• Google Fiber Business with /29 public ip block

    0 Votes
    3 Posts
    2k Views
    C
    @steveits Figured it out. The lan is the "wan" of the Unifi gateway device that runs the internal network. NAT was enabled there so everything coming to the pfsense lan was natt'ed... disabled that NAT and everything started working.
  • NAT broken after upgrade to 22.01 or 22.05

    0 Votes
    1 Posts
    420 Views
    No one has replied
  • 0 Votes
    9 Posts
    1k Views
    C
    @viragomann aaaaaah ... that could be the prob ... sure there are routes pushed by the openVPN server and they are already listed in the routing table of our pfsense (pfsense indeed is the openVPN client in this case) ... so I will click that "don't pull routes" then probably reconnect if it's not done by its own ... so now the tunnel_destinations don't appear in the routing table anymore and ALL clients will go via default WAN to those ips ... then I've added a rule to LAN which again put in the 2 conditions allowed_hosts and tunnel_destinations using vpn interface et voila ... seems to work =) thanks @viragomann & @Bob-Dig
  • DNS Resolver - host overrides

    0 Votes
    4 Posts
    743 Views
    K
    @steveits That was it, I forgot to add the www one. Thanks mate, truly saved me a lot of hassle.
  • Outbound NAT Pool for Carp

    0 Votes
    4 Posts
    708 Views
    V
    @wherewolf Virtual IPs and Aliases are basically different things. Virtual IPs can be assigned to interfaces as additional IPs. In your case type "IP alias" is the best to use here, but others would also be possible, e.g. CARP. If they are not CARP themselves, they have to be hooked up on the primary CARP VIP for the failover to work. Aliases of type IP in this case are an independent array of IP addresses. It doesn't matter if these are assigned to an interface or not. They can be used in firewall or NAT rules.
  • Vicidial With Webrtc behind pfsense

    0 Votes
    1 Posts
    314 Views
    No one has replied
  • Port Forward LAN to WAN

    0 Votes
    13 Posts
    2k Views
    P
    How many clients in the 172.16.81 network need to access the 10.1/16 ? If it's not many, why not just use a static route for them, and they connect using the real destination IP.
  • pfsense and Synology port forwarding

    0 Votes
    16 Posts
    6k Views
    GertjanG
    @georgelza said in pfsense and Synology port forwarding: below a block all. Normally, that's a good thing, placing a final block all rule on WAN. But that rule won't be the final rule, there is another one, hidden, on every interface, and it blocks everything. When you create a NAT rule, and you have your own home-made block all rule on WAN, then you need to reorder the auto-created firewall rule on WAN above your own block rule. Otherwise, your NAT rule might be perfect, but .... it will not work for 'some' reason. I know, as the same thing happened to me while preparing the NAT demo for you yesterday ;) (I actually ditched my final block-all rule on LAN so it won't happen again if I have to create a NAT rule)
  • Simple NAT not working

    0 Votes
    9 Posts
    1k Views
    P
    System > Advanced > Firewall & NAT: Firewall Maximum Table Entries=10000000, Firewall Maximum States=300000. pfBlocker no longer preventing completion of Filter Reload
  • How to forward calls/Nat from one vlan to another?

    0 Votes
    3 Posts
    705 Views
    D
    @steveits said in How to forward calls/Nat from one vlan to another?: outbound NAT rule for the VLAN interface. https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#working-with-manual-outb Will give that a try. I set up an outbound NAT once, but I could not get it to work. Could have been something about the way I set it up, as I am still learning pfsense. Thanks.
  • Need help configuring PfSense on Protecli Vault

    0 Votes
    17 Posts
    2k Views
    F
    @gertjan Hi so actually, the author of this book has some custom scripts on his website. This is to make the process easier for configuring the firewall. So I went ahead and uploaded a custom script with all the settings I need. However, my issue now is that the "status" of "OpenVPN" is never showing as "up". It is either "pending" or "down" or "failed". See [image: 1662403156961-screen-shot-2022-09-05-at-11.38.37-am.png]: Part of the additional instructions is to designate a custom server IP address from my ProtonVPN service. Basically you choose a server from a list on ProtonVPN's site, and then download a file. I was instructed to open it in a text editor and identify the IP address and manually enter it. That way all my internet traffic is being routed through that specific server. However, the file looks like this: [image: 1662402575356-screen-shot-2022-09-05-at-11.29.19-am.png] If I enter any of those full IP addresses, it gives an error, saying it's not a valid address. When I use the root address 156.146.54.97, it will accept it. So I'm not sure if that is correct or not. In the end, my status on OpenVPN is not showing "up" and that's the end goal according to my instructions. Any ideas?
  • Port forward 44158

    0 Votes
    3 Posts
    529 Views
    O
    System > Advanced > Firewall & NAT: "NAT Reflection mode for port forwards" > Set it to "Pure NAT"; Enable NAT Reflection for 1:1 NAT > YES; Enable automatic outbound NAT for Reflection > YES. Then you can access the Service with external IP also from LAN
  • Question on NAT IPv6 NPt

    0 Votes
    1 Posts
    340 Views
    No one has replied
  • Extremely Slow Download Speed with pfSense VM

    0 Votes
    3 Posts
    651 Views
    F
    @bob-dig Thank you! I replaced the pfsense 2.6.0 VM with a new one running pfsense 2.5.2 and the internet speed is blistering fast now.
  • 0 Votes
    4 Posts
    1k Views
    S
    @eeebbune 1:1 NAT forwards all ports. If you are trying to get to your server from LAN using the public IP address, you'll still need Reflection enabled (see "Enable NAT Reflection for 1:1 NAT"). I would get it working from outside first, then worry about the LAN. BTW, for 1:1 NAT you don't need to configure Outbound NAT. https://docs.netgate.com/pfsense/en/latest/nat/1-1.html "All traffic originating from that private IP address going to the Internet through the interface selected on the 1:1 NAT entry will be mapped by 1:1 NAT to the public IP address defined in the entry, overriding the Outbound NAT configuration." @eeebbune said in Help me to understand NAT configuration (1:1 & Outbound + PortForward?): allow any to server IP with all port rules to both WAN/LAN rule tabs If I'm reading that correctly and you've allowed all traffic to the server on WAN, when using 1:1 NAT that includes all ports, so SSH, HTTP, SMTP, FTP, NetBIOS, remote connections, etc., etc. I would really recommend against that and only allow the necessary traffic. See https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#risks-of-1-1-nat
  • PFSense Loopback hmailserver

    0 Votes
    3 Posts
    708 Views
    G
    @bob-dig Thank you so much, That solved it.
  • HP T740 setup

    0 Votes
    1 Posts
    308 Views
    No one has replied
  • Port forwarding from multiple wan connections.

    0 Votes
    3 Posts
    662 Views
    L
    I found this link Multi-WAN and NAT that says you need a separate forward entry for each WAN. It just seems onerous since I have a lot of entries. It would be great if the interface could create the multiple entries at the same time, but then we would manage them as separate entries. It wouldn't seem that hard to add to make this process easier.
  • 0 Votes
    3 Posts
    627 Views
    S
    @bob-dig Thanks!
  • FreePBX behind PfSense...working, but only halfway there.

    0 Votes
    1 Posts
    383 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.