@johnpoz I understand the logic now.
I've added the rule yet, and it works as expected now.
23f9e7e3-9409-40cb-a081-1a46957a3096-image.png
Thanks a lot for your help and patience!

Hi Viragomann,

so full disclosure, I installed acme and have a cert then I changed the port on pfsense under Advanced => TCP port then went to dns resolver and used the acme cert for dns records and added the dns name to the IP to resolve the ip to dns name now when I type in the IP or dns it adds the port at the back so trying to remove that port number so it just shows the dns, I have haproxy working work with truenas scale and also a dns record to resolve the IP but this too adds the port number at the end, is there a way I can use the dns without the port number? setting in haproxy maybe? to redirect etc?

@andrew_cb Disabled monitoring, no effect on not passing traffic through NAT.

@ngr2001 Yes 2 PC's 2 different ports...

Being COD picked 3191 for external, wouldn't one need to increase their port scope range to what you have listed above?

You shouldn't have to... But I'd go ahead and start testing, that's the only way to know for sure. I think if you limit it to 3074-3076 in your ACL, you would see 3074 and one of the other being used instead...
You could even try and set one of them to 3074 and the other 3075 only, and see what happens...

@SteveITS said in Port Forward is Ignored:

There is also the “don’t block the world, allow your country” discussion which takes much less memory.

^Exactly - I use this method.. I only want US ips and currently Belgium (family living there using my plex) - so I just allow those in my port forwards and wan rules.. This by its very nature blocks all the other ones.. No reason to load up into the tables of bad countries IP of them, all need to load is the IPs that are US and Belgium.

@Gammon

I used this guide ones to route out traffic over to a VPN, from pfSense to a VPN ISP.

@CubedRoot
1:1 NAT of multiple IPs to a single backend IP cannot work at all.
1:1 means, that packets addressed to the external IP are forwarded to the internal IP AND outbound traffic from the internal IP is natted to the stated external IP.
While the first part might be possible, the second cannot be done. Which external IP should be used for outbound traffic of the single internal? The first, the second, both alternating?

You should rather configure port forwarding rules for both external IP.

If you also want to use these IPs for outbound traffic from the server set up an outbound NAT rule for it.
You can translate it to one of them or to both alternating by adding both to an alias and use it as translation address in round-robin mode.

@Gertjan thx for the explanation.
As the problem seems to be related to the php interpreter memory pool and the computer i'm testing on (2sockets - 2 cores of a i7-6700 with 6G of ram) seems pretty weak for the use case i'm trying to to implement.
I'm gonna try to see if a can do some test on the server the app will be deploy on.

For the firewall related rule, i meant an option in the php script as the goal is to aumotate all the LXC handling process.
It works in "pass" mode but i guess it would be better with a firewall rule ?

I will give a feedback after some tesing (if they let me play with the big toys :p )

@Bob-Dig Hmm, did you try to only reboot the TS VM? How did you set up network for the VM? Firewall on or off, any extra bridging or VLAN? I have had TeamSpeak running for years without one single problem. But even so, I run two servers on separate machines and use keepalived to manage the master/backup setting...

I see now that the other ports are optional, and it's only 9987 required for voice. And it's likely the same port for the chat function so I guess it's time to close the other two...

@marcg said in Should Port Forwards work with Interface Groups?:

default NAT reflection policy?

Disabled.

@marcg Good info. That makes sense then. It's essentially a DMZ passing through the external IP. Still not sure how both the att router and my pfSense passthrough can have the same IP but I'll chalk it up to magic.

In any case, I have it working great now. I can reach my iLO gui if for whatever reason the pfsense goes down, I can reboot or reconfigure it to get everything back up remotely.

@marcg I agree manipulation of any dns should be opt in for sure.. If I want you to filter stuff, or help with my typo's etc.. I would point to the IP specifically that you offer those services up on.

If you offer such service, I should be able to point to any other dns I wan't and your not going to mess with the traffic - shouldn't have to opt-out if not pointing to your dns that is for damn sure.

Default opt-in is rarely a good thing for anything.. No matter what services they are providing - the user should have to opt-in in some way if you ask me.

One of the pet peeves I have with doh - many of these browsers like to turn it on by default, which is not the way to go about it.. If its so good inform the users and they will enable it if they want too. If you turn it on by default - tells me its not so good of a thing.. Seems like to me your trying to sneak it in under the radar.

I resolved the issue but factory resetting the Netgate device and restoring the config.

Figured it out!!

It was a docker container problem. Docker container was set to use ipvlan, so changed to macvlan.

And changed host access to custom networks to enabled.

Now I can post from my docker container.

Ok.. now trying to figure out how to access emby from wan.

@Bob-Dig said in Bug outbound nat after upgrade in 24.11:

While I have encountered problems with the implementation in CE, I don't see those in Plus.

Maybe check or delete and recreate the aliases, they can make problems too.

Reply

thanks for the blog page
After reset/kill all state, the outbound nat is ok, after reboot, also ok

@idgeng said in 2100, telstra and tplink vr2800 in Australia:

TPLInk VR 2800 modem in bridged mode

It might be so that Telstra expects the MAC address of the TPLink device? And when you connect in bridge mode, it get's the MAC of pfsense instead.
Solution would be to spoof the MAC in pfsense... Go to Interfaces > WAN and enter the TPLink MAC address in this field, and click save:

80f63931-91b8-4d12-8c8b-c4b6b387fd9d-image.png

@Antibiotic Really? And how would any of those two things be related to your outgoing ports?

@johnpoz / @viragomann / @Gblenn Thanks for all your help. I set it up that way and it was much easier, worked right away. I appreciate the time you spent helping me out on this :)