@steveits said in How to forward calls/Nat from one vlan to another?: outbound NAT rule for the VLAN interface. https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#working-with-manual-outb Will give that a try. I set up an outbound Nat once, but I could not get it to work. Could have been something about the way I set it up, as I am still learning pfsense. Thanks.

@gertjan Hi so actually, the author of this book has some custom scripts on his website. This is to make the process easier for configuring the firewall. So i went ahead and uploaded a custom script with all the settings i need. However, my issue now is that in the "status" of "OpenVPN" is never showing as "up". It is either "pending" or "down" or "failed". See[image: 1662403156961-screen-shot-2022-09-05-at-11.38.37-am.png] : Part of the additional instructions is to designate a custom server IP address from my ProtonVPN service. Basically you choose a server from a list on ProtonVPN's site, and then download a file. I was instructed to open it in a text editor and identify the IP address and manually enter it. That way all my internet traffic is being routed through that specific server. However, in the file looks like this: [image: 1662402575356-screen-shot-2022-09-05-at-11.29.19-am.png] If i enter any of those full IP addresses, it gives an error, saying its no t a valid address. When i use the root address 156.146.54.97, it will accept it. So i'm not sure if that is correct or not. In the end, my status on OpenVPN is not showing "up" and thats the end goal according to my instructions. Any ideas?

SystemAdvancedFirewall & NAT "NAT Reflection mode for port forwards" > Set it to "Pure NAT" Enable NAT Reflection for 1:1 NAT > YES Enable automatic outbound NAT for Reflection > YES Then you can access the Service with external IP also from LAN

@bob-dig Thank you! I replaced the pfsense 2.6.0 VM with a new one running pfsense 2.5.2 and the internet speed blistering fast now.

@eeebbune 1:1 NAT forwards all ports. If you are trying to get to your server from LAN using the public IP address, you'll still need Reflection enabled (see "Enable NAT Reflection for 1:1 NAT"). I would get it working from outside first, then worry about the LAN. BTW, for 1:1 NAT you don't need to configure Outbound NAT. https://docs.netgate.com/pfsense/en/latest/nat/1-1.html "All traffic originating from that private IP address going to the Internet through the interface selected on the 1:1 NAT entry will be mapped by 1:1 NAT to the public IP address defined in the entry, overriding the Outbound NAT configuration." @eeebbune said in Help me to understand NAT configuration (1:1 & Outbound + PortForward?): allow any to server IP with all port rules to both WAN/LAN rule tabs If I'm reading that correctly and you've allowed all traffic to the server on WAN, when using 1:1 NAT that includes all ports, so SSH, HTTP, SMTP, FTP, NetBIOS, remote connections, etc., etc. I would really recommend against that and only allow the necessary traffic. See https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#risks-of-1-1-nat

@bob-dig Thank you so much, That solved it.

I found this link Multi-WAN and NAT that says you need a separate forward entry for each WAN. It just seems onerous since I have a lot of entries. It would be great if the interface could create the multiple entries at the same time, but then we would manage them as separate entries. It wouldn't seem that hard to add to make this process easier.

@bob-dig Thanks!

@johnpoz The ridiculous thing is that I wanted to use HAproxy (with Acme for certs) to keep all networking inside my PFsense system. I had some difficulty with HAproxy (probably my own fault either with HA or the service setup I was forwarding to) A great deal of the information I got from the internet said "Nginx" or "Traefik" were the way to go, so I tried Nginx. I'm going to take your suggestion of packet capture on both sides. After that I might just shutdown Nginx and return to HAproxy (w/Acme) and try to figure out the proxy/ports.

What type of misconfiguration can cause these issues? I'm actually quite doubtful about my network, because on some parts of network we are using hubs (unmanaged switches). Can improper isolation of vlans be the cause of problem ?

@bigunit99 I see, but it’s usually desired to see the origin IP address, to know where the request is coming from. However, if you don’t care about that you can also masquerade inbound traffic by an outbound NAT rule. You have to add it manually though. To do so, switch over the outbound NAT to hybrid mode. Then add a rule: interface: LAN Protocol: TCP or whatever you need Source: any destinations: LAN net or an alias which includes the desired IPs destinations port : any or an alias which includes the ports you need Translation: interface address

@usereric that is works at all is surprising because your 1st hop is 192.168.1/24 and your second hop is also a 192.168.1 address. If your ISP device is going to hand out 192.168.1 addresses, you should set your pfsense lan to be something different say 192.168.2/24 ATT fiber might have a IP passthru mode.

@lburns Just read the first reply. It explains how to do it.

@johnpoz OK I understand, thanks. Yeah, so a traceroute to 8.8.8.8 would help the ISP find where it is blocked. Unless they know and are being jerks...because pretty much any router will have security updates.

MY misstakes, tested from the wrong machine. Everything is working fine :P

@lonmarlon Set the hostname to resolve to that public IP...? Or if it is already set, then likely the webmail server isn't set to use that hostname. Unless you've installed a reverse proxy, there's nothing in pfSense that knows what hostname was used. The packet arrives for IP "n" and pfSense processes it.