@Robovic I am having the same issue

@Abelardo-A-M said in PFSENSE + IPSEC + NAT: NAT+IPsec cannot be configured between two different sized subnets (e.g. It cannot NAT a /24 subnet to a /27 subnet). That's true. I was expecting that the NAT subnet is used as a round robin IP pool. Maybe you want to try it out. Otherwise you have to use a single address out of 172.19.0.0/24. if I remove the pfSense IPs on the 172.19.0.0/24 network, how does the 172.19.0.50 server route the packets to the IPSEC networks? If you use BINAT with a single address, maybe you can keep the subnet. Not sure. Give it a try.

@viragomann thanks a lot it works!

@gertjan Hello, I was able to resolve the issue The port traffic was OK as I was able to telnet to a website using port 80 The issue was related to Apache24 configured to localhost I had to reimage another server and installed NGINX and set the config file details to WWW. After doing this I am now able to connect to my serving using an external ISP. Thank you everyone for your response!

@matt_sharpe NAT rules will automatically create a firewall rule for you unless you tell it not to when creating the rule. You should not need to add any rules on WAN unless you want your firewall to be accessible from the Internet. I can't say I've tried forwarding all ports in a NAT rule though I don't know of a reason it won't work. I have used 1:1 NAT to do that though. Ensure the firewall on the device on LAN allows connections from outside its local subnet.

Thank you. Now the connection works. It was still missing the outbound NAT for Reflection. I have to test the telephony now. ;-)

@mirak So I would look if there is any setting needed to allow forwarding in the hypervisor.

@sirioinformatica This is a sort of proxying and it forward certain requests to another server. I suspect, it is forwarding the requests with the origin source IP and the destination server is responding directly to it. If you're unsure check this out with Diagnostic > Packet Capture. If this is the case, pfSense will not pass the respond through, since it has no state for the responding server.

@deekayw0n I have not. Please feel free, or let me know if you'd like me to.

@viragomann Yes, both connections use the same path through the firewall. I can see the websites when I use the internal ip address of the respected WordPress container. Yes, all LXC and VM are in the same subnet. How can I tell in which mode the Nginx proxy manager is running? (I have installed the Nginx in a VM and it's running in a docker container.

@kubenaab This is your best bet but it doesn't work in 2.6 https://redmine.pfsense.org/issues/10818 https://github.com/marjohn56/udpbroadcastrelay

@tkolaski Vague guess, maybe something in the outbound NAT? 1:1 should define its own outbound NAT rules so you shouldn't need to set up anything in outbound NAT. Could anything else on the WAN side of pfSense be using that IP?

@cyberconsultants said in block external requests via NAT — destination address "!LAN address" vs. "!This Firewall (self)": the documentation guide says to use "!LAN address" as the destination address. any reason/s, for security or otherwise, to use or not to use "!This Firewall (self)" instead? Not that I can think of for this purpose. If you provide the DNS server by the pfSense DHCP it will use the interface IP with default settings. So basically no client might access any other pfSense IP, but it would be possible of course. I redirect all DNS and NTP requests on all my internal interfaces to my LAN address for instance. But "This Firewall" should also fit for natting DNS.

@termal71 Ensure any firewall on the 56.5 server allows connections from the 58.x network. This post talks about and outbound NAT rule https://forum.netgate.com/topic/179251/port-forwarding-on-lan-interface/6 but I think that's just to get around the server only listening on its own network. Edit: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

@airone-0 said in pfSense and NAS port opening: Do you have an answer? We already went over that answer - if your not asking the dns where you setup the override, then no your override wouldn't work.. If I ask billy for john's phone number, and billy doesn't even know a john how would he know john's phone number.. Not sure what your pc is asking, 192.168.0.1 - is that pfsense?? If so then it should resolve the PTR for the server name, and not come back unknown.. As to that first example - that is just asking itself, ie lookback 127.0.0.1, where it actually gets forwarded you would have to check on wherever system that was - your nas?

Thank you Viragomann, It worked -- though I did have to make a few unexpected tweaks (this is very likely due to my very incomplete understanding of what's actually going on here). For posterity, my settings are below: Port Forwarding Rule: interface: LAN2 (which is where my pcoip device lives) protocol: TCP/UDP source: any dest IP: 1.1.1.1 dest port: 4172 target IP: NetworkA IP target port: 6666 Outbound NAT Rule: interface: WAN source: any dest NETWORK: [upstream subnet ] dest port: [no such parm for the network] translation: interface address My current setup is: isp modem -> udm pro -> pfsense -> pcoip zero client Thank you again for taking the time -- there is soooo much to learn! Best, G

Thanks for the help guys. I have fixed it by setting up a port forwarding for my external IP VPN wasn't possible because I have not set up 1 for them. I'll use it for the meantime while I'm studying how to set up vpn