@dharvey242 glad you got is sorted..

@munchie
If you do SNAT on packets, which are going to a device, it sees only the NAT IP, nothing else.

If you want to see the origin clients IP remove the SNAT rule and set pfSense as default gateway on the web server.

@landomix no it should have an open state for the reply. Presumably the gateway on the server is the pfSense because it works on the other port.
You could check states and/or a packet capture on LAN…
Have you tried a different alt port? It shouldn’t care but…

@viragomann Thanks. It works now.
My mistake is that on Client B, i restricted the source to the VPN tunnel address. Since this is NAT i guess its really just a pass thru and setting the source to any fixed all the issues.

Thank you very much for the help and the patience. Cheers!

@viragomann said in LAN access from VPN:

This replaces the source address with pfSense LAN address, so it's inside the subnet. Maybe this works.

It does work! Thank you very much!

@steveits said in Working in a local network with ports that are forwarded by NAT ?:

@supervisor3000 The top would allow port 53 to the LAN IP. The bottom allows 53 to any IP on the firewall, including the WAN IP or other interfaces. Presumably whatever is making DNS queries is now not using the LAN IP?

Reflection on a given NAT rule doesn't change anything on how other rules are processed.

Of course, all LAN users continue to use the LAN IP as their gateway.
That's why I'm surprised that another rule was needed after the reflection!

@saqqara said in Limiting WAN access by ip question:

https://www.yougetsignal.com/tools/open-ports/

Thank You..... that's what I was hoping...as it would be pointless to do this otherwise but I wanted to be sure... thanks for the url

i wound up setting two outbound nat rules.

found it in this thread jsut modified the rules for our vendor which is flowroute.

https://community.freepbx.org/t/pfsense-firewall-settings-for-sipstation/86702

On the Outbound NAT specify a rule for the WAN interface allowing the PBX via UDP out to Destination (SIP trunk IPs) on Destination Port 5060-5061, NAT address = WAN address, NAT PORT = any, STATIC NAT checked

THEN make another rule for Outbound NAT for the WAN interface allowing the PBX via UDP out to Destination = any, Destination Port = any, NAT address = WAN address, NAT PORT = any, STATIC NAT checked

@viragomann Bruh, I disabled squid and the firewall rules worked normally.

Thank you very much friend you helped me. have a great day !

"PPTP is dead": https://forum.netgate.com/topic/150260/vpn-pptp-connection-through-pfsense

-Rico

@owlbear
Which type of VPN is it?

@enicolau I was able to solve it by using bitnat in the config, such that point b does the nat of c for a

@jasonharper Could you send me an example print please?

@darkmatter5 yeah 20.x is a horrible choice for a network on your local network be it docker or not..

Use another 10/24 network that doesn't overlap with your current network, or use other rfc1918 space other than 10, 172.16/12 or 192.168/16 has plenty of space to be used.

How exactly do you have your docker setup, normally dockers get natted to the hosts IP. If you setup non natted network for your dockers, this network would need to be viable on the actual network its connected to. This would need to be just another L3 running on the same L2, or a vlan.. With a vlan being a better choice..

@shaz1300 said in Need some help with a NAT config:

Follow up on this, there is an extra rule that needs doing that will force any outbound traffic from the device on the IP192.168.1.1 that goes out of the WAN on the firewall to be NATed to have the same x.x.x.30/29 address as was forwarded to it inbound.
I am correct in thinking this is an outbound NAT rule on Hybrid mode and setting the interface as the WAN, the source as the subnet the device is on, in this case 192.168.1.0/24, the destination as any and the NAT address as x.x.x.30?

Yes. You didn't mention before.
You can do this with an outbound NAT rule.
If you want it to be applied to the single IP only you can specify this with a /32 mask.

However, best practice instead of adding an inbound and an outbound NAT rule is setting a 1:1 rule on WAN. This does both in one.
However, it doesn't allow any traffic. For passing inbound traffic you will have to add a firewall rule to WAN and use the internal IP of your device as destination.

@steveits thanks Steve but I was wrong, or more likely misread and understood Netgate's usecase for reflection, well all would work until there's some filtering going on the destination host, which is the case with my scenario

Anyhow the issue is resolved with the assistance of reddit

To sum it up if anybody else comes with similar scenario:

Old checkpoint fw is bound neither to interfaces or direction, only source and destination, for all the rules, firewall and nat, so just 1:1 NAT on checkpoint did everything regardless of interfaces.

When i fully realized that and tsg-tsg mentioning 1:1 i added 1:1 on the specified VLAN interface and that’s it, and no reflection after that since that would again NAT everything to pfSense VLAN interface IP and stopped at dns01 named.conf because of allowed transfer hosts

anyhow this is pfctl exact rules
binat on bce3.40 inet from 10.5.0.11 to 10.5.0.12 → 112.82.112.164
binat on bce3.40 inet from 10.5.0.12 to 10.5.0.11 → 112.82.112.165