• One to One and Port Forwarding

    8
    0 Votes
    8 Posts
    973 Views
    F

    @steveits

    I think that's exactly what I was up against. This is a production machine, and I didn't want to experiment too much.

    I'll be installing the Netgate hardware during one of the upcoming long holiday weekends, and expect that will go well. pfSense has always been bulletproof. The hardware, on the other hand (my hardware, not Netgate's), has had occasional issues.

    Thanks again, Steve!!

    Peter

  • Assistance with internal Lab Setup

    10
    0 Votes
    10 Posts
    821 Views
    F

    @RobH-0 my apologies I have been away. Here are the screenshots

    WAN.png 192.png WAN_Rules.png 0Lannet.png 10GiB.png LAN_Rules.png

  • LAN TO WLAN with port

    5
    0 Votes
    5 Posts
    694 Views
    L

    @johnpoz Many thanks! That's perfect.
    Alain

  • Google Fiber Business with /29 public ip block

    3
    0 Votes
    3 Posts
    1k Views
    C

    @steveits Figured it out. The lan is the "wan" of the Unifi gateway device that runs the internal network. NAT was enabled there so everything coming to the pfsense lan was natt'ed... disabled that NAT and everything started working.

  • NAT broken after upgrade to 22.01 or 22.05

    1
    0 Votes
    1 Posts
    378 Views
    No one has replied
  • 0 Votes
    9 Posts
    835 Views
    C

    @viragomann aaaaaah ... that could be the prob ... sure there are routes pushed by the openVPN server and they are already listed in the routing table of our pfsense (pfsense indeed is the openVPN client in this case) ... so I will click that "don't pull routes" then probably reconnect if it's not done on its own ...

    so now the tunnel_destinations don't appear in the routing table anymore and ALL clients will go via default WAN to those ips ...

    then I've added a rule to LAN which again put in the 2 conditions allowed_hosts and tunnel_destinations using vpn interface

    et voila ... seems to work =)

    thanks @viragomann & @Bob-Dig

  • DNS Resolver - host overrides

    4
    0 Votes
    4 Posts
    647 Views
    K

    @steveits That was it, I forgot to add the www one. Thanks mate, truly saved me a lot of hassle.

  • Outbound NAT Pool for Carp

    4
    0 Votes
    4 Posts
    621 Views
    V

    @wherewolf
    Virtual IPs and Aliases are basically different things altogether.

    Virtual IPs can be assigned to interfaces as additional IPs. In your case type "IP alias" is the best to use here, but others would also be possible, e.g. CARP.
    If they are not CARP themselves, they have to be hooked up to the primary CARP VIP for the failover to work.

    An alias of type IP in this case is an independent array of IP addresses. It doesn't matter whether these are assigned to an interface or not. They can be used in firewall or NAT rules.

  • Vicidial With Webrtc behind pfsense

    1
    0 Votes
    1 Posts
    283 Views
    No one has replied
  • Port Forward LAN to WAN

    13
    0 Votes
    13 Posts
    2k Views
    P

    How many clients in the 172.16.81 network need to access the 10.1/16 ? If it's not many, why not just use a static route for them, and they connect using the real destination IP.

  • pfsense and Synology port forwarding

    16
    0 Votes
    16 Posts
    5k Views
    GertjanG

    @georgelza said in pfsense and Synology port forwarding:

    below a block all.

    Normally, that's a good thing, placing a final block all rule on WAN.

    But that rule won't be the final rule, there is another one, hidden, on every interface, and it blocks everything.

    When you create a NAT rule, and you have your own homemade block all rule on WAN, then you need to reorder the auto created firewall rule on WAN above your own block rule. Otherwise, your NAT rule might be perfect, but .... it will not work for 'some' reason.
    I know, as the same thing happened to me while preparing the NAT demo for you yesterday ;)
    ( I actually ditched my final block-all rule on LAN so it won't happen again if I have to create a NAT rule )

  • Simple NAT not working

    9
    0 Votes
    9 Posts
    879 Views
    P

    System>Advanced>Firewall & NAT
    Firewall Maximum Table Entries=10000000
    Firewall Maximum States=300000
    pfBlocker no longer preventing completion of Filter Reload

  • How to forward calls/Nat from one vlan to another?

    3
    0 Votes
    3 Posts
    621 Views
    D

    @steveits said in How to forward calls/Nat from one vlan to another?:

    outbound NAT rule for the VLAN interface.
    https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#working-with-manual-outb

    Will give that a try. I set up an outbound NAT once, but I could not get it to work. Could have been something about the way I set it up, as I am still learning pfsense. Thanks.

  • Need help configuring PfSense on Protecli Vault

    17
    0 Votes
    17 Posts
    1k Views
    F

    @gertjan Hi, so actually, the author of this book has some custom scripts on his website. This is to make the process easier for configuring the firewall.

    So I went ahead and uploaded a custom script with all the settings I need.

    However, my issue now is that the "status" of "OpenVPN" is never showing as "up". It is either "pending" or "down" or "failed". See Screen Shot 2022-09-05 at 11.38.37 AM.png :

    Part of the additional instructions is to designate a custom server IP address from my ProtonVPN service. Basically you choose a server from a list on ProtonVPN's site, and then download a file. I was instructed to open it in a text editor and identify the IP address and manually enter it. That way all my internet traffic is being routed through that specific server.

    However, in the file it looks like this: Screen Shot 2022-09-05 at 11.29.19 AM.png

    If I enter any of those full IP addresses, it gives an error, saying it's not a valid address. When I use the root address 156.146.54.97, it will accept it. So I'm not sure if that is correct or not.

    In the end, my status on OpenVPN is not showing "up" and that's the end goal according to my instructions.

    Any ideas?

  • Port forward 44158

    3
    0 Votes
    3 Posts
    480 Views
    O

    System > Advanced > Firewall & NAT

    "NAT Reflection mode for port forwards" > Set it to "Pure NAT"
    Enable NAT Reflection for 1:1 NAT > YES
    Enable automatic outbound NAT for Reflection > YES

    Then you can access the Service with external IP also from LAN

  • Question on NAT IPv6 NPt

    1
    0 Votes
    1 Posts
    299 Views
    No one has replied
  • Extremely Slow Download Speed with pfSense VM

    3
    0 Votes
    3 Posts
    547 Views
    F

    @bob-dig Thank you! I replaced the pfsense 2.6.0 VM with a new one running pfsense 2.5.2 and the internet speed is blistering fast now.

  • Help me to understand NAT configuration (1:1 & Outbound + PortForward?)

    4
    0 Votes
    4 Posts
    837 Views
    S

    @eeebbune 1:1 NAT forwards all ports.

    If you are trying to get to your server from LAN using the public IP address, you'll still need Reflection enabled (see "Enable NAT Reflection for 1:1 NAT"). I would get it working from outside first, then worry about the LAN.

    BTW, for 1:1 NAT you don't need to configure Outbound NAT.
    https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
    "All traffic originating from that private IP address going to the Internet through the interface selected on the 1:1 NAT entry will be mapped by 1:1 NAT to the public IP address defined in the entry, overriding the Outbound NAT configuration."

    @eeebbune said in Help me to understand NAT configuration (1:1 & Outbound + PortForward?):

    allow any to server IP with all port rules to both WAN/LAN rule tabs

    If I'm reading that correctly and you've allowed all traffic to the server on WAN, when using 1:1 NAT that includes all ports, so SSH, HTTP, SMTP, FTP, NetBIOS, remote connections, etc., etc. I would really recommend against that and only allow the necessary traffic. See https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#risks-of-1-1-nat

  • PFSense Loopback hmailserver

    3
    0 Votes
    3 Posts
    585 Views
    G

    @bob-dig Thank you so much, That solved it.

  • HP T740 setup

    1
    0 Votes
    1 Posts
    285 Views
    No one has replied