@sirioinformatica This is a sort of proxying and it forward certain requests to another server. I suspect, it is forwarding the requests with the origin source IP and the destination server is responding directly to it. If you're unsure check this out with Diagnostic > Packet Capture. If this is the case, pfSense will not pass the respond through, since it has no state for the responding server.

@deekayw0n I have not. Please feel free, or let me know if you'd like me to.

@viragomann Yes, both connections use the same path through the firewall. I can see the websites when I use the internal ip address of the respected WordPress container. Yes, all LXC and VM are in the same subnet. How can I tell in which mode the Nginx proxy manager is running? (I have installed the Nginx in a VM and it's running in a docker container.

@kubenaab This is your best bet but it doesn't work in 2.6 https://redmine.pfsense.org/issues/10818 https://github.com/marjohn56/udpbroadcastrelay

@tkolaski Vague guess, maybe something in the outbound NAT? 1:1 should define its own outbound NAT rules so you shouldn't need to set up anything in outbound NAT. Could anything else on the WAN side of pfSense be using that IP?

@cyberconsultants said in block external requests via NAT — destination address "!LAN address" vs. "!This Firewall (self)": the documentation guide says to use "!LAN address" as the destination address. any reason/s, for security or otherwise, to use or not to use "!This Firewall (self)" instead? Not that I can think of for this purpose. If you provide the DNS server by the pfSense DHCP it will use the interface IP with default settings. So basically no client might access any other pfSense IP, but it would be possible of course. I redirect all DNS and NTP requests on all my internal interfaces to my LAN address for instance. But "This Firewall" should also fit for natting DNS.

@termal71 Ensure any firewall on the 56.5 server allows connections from the 58.x network. This post talks about and outbound NAT rule https://forum.netgate.com/topic/179251/port-forwarding-on-lan-interface/6 but I think that's just to get around the server only listening on its own network. Edit: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

@airone-0 said in pfSense and NAS port opening: Do you have an answer? We already went over that answer - if your not asking the dns where you setup the override, then no your override wouldn't work.. If I ask billy for john's phone number, and billy doesn't even know a john how would he know john's phone number.. Not sure what your pc is asking, 192.168.0.1 - is that pfsense?? If so then it should resolve the PTR for the server name, and not come back unknown.. As to that first example - that is just asking itself, ie lookback 127.0.0.1, where it actually gets forwarded you would have to check on wherever system that was - your nas?

Thank you Viragomann, It worked -- though I did have to make a few unexpected tweaks (this is very likely due to my very incomplete understanding of what's actually going on here). For posterity, my settings are below: Port Forwarding Rule: interface: LAN2 (which is where my pcoip device lives) protocol: TCP/UDP source: any dest IP: 1.1.1.1 dest port: 4172 target IP: NetworkA IP target port: 6666 Outbound NAT Rule: interface: WAN source: any dest NETWORK: [upstream subnet ] dest port: [no such parm for the network] translation: interface address My current setup is: isp modem -> udm pro -> pfsense -> pcoip zero client Thank you again for taking the time -- there is soooo much to learn! Best, G

Thanks for the help guys. I have fixed it by setting up a port forwarding for my external IP VPN wasn't possible because I have not set up 1 for them. I'll use it for the meantime while I'm studying how to set up vpn

@jordanet Why not setting up the VPN part at the AVM FB and then you may be securing your entire LAN behind the AVM with the pfSense? OPNVPN, WireGuard and IPSec are all on board as today (if your Fritz!OS is fresh enough!) You connect the AVM FB to the other VPN end, set up at the AVM FB site also; Able to open Ports by itself (for the pfSense) Give that device even the same IP address Or set up an static IP address at the pfSense You should set up at the pfSense site now; WAN set up uncheck the private IPs blocking All should be fine for you now. If there is an NAS, server or other devices that must be reached from the outside (Internet) and also from your LAN it is the best to set them between the AVM FB and the pfSense (real DMZ). It is common, you can VPN to the AVM and use also the APPs from them and on top you may be able to use the My!Fritz service from AVM and by side your LAN is secured anyway by the pfSense.

@bvohwk said in WAN(local network) to lan pfsense: Also a rule is made on the wan to allow wan net to any This is not needed for the NAT rule to work, and it will allow any device in the WAN network to connect to the pfSense web GUI (and DNS, and SSH if enabled). On an Internal network that may not be so bad but if WAN was a public IP address I would strongly advise against it.

@viragomann Thank you for the guidance. I couldn't add a ph2 because the other end wouldn't connect, but I was able to configure the local as 10.0.0.0/8 and that covers everything we need. The port forward ended up working for 1433 and it went through ! Thank you for your help!

@stgeorge said in FTP Server outbound?: 10 port range of data ports Are those the 10 ports specified in your FTP server? Check your logs - there will be blocked traffic calls. I have my own PureFTPd server set up with a hard-set range of ports for transfers and those are blessed in the firewall and it works flawlessly.

@issa2023 and so did you sniff on pfsense to actually make sure that traffic to 32400 got to its wan, so it could forward it.. This is step 1 in trying to figure out what your doing wrong in a port forward - if the traffic never gets to pfsense wan, pfsense can not forward something it never sees. On your nat device in front of pfsense, you forwarded 32400 to pfsense wan IP that 25.20 address?

@bvohwk I assume, you have a single WAN IP on pfSense and want to pass access to Proxmox through. So simply add a NAT port forwarding rule to WAN. State the WAN address as destination and 8006 as port. At redirect target enter 10.10.10.100 and port 8006. Let pfSense create an associated filter rule. Additionally you need to disable "Block private networks" in the WAN interface settings to allow access from the WAN net. You can also assign an additional virtual IP (Firewall > virtual IPs, type = IP alias) to the WAN for this purpose if you want. However, if your WAN is exposed to the internet, I recommend to use a VPN to access Proxmox instead.

@santammapr Do you want to go over NAT or do you want to simply access devices behind pfSsense? Basically there is no reason to go over NAT, but if you want to go this way you might have to assign proper IPs to pfSense WAN. Simply doing NAT 1:1 without assigning IPs would only work if the traffic is routed to pfSense WAN address. I assume, that's not the case. Anyway if the network on WAN side is a private one as I suspect, you have to disable the blocking of private networks in the WAN interface settings and add proper firewall rules to the WAN to allow the desired access.

@santammapr see https://forum.netgate.com/topic/178996/solved-nat-1-1-for-whole-network-not-available-after-version-2-4-5/2