I can register the client to the PBX. The problem is that I have no audio at all. Something with the RTP traffic. When I connect the PBX and client to openvpn I have no problems. Everything works. The problem arise when I try to use pfSense public IP. I think is something with the UDP Nat

@c-amie said in [Bug?] pfSense empirically causing legacy WordPress sites to fail: We have no control over what internal code to someone's WordPress site is doing. Valid point.. One way to fix it would be to put the servers actually on a public IP via routed network behind pfsense.

Hi, to complete the topic: the patch worked for me and solved the issue. Thank you

@mistermince Have you opened the ports on the firewall rules as well or just created the port forwarding rules? Can you post screen shots of you rules and port forwards?

FIXED: I don't know why and how to check more deeply this issue: Following the documentation, to standarize every config. With Redirect target IP 127.0.0.1 as shown on the picture below. All the DNS answers came from the LAN address (each vlan) [image: redirect_dns_port_forward.png] Fixed with: Redirect target IP LAN_XX address

@jarhead Ok, all good then. Thanks again for your help.

@dsmith10 Has anyone ever found the solution to this? I'm running into the same issue. Tailscale can't port translate automatically because we have a CARP IP for our LAN's gateway.

@viragomann Great tip, that's how it works for me. Thanks you very much for the effort!!!

It appears that "alias-on-given-port" is checked and the invert match of the same alias is ignored so it interprets the alias is used twice and throws the error. I ended up with a set up using pfBlocker that does work while using invert match on an alias, but it works within the constraint above. ListA - US ListB - blocked geo Technically, outside of these two would be the rest of "all". Setup: ListA on port 80 -> machineA port 80 ListA on port 443 -> machineA port 443 !ListB on port 80 -> machineB port 80 !ListB on port 443 -> machineB port 443 @johnpoz The documentation might need to include a note that pfSense does not interpret the invert match of an alias to be a unique from the alias. The invert match on ListB above is ALL, like you suggested, but without ListB. Thanks again!

@antiquity2489 I can't but UPnP never was a strength of *Sense. So you better make a port forward yourself.

It has been broken for many years now, so another couple of years doesn't sound too terrible in that perspective. Still, it sucks :(

@stephenw10 @viragomann through VPN it worked fine. Spent 40 mins and issue solved. Just to update. Thanks you guys for help anyway

So this is embarrasing... I have a Mail server that I recently changed the password on my mail account for, this Mail service runs on my home-server. I got a scheduled powershell script that goes through the logs of this mail service and automatically blocks incoming connections from IP addresses that try to brute force-login or use my mail server as a forwarder. (fail2ban script I made in powershell) Apparently, since I changed the password to my account, my Gateway-iP (192.168.10.1) was blocked by this script, probably because I had not changed it on my phone. so it was not NAT reflection that was broken, it was my windows firewall... will change the powershell script now, to not block my gateway IP :) also going back to the Ubiquiti Router, as I was able to get IPsec to work there, while I find it very advanced for pfsense

@chstechsolutions said in Outbound Nat only 1/2 working: I can run curl api.ipify.org and I get IP address 2 but when I send an email from the server all the headers say it is coming from IP Address 2. Isn't this what you want and what the outbound NAT rule is meant to do?

@wolf3000 They are probably using proxy arp That was discouraged a long time ago, for security reasons. Why would you want that feature ? If using DHCP the PLC should also accept the def-gw info handed out. If using Static IP, it's just one more entry to key in. The whole point of using a firewall is to be "In Control", and not rely on some (could even be a hostile) device, forwarding your packets based on unanswered arp requests. /Bingo

@steveits said in 1:1 Nat routing back to firewall: But he's trying to access the WAN IP from LAN. That seems to me like it needs reflection to work. Yes, you're right. I didn't read correctly. @trever But why are you using the external IP for accessing an internal device? The suggested way is to access it using an FQDN together with internal DNS host overrides. So from within your network the FQDN is resolved to the internal IP and accessing it should be work without NAT reflection.

@steveits Thanks for your reply. I finally figured it out. Quite obvious now that I see it. The ATT box's programming for the "pass-through" mode requires you to enter the MAC address of the NIC that the traffic is being forwarded to. Since the router hardware had changed, of course the MAC had changed. Duh...

@townsenk64 yep, known issue https://redmine.pfsense.org/issues/13126 fix should be in the next snapshot or you can use system patches to apply the commit now