@martijnvw pfSense is really quite flexible but not so much a "click a checkbox" type of system. Give it some time and I expect you'll like it. And learn a lot as you said. :)

@viragomann said in Port forwarding problem (I did try following the troubleshooting guide): Run Diagnostic > Packet Capture on WAN and initiate an access from outside to check out, if the DMZ is working. From what I see til now, I don't think so. Problem solved, my ISP enabled DMZ on the wrong router (that I have an account for). Cleared up the router details, DMZ now working and port forwarding works perfect. Thank you for your time!

@seantree After removing the check and saving the interface settings, the block rule should be gone from WAN. Additionally you need a pass rule for allowing the access. However, this should be added automatically by the shown port forwarding rule. Consider that Quick floating rules ca override interface rules.

@felixcda That sounds like the HA setup has its own problems. Scan through the troubleshooting doc and maybe start another thread. You should be able to put the primary in persistent maintenance mode, or shut it off, and the other take over seamlessly. And go the other direction. I do it all the time and it's how updates are done. Your two routers are identical?

Make sure you are allowing your WAN to talk to private ip space. Click on Interfaces, then on WAN, scroll down to the bottom for this: [image: 1650086644664-private_ip.png] If that's checked you are going to have a hard time talking to the external non routable IPs. This particular problem has tripped me up many times over the years when I forgot about it.

Got it! [image: 1650075752016-hq_port_pass.png] I could see the port passing in on HQ. But still no dice. [image: 1650075772951-branch_missing_port.png] I added this accept rule on the Branch side and now it talks! Took me some wandering but now I understand. Thanks @viragomann !

Ignore. I blundered my way through getting it right. Thanks for your time. --Richard

@pacopito22 Yeah, agree. It should use the VIP on WAN. You should reboot pfSense after adding outbound NAT rules. Maybe it also helps to kill the states. But the ping is not going to port 8080. This is TCP protocol as the state table is showing. Ping uses ICMP.

@rafamello said in Pure NAT: For this to work I have to enable Pure Nat in : System / Advanced / Firewall & NAT, correct? Technically, that setting applies to ALL rules. If you only want reflection on some rules, you can leave the above disabled and on that one NAT rule change "NAT reflection" from "system default" to one of the Enable options.

@akuma1x Yeah - posted on the forum but no reply yet.....ive loaded wireshark on but still working out how to use it...!

Just gave pfsense a shot. MIgration of my current setup with Plex and all, but after setting up pfsense and port-forward to Plex, I ran into a problem. Remote access didn't work. Tautuilli couldn't verify the PMS. I tried all suggested methods - uPnP - Port Forward in-out - Custom Option private-domain . . e.t.c. -> no luck. Too much work at the very beginning of a clean install with 1 (one) port forward to work, that doesn't.

@comfy Fixed my own problem last night...seemed to be something on my managed switch which was stopping the traffic - transfered to an unmanaged switch and it started working.

@rlmalisz said in Cannot reach DMZ servers via external addresses: setting NAT reflection There is another solution, no reflection needed. Use a "host override". On the outside, the Internet, mail.yourserver.tld point to your (a) WAN address. On the inside, a "host override" like a.spanou@add-assoc = IP address makes all your internal mail clients happy.

@viragomann OMG I feel so stupid. I forgot that I had to put in https in the address instead of http. Thanks for all of your help.

@phlmike The same format of file? I would think so. That doc page says, "For a URL Table alias, the drop-down list after the / controls how many days must pass before the contents of the alias are re-fetched from the stored URL by the firewall. When the time comes, the alias contents will be updated overnight by a script which re-fetches the data."

Thank you for your response. I set the p2 to use a single address for NAT/BINAT translation and it works perfectly! Thank you!

@inukollu You can use any address you have assigned to pfSense interfaces for outbound connection. However, I don't see why its not possibly to go out with the default WAN IP, even if it's private. Seems something on the ISP site. To change the outbound source address you have to configure a rule in Firewall > NAT > Outbound. I guess, you might have already have switched it to the hybrid or manual mode and added rules for the LAN network to get the outbound work. So also add a rule for the source 127.0.0.0/8 to WAN interface and set any of your public IPs for translation.