• Port Forward over VPN interface?

    0 Votes
    32 Posts
    11k Views
    I seem to be having the literal same issue. VPN works from the desired VM. Outbound packets work properly, but it seems inbound packets are not being properly routed back through AIRVPN_WAN. Can anyone provide a more detailed solution? I don't have no any/any rules, only a single rule (created automatically by nat) in the AIRVPN_WAN that allows any tcp/udp to the VM with the port I want exposed.
  • NAT overhead

    0 Votes
    19 Posts
    2k Views
    johnpoz
    @dsegui said in NAT overhead: "it didn't bother me so much that my throughput was just over 1/3 of that rating" So you have been getting low throughput for a long time then? If I was paying for 400, and only getting like 100 something I would be complaining or digging into why that is for sure. 90%, ok during prime time 80% of what I pay for - but 30% yeah I would be digging into why that was for damn sure.. But a 3100 should be able to do 900s - I think there is a Lawrence teardown and review when it first came out showing benchmarks in the 900s.. If you're seeing 150ish - yeah got something wrong that is for sure.. You could take your isp out of the equation for sure.. Put something on your pfsense wan running iperf, and then from a client on the wan do a benchmark - this would be doing nat, etc.
  • NAT Reflection on a multiwan system - need help debugging my problem getting it to work.

    0 Votes
    2 Posts
    693 Views
    @pdwalkerhk said in NAT Reflection on a multiwan system - need help debugging my problem getting it to work.:
    "is there any way to debug why the traffic from the local lan to the public ip of the port forwarded ports is not going through?" Sniff the traffic with the packet capture tool on the LAN.
    "does that reflection firewall rule look correct for my situation?" I would expect it to work.
    "the default route for the LAN traffic is a gateway group composed of the 4 lan connections. Could this be causing a problem, preventing the nat reflection from working?" You may mean an interface group. This is not a problem, however, ensure that a rule on LAN allows the traffic from LAN IP to LAN destination IP. The rule must not be a policy routing rule (gateway (group) stated)!
    "could I use the / Diagnostics / Packet Capture / somehow to find out what is or is not happening?" Yes. You should see packets from the source IP to the public going to pfSense and packets leaving with source = LAN IP and local destination IP.
  • 23.09 Status Upnp not working

    0 Votes
    3 Posts
    289 Views
    jimp
    What do you mean by "stops updating"? Nothing changes on the screen or does it fail to load? As far as I can see from here with local testing, UPnP is working OK and the status page is also working.
  • Two subnets, virtual IP Address, with one gateway

    0 Votes
    9 Posts
    675 Views
    @viragomann The rule works perfectly. The problem is that it automatically deletes itself... Do you have an idea if there is any management like autorule creation / delete? Regards, ron
  • Linux IPTables NAT to pfSense NAT

    0 Votes
    12 Posts
    2k Views
    I am stupid. The Port Forward rule was wrong. It should be 192.168.66.0/24 network, but I selected single host and gave the IP address as 192.168.66.0. Thanks @viragomann and @SteveITS !
  • Port Forwarding to Plex Container

    0 Votes
    4 Posts
    581 Views
    @Tzushca There's a list of things to check here: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
  • Port forwarding to an additional public IP instead of the WAN address

    0 Votes
    10 Posts
    832 Views
    frog
    @viragomann The 1:1 NAT to the 2 internal IPs worked so thanks for everyone's help. Much appreciated.
  • Script to change NAT rules

    0 Votes
    1 Posts
    252 Views
    No one has replied
  • Automatic outbound NAT showing old subnets and not picking up new ones

    0 Votes
    9 Posts
    825 Views
    Rookie mistake. Testing using a cell phone and missed the DNS issues on the new subnet ;( Thanks for being so responsive.
  • PLZ Help!!! Failing at Publishing a Nextcloud Instance

    0 Votes
    6 Posts
    814 Views
    johnpoz
    @viragomann said in PLZ Help!!! Failing at Publishing a Nextcloud Instance: "The source address and port have to be 'any'" good catch - yeah that is wrong too for nat..
  • DuckDNS, NGINX and Home Assistant - Settings in PfSense?

    0 Votes
    2 Posts
    431 Views
    Happens to be a user-error! :shushing_face: A typo.
  • seeking advice on using "Enable automatic outbound NAT for Reflection"

    0 Votes
    10 Posts
    1k Views
    @SteveITS Yes, OK, I got it. It is no longer blocking everything else so the rule works, but the issue with my Android eludes me. Thanks for the very patient help.
  • CPU spike when updating NAT

    0 Votes
    1 Posts
    177 Views
    No one has replied
  • How to address multiple servers in DMZ from Internet and LAN

    0 Votes
    10 Posts
    2k Views
    @viragomann I'm having more than one DNS issue, not just mine. At the moment I preferred to do two things: move all my DNS back to the original ISP and install a new pfSense, testing it step by step with every change because now the only way to make it work is to have an "all open" rule, but this is not possible. I put this thread on stand-by and if necessary I open a new one for DNS. In the meantime, I thank you
  • Port Forwarding not working

    0 Votes
    6 Posts
    593 Views
    @mcury thank you, that fixed it
  • FTP connection error via filezilla

    0 Votes
    6 Posts
    713 Views
    johnpoz
    @twg Where are you trying to ftp from?? Where is the client? So this server is on say 192.168.0.100 behind pfsense.. And you out on the internet want to ftp to it.. So you forwarded 21 to your ProFTPD Server (ProFTPD) [192.168.0.122] on pfsense.. Did you forward the passive ports? You setup in proftpd to use? Did you setup proftpd to send your correct public IP? I connected to the IP you use to connect to the forums so I could see if ftp even answered. For passive to work, you also have to forward the ports the server will use for its passive ports.. I cannot get logged in to see what it sends. If you PM me an account that would work I could see what it's sending for the port, or try active where it would connect to my client. Is your server a Plesk? https://www.plesk.com/kb/support/how-to-configure-the-passive-ports-range-for-proftpd-on-a-plesk-server-behind-a-firewall/ It defaults to a really large passive range 49152-65535, I would for sure change that to something more like 100 ports or even just 10 if you don't have lots of clients at the same time.. Then you need to forward those ports on pfsense to I assume 192.168.0.122, without the passive ports being forwarded then no the data channel will never work when the client uses passive mode. Even if you told the client to use the IP you connected to when the server sends rfc1918 IP.
  • Unable to NAT an external ip to a gateway on another network

    0 Votes
    11 Posts
    1k Views
    @VincentEmmanuel The outbound NAT should not be required here. All traffic will be controlled by routes if pfSense is the default gateway in both networks. With the static route, when the DMZ server sends a packet to 172.16.1.3, it is routed to pfSense, since that's the default gateway. pfSense forwards it to the CATO due to the static route and the CATO forwards it to the destination host, since it knows the route to it (however, your graphic is missing 172.16.1.3, so I don't know how this is set up). Presupposed the CATO is the default gateway on 172.16.1.3, the response packet will be routed to it, and there it is forwarded to pfSense, since this is the default gateway on the CATO, as you said. pfSense has an existing state for the packet and will forward it to the DMZ server.
  • Redirecting outcoming traffic

    0 Votes
    29 Posts
    1k Views
    johnpoz
    @pedreter it is routed through pfsense is it not? If I look up in the internet routing.. for the IP on this server it ends up on the pfsense wan IP does it not? If the network is routed at the isp and you bridge this network to the servers.. I do not think the redirection via a port forward would work..
  • Trying to access Admin GUI via Tailscale

    0 Votes
    1 Posts
    170 Views
    No one has replied