• schedule with nat error

    nat rules multi-lan
    0 Votes
    2 Posts
    1k Views
    @alexhen You cannot schedule NAT rules. You have scheduled the associated firewall rules though, but even if these rules are disabled, the NAT rules are still active and do what they are meant to do, and the first one wins. Not really sure what you try to achieve with this idea. If you just have two internal servers listening on port 80, set up HAProxy. Doing so, you can also let HAProxy do the Let's Encrypt stuff. Also you can run a proxy on one of the backends themselves.
  • 0 Votes
    7 Posts
    1k Views
    @johnpoz Ahh I completely missed something last night in my half awake state. Ignore me all is fine now lol thanks for the assistance!!
  • Unable to access my ipv4 public address from private network

    0 Votes
    6 Posts
    1k Views
    Gertjan
    @uglyxiaodi18 I presume that you want to connect from a LAN device to another LAN device, or a device on another LAN (OPTx). Why do you think or need to do this using the WAN IP? Btw: for many users, the WAN IP can change very often ... I can access several local (LAN based) devices from my LAN, using a local device on the same LAN, or another LAN, all behind pfSense. When I'm on the road, I can use the exact same host name, and connect to my device just fine. Never had to use "Pure NAT" or something like that. True, a simple classic NAT rule is needed for my IPv4 devices, so I can connect when I'm on the road.
  • Problem with NAT to docker container

    0 Votes
    2 Posts
    778 Views
    @rsc The source ports in the NAT rules have to be "any". They are dynamic.
  • nat reflection..

    0 Votes
    3 Posts
    690 Views
    @keyser Thank you for the suggestion. I did not think about terminating the DOH on the router. I use HA in house, so again, thank you for that. I do not think that my chosen DOH application supports the proxy protocol.. But that is then a different problem.. HA would change the first.. Thank you.
  • Dual Lan Access Each Other

    0 Votes
    4 Posts
    813 Views
    @johnpoz said in Dual Lan Access Each Other: But if you want to access lan from lan2, then yeah you would need to allow rule, 445 tcp should do it.
  • Can't set a working NAT

    0 Votes
    2 Posts
    561 Views
    @xavier8854 The destination in the NAT rule has to be the WAN IP. Setting the same for destination and redirection makes no sense at all. Also ensure that in the WAN interface settings „block private networks“ is unchecked. On the router you have to forward the traffic to pfSense WAN address.
  • NAT Issuses

    0 Votes
    2 Posts
    589 Views
    johnpoz
    @vergil655 said in NAT Issuses: is there any solution to this problem ? What problem? Please show what you did, and your sniff showing that nat is still happening, etc. If I disable nat for an IP, and then sniff I can see it sending traffic without natting it. Here I created a no nat for my pc pinging 8.8.8.8 [image: 1665833756532-nonat.jpg] If I now sniff on my wan for 8.8.8.8 icmp I see this. And see from states that no nat was done as well. [image: 1665833929969-states.jpg]
  • UPnP Weirdness: Destiny2... A little help please.

    0 Votes
    2 Posts
    720 Views
    @mcraven Most likely that your ISP is using a private address to serve your system a CG-Nat IP. There is a known problem with the implemented version of miniupnp, that disallows the use of private IPs for UPnP on the WAN side. If you check your system logs, you should be able to find the error. Port forward manually or 1:1 NAT is a workaround for now.
  • VOIP Stun Server NO_TRAFFIC:SINGLE

    0 Votes
    3 Posts
    781 Views
    @kruglerd Do you mean by hardcode a 1:1 NAT? Currently I have forwarded all of the ports: 5060+5061 and RTP range from 31000:32000. I have tried it with a Fritzbox which forwards all the ports to the pfSense, and I have tried a modem and set up PPPoE on the pfSense. With both connection types I received the same error.
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • private network VM Unable to access public IP address

    0 Votes
    2 Posts
    607 Views
    @uglyxiaodi18 said in private network VM Unable to access public IP address: VM in private IP : 1.1.12.1 VM in private IP trying to access public ipv4 : 1.1.22.1 None of these IPs is private at all. However any VM in the private network is not able to access 128.199.117.134:80 If you want to access server, which the public IP is forwarded to, enable NAT reflection in the NAT rule. By default the NAT rule is only applied to the stated interface. NAT reflection applies it to the other interfaces as well.
  • Use public IP for pfsense thats behind a pfsense?

    0 Votes
    15 Posts
    1k Views
    @johnpoz Unfortunately no, but I ordered that mikrotik switch. Looking at compatible transceivers now as well. I'll be back on site before too long and can switch things over.
  • 0 Votes
    9 Posts
    1k Views
    @viragomann Thanks. I will try this ;)
  • Default static NAT for port 500 causes issues with iOS 16 and IPSec

    0 Votes
    1 Posts
    547 Views
    No one has replied
  • Seemingly Unusual Port Forwarding

    0 Votes
    3 Posts
    930 Views
    Outbound NAT was the key, thank you kindly. I added an Outbound NAT for the WAN interface, with the Source set to Network (172.16.81.x). Translation was set to Address = Interface Address.
  • forcing dns to pihole

    0 Votes
    11 Posts
    2k Views
    publictoiletbowl
    @johnpoz Hello sir, actually it was just an example when I quoted 30/8, but my actual IP settings belong to the RFC 1918 standard. I use 172.16.0.x for my pihole IP and at the moment it's working. I added rules from my office LAN destination to the pihole address. Anyway, thanks to you and someone's input, hearing about my concerns. Thanks.
  • One to One and Port Forwarding

    0 Votes
    8 Posts
    1k Views
    @steveits I think that's exactly what I was up against. This is a production machine, and I didn't want to experiment too much. I'll be installing the Netgate hardware during one of the upcoming long holiday weekends, and expect that will go well. pfSense has always been bulletproof. The hardware, on the other hand (my hardware, not Netgate's), has had occasional issues. Thanks again, Steve!! Peter
  • Assistance with internal Lab Setup

    0 Votes
    10 Posts
    1k Views
    @RobH-0 my apologies I have been away. Here are the screenshots [image: 1663878377390-wan.png] [image: 1663878377312-192.png] [image: 1663878377226-wan_rules.png] [image: 1663878381817-0lannet.png] [image: 1663878381733-10gib.png] [image: 1663878381648-lan_rules.png]
  • LAN TO WLAN with port

    0 Votes
    5 Posts
    801 Views
    @johnpoz Many thanks! That's perfect. Alain
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.