@msibyte https://docs.netgate.com/pfsense/en/latest/nat/reflection.html "NAT reflection refers to the ability to access external services from the internal network using the external (usually public) IP address, the same as if the client were on the Internet." NAT + Proxy is one method to do this. It has nothing to do with access from the Internet, that is just plain old NAT.

@urbnsr And no real reason for a vip with a reverse proxy, just have it listen on the IP of pfsense on that vlan on port X, and backend is your destination be that the same port X or a different port, etc.

@johnpoz figured it out. It was as stupid thing I did to try to remember the public IPs I had given the virtual networks. I set them up as virtual IPs and labeled them Do Not Use thinking it would just be a place holder that would not matter unless I created a NAT policy with them. But, apparently it does matter. After I deleted those virtual IPs, all traffic came back and web access resumed. I'm an idiot. Thanks for your assistance!

Nevermind, I've worked out what's going on. That firewall rule is catching all dns traffic not just the redirected traffic. It had me confused for a while!

@viragomann Perfect, thank you!

The answer is yes and no. No: If you only have 1 public IP address because your OpenVPN will be on the same Public IP as your assets such as a webserver. Yes: If you have 2 Public IPs and the assets you are trying to access are not on the same public IP as your OpenVPN server.

@johnpoz Thanks for the answers.

Thanks Steve! Finally got the right option. Had to use NAT + Proxy.

Hi, it is a typo on the graphic, i need to translate users IP 192.168.231.0/24 into 10.33.25.0/24 on the global architecture, i use a different gateway to route users. on the vlan created and used to connect pfSense WAN and Meraki, i was able to mention that i would use a different gateway in my interface i.e. Meraki (i use Unifi devices). Is there route back pointing to 172.30.10.4 on the customer network for the subnet you want use for translation? not for the moment

@dbmadmin This might be the issue : "cobine 2 wans". As I have a pfSense, a (one) WAN, default setup, using DHCP and a LAN, default setup, 192.168.1.1/24 - also all default with default DHCP server setup. I've also a access point, living on LAN (192.168.1.2/24 - gateway 192.168.1.1) and I have a Phone and Whatssapp. Nothing else it needed : the Whatssapp app can go 'out' and connect to needed servers. I have also an upstream ISP router, no setting changes needed.

Bump.

@gblenn I am very grateful for your assistance. I will take your suggestion and advise and see how I can turn this around. Thank you very much for your time

@steveits I found the problem. Though the screens said to not use redirection, that is what I actually needed to do. It was a simple fix, once I realized the screen instructions were at best misleading. It all works now. Here's what it looks like. [image: 1678285064257-fixed.png]

@viragomann Just wanted to let you know I was able to get this done. I remember a long time ago a list of aliases would show up in some of the fields (since I am using the GUI). I modified the alias to be hosts and that worked when I added the alias as the destination in the Outbound NAT rule. Thank you for your input.

@dharvey242 glad you got is sorted..

@munchie If you do SNAT on packets, which are going to a device, it sees only the NAT IP, nothing else. If you want to see the origin clients IP remove the SNAT rule and set pfSense as default gateway on the web server.

@landomix no it should have an open state for the reply. Presumably the gateway on the server is the pfSense because it works on the other port. You could check states and/or a packet capture on LAN… Have you tried a different alt port? It shouldn’t care but…