@pacopito22
Yeah, agree. It should use the VIP on WAN.
You should reboot pfSense after adding outbound NAT rules.
Maybe it also helps to kill the states.

But the ping is not going to port 8080. This is TCP protocol as the state table is showing. Ping uses ICMP.

@rafamello said in Pure NAT:

For this to work I have to enable Pure Nat in :
System / Advanced / Firewall & NAT, correct?

Technically, that setting applies to ALL rules. If you only want reflection on some rules, you can leave the above disabled and on that one NAT rule change "NAT reflection" from "system default" to one of the Enable options.

@akuma1x Yeah - posted on the forum but no reply yet.....ive loaded wireshark on but still working out how to use it...!

Just gave pfsense a shot.
MIgration of my current setup with Plex and all, but after setting up pfsense and port-forward to Plex, I ran into a problem.
Remote access didn't work. Tautuilli couldn't verify the PMS.

I tried all suggested methods - uPnP - Port Forward in-out - Custom Option private-domain . . e.t.c. -> no luck.

Too much work at the very beginning of a clean install with 1 (one) port forward to work, that doesn't.

@comfy Fixed my own problem last night...seemed to be something on my managed switch which was stopping the traffic - transfered to an unmanaged switch and it started working.

@rlmalisz said in Cannot reach DMZ servers via external addresses:

setting NAT reflection

There is another solution, no reflection needed.
Use a "host override".

On the outside, the Internet, mail.yourserver.tld point to your (a) WAN address.
On the inside, a "host override" like a.spanou@add-assoc = IP address makes all your internal mail clients happy.

@viragomann
OMG I feel so stupid. I forgot that I had to put in https in the address instead of http. Thanks for all of your help.

@phlmike The same format of file? I would think so.

That doc page says, "For a URL Table alias, the drop-down list after the / controls how many days must pass before the contents of the alias are re-fetched from the stored URL by the firewall. When the time comes, the alias contents will be updated overnight by a script which re-fetches the data."

Thank you for your response.
I set the p2 to use a single address for NAT/BINAT translation and it works perfectly!
Thank you!

@inukollu
You can use any address you have assigned to pfSense interfaces for outbound connection.

However, I don't see why its not possibly to go out with the default WAN IP, even if it's private. Seems something on the ISP site.

To change the outbound source address you have to configure a rule in Firewall > NAT > Outbound.
I guess, you might have already have switched it to the hybrid or manual mode and added rules for the LAN network to get the outbound work.
So also add a rule for the source 127.0.0.0/8 to WAN interface and set any of your public IPs for translation.

@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

I have removed all non-essential packages. I have deleted and recreated the configuration multiple times.

Have you tried the most hidden solution, the one that ctually always works :
After a fresh install of pfSense : do nothing. Do not even change the password, just do plain nothing. Dont even run the the initial Wizard who makes pople think they have to give DNS servers because that is not the case.
pfSense has a resolver, so it works out of the box. DNS will work out of the box.

@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

My port forward to my DNS server isn't working.

You have DNS resolver or forwarder on your LAN that you want to use ?
Like a pi-hole or something ?
Or do you have contract with 9.9.9.9 and they want all yuor private DNS requests ?
Why do you think you need a DNS to forward to ?

@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

I have three other port forwards that are still working, but not port 53.

You forward port 53 from where to where ?
You forward UDP, or TCP, or both ?

@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

I run an external port scan

DNS traffic is outbound, not inbound ....
Right ?

@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

I have double-checked with my ISP to make sure they're not blocking it. NO JOY.

They wouldn't do that.
Blocking your "UDP port 53" access to the Internet is nearly the same as cutting the WAN wire.

@butlercn said in Port Forwarding DNS (only) is dead! v.2.6.0:

Could there be an issue with the latest release (2.60)?

Yep, No yoke. There is one.
If you use the captive portal, and you use limiters ( see the many recent forum posts about this subject) then it might look like the resolver isn't working an ymore. This means : no more DNS.
Work around : remove all limiters.
If you use the captive portal : install
8aaa7629-91fb-4536-8fc7-fe905df5835f-image.png

and apply the build in Captive portal patch.

@bmcneil
There is nothing special with multi WAN, except the failover group.

When your WAN are configured as DHCP client, the gateways are set automatically. Otherwise with static IP state the gateway in the interface settings.

For the failover group go to System > Routing > Gateway Groups and create a new group wherein you set the preferred gateway as Tier 1 and the second as Tier 2.The trigger level "member down" should fit your needs. State a name for the group and save the settings.
Then go to the gateways tab and set the failover group as default gateway and save this.

The proper outbound NAT rule should be added automatically by pfSense for both WANs, if the NAT is in automatic mode.
With this settings you should already have internet access from inside your network over both WANs.

For accessing your pfSense from the internet in case of a failover you have to switch the WAN IP on the client side. For instance you can use DynDNS which can be updated with the actual working WAN IP by pfSense.

A VPN client like OpenVPN is also capable to switch the server IP itself if one is not responding. So you can also use static IP or host names here.

@kilogica said in Reach LAN from WAN through ISP router and VPN:

Otherwise, could it be safer if I'll leave the router IP out of the rule?

As there is no need to give the router (or the ISP coming in through it) any access to your network that's a good decision in my opinion.

If I understood the basics, masquerading makes all the packets forwarded as they're coming from my ISP router IP, if I block the access to the LAN behind pfSense to that specific IP it may be good, right?

This all depends on how your router works, if it does masquerading on inbound traffic or not. If it does there should be an option to disable it, but I don't know.
Imagine it does, then the block rule would block forwarded VPN traffic as well. So you will have configure your rules in a proper order to pass what you need and block the rest.

So just check out if the router does masquerading. Forward traffic to pfSense WAN IP. Then start a packet capture on pfSense WAN (Diagnostic > Packet Capture) and trigger a traffic from outside.

@keyser
Thanks for that!
I think I know now which way to go.
Will do the testing next week in my Lab before changing the customers configuration.