• NAT Reflection and OpenVPN Help

    9
    0 Votes
    9 Posts
    1k Views
    T
    @viragomann So I just took another look and I think I can confirm that the packets do go back over the ISP network (because I see that the packets try to go through my ONT in both directions) - thanks Yes, I noticed this and it's quite strange to me. I'd had ideas for reasons if it would behave the other way round. The main reason why I tried TCP in the first place was because I saw this post on serverfault. I don't think the scenario is quite the same, but it's the only thing I've found on the internet that had any semblance to my issue (where the port #s change): [image] Since you don't provide IP addresses, I'm missing the needed information to investigate. Here's the previous packet capture of when I tried to connect to the VPN server from within the ISP network (where pfSense WAN IP is 50.x.x.x, the ISP WAN IP is 75.x.x.x): [image] And here's the packet capture when I connect to the VPN server from an external network (where 207.x.x.x is the IP of the external network): [image]
  • NAT IPSEC to allow LAN Traffic

    nat ipsec
    3
    0 Votes
    3 Posts
    731 Views
    S
    Thanks dear, it's working now.
  • Redirect internal Ip > External

    2
    0 Votes
    2 Posts
    446 Views
    johnpoz
    @bibawa said in Redirect internal Ip > External: it's not possible to change the ip address in the code I find that hard to believe - where did this app come from, written in house and now the writer is no longer with the company? Should have pointed to fqdn not some IP. Anyway - assume your pfsense has an IP on this 192.168.6 network? If so then create a vip so it answers arp for 192.168.6.13 Then create a port forward sending the traffic where you want to send it. If the sender is on a different network that routes through pfsense say the client is on 192.168.5/24 for something then you do not need to create the vip.
  • 2 clients to connect to each other

    32
    0 Votes
    32 Posts
    3k Views
    E
    @johnpoz sorry sir, I forgot to give the example, but the topology I made remains the same as drawn, it's just that I recreate the VM with a different IP. No sir, I installed the IDS/IPS on pfsense, and Snort/Suricata will secure the network (intrnet1), namely the web server itself. I've added a topic to the link you provided, please respond back, sir
  • Need to convene the brain trust on DNS rebinding issue

    22
    0 Votes
    22 Posts
    3k Views
    johnpoz
    @sensewolf said in Need to convene the brain trust on DNS rebinding issue: What I am saying is that pfSense should tell server1 server2's private IP when server1 looks for server2.example.com. But pfSense doesn't. Huh?? If you set up a host override for server2, any client that asks pfsense would get that response.. As already stated if your unbound is getting that address from some other NS, and it's rfc1918 then it would be a rebind.. You can set the domain example.com to be set as private, and then it would hand the client the rfc1918 just fine.. example of this plex uses a special fqdn to find the IPs of your server, be it public address and its local rfc1918 address.. So you set this domain as private in unbound custom option box private-domain: "plex.direct" And now it can find the rfc1918 address. That it got from public NSers out on the internet
  • Using external ip/domain to access lan computer inside lan

    4
    0 Votes
    4 Posts
    575 Views
    V
    @pop69er said in Using external ip/domain to access lan computer inside lan: the domain address is jer-bear.ca. I don't understand the term "I cannot access my LAN computers from my domain name address". I have no idea what you mean with "from my domain name address" in this context? Your outbound NAT rules might not be responsible for this issue, I think. But there are some useless and wrong rules, which you can remove to clean it up. You can remove the rule numbers: 1, 3, 4, 6 (all WAN rules). All these rules are also automatically created by pfSense as seen below. So only the rules for the VPN interfaces are still needed. As the automatic rules show, you have two local networks: 192.168.10.0/24 and 192.168.15.0/24. But at this time you have only for the first one rules on the VPN interfaces. If you also direct traffic from 192.168.15.0/24 out to the VPN connection you need to copy the rules for 192.168.10.0/24 and change the source network accordingly.
  • NAT over lan

    8
    0 Votes
    8 Posts
    815 Views
    F
    I update you, I actually rationalized the need... the 192.168.30.x had to be the gateway for the 172 network, in this way the device that interfaces to the PLC network on 172 could actually route the traffic between the two networks. I really thank you for the speed and availability you gave me in your answers.
  • NAT on CARP IP ADDRESS NOT WORKING

    Moved
    3
    0 Votes
    3 Posts
    494 Views
    V
    @mleighton Sorry, I'm just new here. I'm using PFsense/NETGATE
  • Outbound NAT

    7
    0 Votes
    7 Posts
    734 Views
    M
    @steveits That might just do it, thanks, will have a play with that, never noticed the option below regarding gateway on a rule. Just done some testing and looks good but need to do some more. Thanks for that.
  • Windows Time Sync issues

    1
    0 Votes
    1 Posts
    366 Views
    No one has replied
  • Is there a bug with NAT? Just trying to redirect traffic from 1 IP to another, nothing works.

    0 Votes
    12 Posts
    1k Views
    G
    @johnpoz said in Is there a bug with NAT? Just trying to redirect traffic from 1 IP to another, nothing works.: @genericuser8674 how is it a bug that it doesn't list any? That is not a "bug" that is a feature that is not available in that version. Post about a bug in 2.6 CE. Proceeds to test it on 2.7 and say iT's A fEaTuRe, NoT a BuG!
  • Just trying to forward 443 to an internal server

    55
    0 Votes
    55 Posts
    10k Views
    johnpoz
    @combat_wombat27 said in Just trying to forward 443 to an internal server: both of those match the one I'm using and see in pfsense for the WAN side. Huh - look in your state table for the source IP that is talking to your 192.168.1.4 -- filter on that.. You really should update, 2.4 has been EOL for a while.
  • Set a VoipPhone doesn't Work with Nat

    1
    0 Votes
    1 Posts
    381 Views
    No one has replied
  • Firewall rule stopped working...

    2
    0 Votes
    2 Posts
    470 Views
    V
    @modesty Maybe the NAS blocks access from outside now. To investigate run a packet capture on the NAS facing interface, filter the port for 7172 and try to access it from outside. Check if you see request and also response packets. If there is nothing run a capture on WAN.
  • How do I forward GIF interface traffic?

    4
    0 Votes
    4 Posts
    742 Views
    S
    @skilledinept “back away slowly” as they say. I recall now when I first set up HE I had to reboot for it to work. Reproduced, entered bug report, and couldn’t get it to happen after that.
  • Nat does not work with IP pool

    12
    0 Votes
    12 Posts
    1k Views
    V
    @aadrem said in Nat does not work with IP pool: I checked the advance configuration of PF sense and I discovered that reply-to was disable in that section. To be honest, I didn't think of this option, since it isn't disabled by default. But I'm glad that you got it working.
  • Help! New User with Ports

    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • Unable To Port Forward

    36
    0 Votes
    36 Posts
    4k Views
    S
    Hello, I'm new to this Pfsense thing and I am having trouble as well. I'm not network savvy like you guys but I'm ok at it. Description about my set up is a PPPoE connection like this: nbn box > pfsense > switch > to other devices (plex, tvs, PS, PC, etc). My problem is I can't get any ports to open status. Under: -Interfaces/WAN I have *Block private networks and loopback addresses *Block bogon networks (both ticked) [image] -System/Advanced/firewall & NAT I have *Pure NAT Enable *Enable automatic outbound NAT for Reflection (ticked) [image] but my NAT Rule for my plex server will not open or any port that I try to create in fact [image] even this Outbound settings [image] All I want is for plex media server and PS4 ports to be open. Am I doing something wrong, also if you ask me to do that capture thing, you're going to have to walk me through it lol...!!! Please help, I have been scratching my head at this for days now and hope it's an easy fix...!
  • Incoming TCP not passing through NAT

    4
    0 Votes
    4 Posts
    787 Views
    M
    Update: Speaking to Chelsio support, they suggested setting "hw.cxgbe.buffer_packing=0" in "loader.conf". This resolved my issue.
  • Lan to Lan NAT

    17
    0 Votes
    17 Posts
    2k Views
    D
    @johnpoz Sorry I didn't get back to you sooner, I ran out of time to troubleshoot and ended up spinning up a quick ubuntu instance and doing a DNAT using IP tables. I did run through your example without success, I could see the messages hitting the destination on the correct port but it wasn't replying for whatever reason. Seems to work fine using an IP table, I guess the DNAT is successfully making it appear as the messages are originating from the 110.0 subnet and satisfying whatever Siemens have going on.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.