• Just trying to forward 443 to an internal server

    55
    2
    0 Votes
    55 Posts
    12k Views
    johnpoz
    @combat_wombat27 said in Just trying to forward 443 to an internal server: both of those match the one I'm using and see in pfsense for the WAN side. Huh - look in your state table for the source IP that is talking to your 192.168.1.4 -- filter on that. You really should update; 2.4 has been EOL for a while.
  • Set a VoipPhone doesn't Work with Nat

    1
    0 Votes
    1 Posts
    410 Views
    No one has replied
  • Firewall rule stopped working...

    2
    3
    0 Votes
    2 Posts
    494 Views
    V
    @modesty Maybe the NAS blocks access from outside now. To investigate, run a packet capture on the NAS-facing interface, filter the port for 7172 and try to access it from outside. Check if you see request and also response packets. If there is nothing, run a capture on WAN.
  • How do I forward GIF interface traffic?

    4
    8
    0 Votes
    4 Posts
    806 Views
    S
    @skilledinept "back away slowly" as they say. I recall now when I first set up HE I had to reboot for it to work. Reproduced, entered bug report, and couldn't get it to happen after that.
  • Nat does not work with IP pool

    12
    4
    0 Votes
    12 Posts
    2k Views
    V
    @aadrem said in Nat does not work with IP pool: I checked the advanced configuration of pfSense and I discovered that reply-to was disabled in that section. To be honest, I didn't think of this option, since it isn't disabled by default. But I'm glad that you got it working.
  • Help! New User with Ports

    1
    4
    0 Votes
    1 Posts
    281 Views
    No one has replied
  • Unable To Port Forward

    36
    0 Votes
    36 Posts
    5k Views
    S
    Hello, I'm new to this pfSense thing and I am having trouble as well. I'm not network savvy like you guys, but I'm OK at it. My setup is a PPPoE connection like this: nbn box > pfsense > switch > other devices (Plex, TVs, PS, PC, etc.). My problem is I can't get any ports to open status.
    Under Interfaces/WAN I have "Block private networks and loopback addresses" and "Block bogon networks" (both ticked). [image: 1656760572017-untitled0.png]
    Under System/Advanced/Firewall & NAT I have "Pure NAT Enable" and "Enable automatic outbound NAT for Reflection" (ticked). [image: 1656760621398-untitled1.png]
    But my NAT rule for my Plex server will not open, or any port that I try to create in fact [image: 1656760667515-untitled.png], even this Outbound settings [image: 1656761012248-untitle.png].
    All I want is for the Plex Media Server and PS4 ports to be open. Am I doing something wrong? Also, if you ask me to do that capture thing, you're going to have to walk me through it lol...!!! Please help, I have been scratching my head at this for days now and hope it's an easy fix...!
  • Incoming TCP not passing through NAT

    4
    0 Votes
    4 Posts
    852 Views
    M
    Update: Speaking to Chelsio support, they suggested setting "hw.cxgbe.buffer_packing=0" in "loader.conf". This resolved my issue.
  • Lan to Lan NAT

    17
    0 Votes
    17 Posts
    2k Views
    D
    @johnpoz Sorry I didn't get back to you sooner. I ran out of time to troubleshoot and ended up spinning up a quick Ubuntu instance and doing a DNAT using iptables. I did run through your example without success; I could see the messages hitting the destination on the correct port, but it wasn't replying for whatever reason. Seems to work fine using iptables. I guess the DNAT is successfully making it appear as if the messages are originating from the 110.0 subnet and satisfying whatever Siemens have going on.
  • voip line pfSense states

    1
    1
    0 Votes
    1 Posts
    392 Views
    No one has replied
  • Windows server 2019, Hmail server and port 25

    15
    0 Votes
    15 Posts
    2k Views
    R
    @johnpoz Thanks for the advice. I'm not a pro; that's why I'm asking for help from people who are actually doing it and have tried to do it before. I also want to learn more about the process involved behind all this. Thanks again.
  • Pure NAT: What is the IP Address that I see?

    2
    0 Votes
    2 Posts
    477 Views
    V
    @demux At least if client and server are connected to the same interface (requests are coming in and going out on the same interface), pfSense turns the source IP into its interface IP. If they are connected to different internal interfaces it might be the origin source IP, don't know. But it's never the WAN address.
  • Hosting connectivity oddities behind pfSense

    4
    0 Votes
    4 Posts
    747 Views
    S
    @easy-hostingnz It defaults to disabled. Enabling it there enables reflection for all rules. Alternately, you can edit a NAT rule and change NAT Reflection from "system default" to enable it. Reflection sends that connection/traffic through the router, while split DNS doesn't use the router because the devices use a LAN IP. If the NAT doesn't translate ports then either will work.
  • Questions about using NAT

    4
    0 Votes
    4 Posts
    673 Views
    E
    @kom As it happens I started at step one, describing deleting and starting fresh each offensive rule. I also ensured to add logging to the WAN firewall rule that is automatically generated. I'm not sure how that should've helped but it has seemingly solved the issue. I have yet to be able to try logging into the host from an actual outside source but so far the program used to log in has a browser method that seems to be different from connecting via LAN. Thank you again, I'll be leaning heavier into the documentation in the future.
  • upnp port to firewall with one click?

    1
    0 Votes
    1 Posts
    361 Views
    No one has replied
  • Access public IPv4s from LAN

    11
    0 Votes
    11 Posts
    1k Views
    H
    @hrustakv I fixed the problem. I didn't have a bridge built over the WAN, only on LAN ports. :)
  • NAT before IPSec with VIP

    3
    0 Votes
    3 Posts
    1k Views
    M
    This is exactly what I had tried to do, as this has always worked in previous versions. However, I can configure this in whatever VPN tunnel, but it is not applied. The pfsense acts as if the P2 does not exist and I see that no NAT is applied. I can't find any error in the log files either. Doesn't anyone else have this problem, I can't imagine it. Especially since my configuration for the PFSense is now also not so very extensive.
  • Allowing url traffic from Devops

    1
    0 Votes
    1 Posts
    437 Views
    No one has replied
  • NAT for the same ports to different LAN IPs

    15
    0 Votes
    15 Posts
    2k Views
    iulianteodor
    @kiokoman
    # Automaticaly generated, dont edit manually.
    # Generated on: 2022-06-03 22:53
    global
        maxconn 1000
        stats socket /tmp/haproxy.socket level admin expose-fd listeners
        uid 80
        gid 80
        nbproc 1
        nbthread 1
        hard-stop-after 15m
        chroot /tmp/haproxy_chroot
        daemon
        server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend frontend80
        bind xx.xx.xx.xx:80 name xx.xx.xx.xx:80
        mode http
        log global
        option http-keep-alive
        timeout client 30000
        acl expressite var(txn.txnhost) -m beg -i www.expresxxxx.com
        acl expresmail var(txn.txnhost) -m beg -i mail.expresxxxx.com
        acl ramsite var(txn.txnhost) -m beg -i www.ramxxxx.ro
        acl nappasite var(txn.txnhost) -m beg -i www.nappaxxxx.ro
        acl emisite var(txn.txnhost) -m beg -i www.emimaragro.ro
        acl expresrosite var(txn.txnhost) -m beg -i www.expresxxxx.ro
        acl rammail var(txn.txnhost) -m beg -i mail.ramxxxx.ro
        acl nappamail var(txn.txnhost) -m beg -i mail.nappaxxxx.ro
        http-request set-var(txn.txnhost) hdr(host)
        use_backend backend-http8080_ipvANY if expressite
        use_backend backend-http80_ipvANY if expresmail
        use_backend backend-http8080_ipvANY if ramsite
        use_backend backend-http8080_ipvANY if nappasite
        use_backend backend-http8080_ipvANY if emisite
        use_backend backend-http8080_ipvANY if expresrosite
        use_backend backend-http80_ipvANY if rammail
        use_backend backend-http80_ipvANY if nappamail

    backend backend-http8080_ipvANY
        mode http
        id 100
        log global
        option log-health-checks
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server website 192.168.1.4:8080 id 101 check inter 1000 weight 250

    backend backend-http80_ipvANY
        mode http
        id 102
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server webmail 192.168.1.3:80 id 103 check inter 1000
  • VMware VMs not finding pfsense IP

    1
    0 Votes
    1 Posts
    476 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.