outbound NAT Rule:
interface: WAN
source: any
dest NETWORK: [upstream subnet ]
dest port: [no such parm for the network]
translation: interface address

My current setup is:

isp modem -> udm pro -> pfsense -> pcoip zero client

Thank you again for taking the time -- there is soooo much to learn!

Best,

G

Thanks for the help guys. I have fixed it by setting up a port forwarding for my external IP

VPN wasn't possible because I have not set up 1 for them. I'll use it for the meantime while I'm studying how to set up vpn

@jordanet

Why not setting up the VPN part at the AVM FB and then
you may be securing your entire LAN behind the AVM
with the pfSense? OPNVPN, WireGuard and IPSec are
all on board as today (if your Fritz!OS is fresh enough!)

You connect the AVM FB to the other VPN end, set up
at the AVM FB site also;

Able to open Ports by itself (for the pfSense) Give that device even the same IP address
Or set up an static IP address at the pfSense

You should set up at the pfSense site now;

WAN set up uncheck the private IPs blocking

All should be fine for you now. If there is an NAS, server
or other devices that must be reached from the outside
(Internet) and also from your LAN it is the best to set
them between the AVM FB and the pfSense (real DMZ).

It is common, you can VPN to the AVM and use also the
APPs from them and on top you may be able to use the
My!Fritz service from AVM and by side your LAN is secured
anyway by the pfSense.

@bvohwk said in WAN(local network) to lan pfsense:

Also a rule is made on the wan to allow wan net to any

This is not needed for the NAT rule to work, and it will allow any device in the WAN network to connect to the pfSense web GUI (and DNS, and SSH if enabled). On an Internal network that may not be so bad but if WAN was a public IP address I would strongly advise against it.

@viragomann Thank you for the guidance. I couldn't add a ph2 because the other end wouldn't connect, but I was able to configure the local as 10.0.0.0/8 and that covers everything we need.

The port forward ended up working for 1433 and it went through !

Thank you for your help!

@stgeorge said in FTP Server outbound?:

10 port range of data ports

Are those the 10 ports specified in your FTP server?
Check your logs - there will be blocked traffic calls. I have my own PureFTPd server set up with a hard-set range of ports for transfers and those are blessed in the firewall and it works flawlessly.

@issa2023 and so did you sniff on pfsense to actually make sure that traffic to 32400 got to its wan, so it could forward it..

This is step 1 in trying to figure out what your doing wrong in a port forward - if the traffic never gets to pfsense wan, pfsense can not forward something it never sees.

On your nat device in front of pfsense, you forwarded 32400 to pfsense wan IP that 25.20 address?