@learn said in pfsense port forwarding/ WAN Default deny rule IPv4 (1000000103):

remote access with 3389 port if this helps!

No that doesn't help..

So setup a sniff on your pfsense wan for port 6060.. Packet capture under diag menu on pfsense. Now do the canyouseeme test.. Do you see the traffic in your sniff? If not then nothing you do on pfsense is going to get it to work.

Again pfsense can not forward traffic it never sees..

@siteunfold
In proxy mode, pfSense itself accesses the destination device. This overrides all other firewall rules.
But since you say, you already have allowed any, this might not be the reason. Possibly you have floating block rules?

@plypo Since your doing this rfc1918 to rfc1918 you could do it without a port forward because you don't need a nat. But you would need to create a route on the 192.168 device.

And then allow the traffic just on the wan interface via a rule, no nat or port forward needed.

And you would have to setup a no nat outbound rule so that when devices on your 10 network are talking to your 192. network they don't nat..

I would never in a million years set it up like this.. I would turn your isp device into just a modem, turn off its wifi and get a real AP for my local wifi. And put everything behind pfsense. Worse case just turn off wifi on your isp device and just double nat, etc.

But there are few different ways to skin this cat. One being your typical port forward scenario, the other is just setting up routes on your devices in 192.168 to point to pfsense wan IP to get to the 10 network. And allowing via wan firewall rules, and disable nat outbound on pfsense when talking to anything other than your 192.168.1.1 gateway.

@gertjan said in Port forwarding not working:

Also : check if the "web server device" is actually accepting connection from other addresses (networks) as its own network. It could accept connection coming from everybody on the 192.168.10.x/24 network, and nothing else.

This was the solution, thank you. Changing the "Wordpress Address (URL)" and "Site Address (URL)" fixed the problem.

@alexhen
You cannot schedule NAT rules.

You have scheduled the associated firewall rules though, but even if these rules are disabled, the NAT rules are still active and do what they meant to do and the first one wins.

Not really sure what to try to achieve with this idea. If you just have two internal servers listening on port 80 set up HAproxy. Doing so you can also let HAproxy do the lets encrypt stuff.
Also you can run a proxy on one of the backends themself.

@johnpoz Ahh I completley missed something last night in my half awake state. Ignore me all is fine now lol thanks for the assistance!!

@uglyxiaodi18

I presume that you want to connect from a LAN device to another LAN device, or a device on another LAN(OPTx).
Why do you think or need to do this using the WAN IP ??

Btw : for many users, the WAN IP can change very often ...

I can access several local (LAN based) devices from my LAN, using a local device on the same LAN, or another LAN, all behind pfSense.

When I'm on the road, I can use the exact same host name, and connect to my device just fine.

Never had to use "Pure NAT" or some like that.
True, a simple classic NAT rule is needed for my IPv4 devices, so I can connect when I'm on the road.

@rsc
The source ports in the NAT rules have to be "any". They are dynamic.

@keyser

Thank you for the suggestion.

I did not think about terminating the DOH on the router.

I use HA in house, so again, thank you for that. I do not think that my chosen DOH application supports the proxy protocol..

But that is then a different problem.. HA would change the first..

Thank you.

@johnpoz said in Dual Lan Access Each Other:

But if you want to access lan from lan2, then yeah you would need to allow rule, 445 tcp should do it.

@xavier8854
The destination in the NAT rule has to be the WAN IP.
Setting the same for destination and redirection makes no sense at all.

Also ensure that in the WAN interface settings „block private networks“ is unchecked.

On the router you have to forward the traffic to pfSense WAN address.

@vergil655 said in NAT Issuses:

is there any solution to this problem ?

What problem? Please show what you did, and your sniff showing that nat is still happening, etc.

If I disable nat for an IP, and then sniff I can see it sending traffic without natting it. Here I created a no nat for my pc pinging 8.8.8.8

nonat.jpg

If I now sniff on my wan for 8.8.8.8 icmp I see this. And see from states that no nat was done as well.

states.jpg

@mcraven Most likely that your ISP is using a private address to serve your system a CG-Nat IP. There is a known problem with the implemented version of miniupnp, that disallows the use of private ip's for upnp on the wan side. If you check your system logs, you should be able to find the error.

Port forward manually or 1:1 Nat is a work around for now.

@kruglerd Do you mean by hardcode a 1:1 NAT?

Currently I have forwarded all of the ports: 5060+5061 and RTP range from 31000:32000

I have tried it with a fritzbox which forwards all the ports to the pfsense and I have tried a modem and setup pppoe on the pfsense. Both connections type I received the same error

@uglyxiaodi18 said in private network VM Unable to access public IP address:

VM in private IP : 1.1.12.1
VM in private IP trying to access public ipv4 : 1.1.22.1

None of these IPs is private at all.

However any VM in the private network is not able to access 128.199.117.134:80

If you want to access server, which the public IP is forwarded to, enable NAT reflection in the NAT rule.

By default the NAT rule is only applied to the stated interface. NAT reflection applies it to the other interfaces as well.

@johnpoz Unfortunately no, but I ordered that mikrotik switch. Looking at compatible transceivers now as well. I'll be back on site before too long and can switch things over.

@viragomann Thanks. I will try this ;)

Outbound NAT was the key, thank you kindly.

I added an Outbound NAT for the WAN interface, with the Source set to Network (172.16.81.x). Translation was set to Address = Interface Address.