• NAT using l2tp on wan

    1
    0 Votes
    1 Posts
    325 Views
    No one has replied
  • 1 static public ip address to 1 lan IP NAT (www.myip.com show wan ip!)

    9
    0 Votes
    9 Posts
    833 Views
    @vitozzo It's quite simple. Post your 1:1 rule please. For troubleshooting use Diagnostic > Packet Capture. Sniff the traffic on WAN. Check out the IPs of www.myip.com and enter them in the Host box (multiple separated by "|"). Start the capture and try to access www.myip.com from the internal device. You should see the packets going out with the source IP you stated at external in the 1:1 NAT rule.
  • How to NAT through a OpenVPN connection to my LAN

    12
    0 Votes
    12 Posts
    1k Views
    @boeingpilot Also consider the option to set up a second OpenVPN connection. I'm thinking to run the server on the VPS, since it has a static IP. However, the rule setup I mentioned above has to be exactly the same. I was assuming, you need incoming connections only on the SMTP server. If you also need outbound using the VPS IP, you have to configure a CSO for the VPS client on the home pfSense, when using only one (multi purpose) server to let OpenVPN know the proper route. And you will have to policy route the server's outbound connections to the remote site. Additionally on the VPS you would need an outbound NAT rule for the SMTP server.
  • Need to perform NAT to a server cluster...

    4
    0 Votes
    4 Posts
    548 Views
    johnpoz
    @narrington haproxy could do this for you.. here is a google result that looks to be current version of pfsense and use of haproxy as load balancer https://getlabsdone.com/how-to-configure-pfsense-load-balancer-using-haproxy/
  • LAN Websites cannot be accessed

    23
    0 Votes
    23 Posts
    4k Views
    @johnpoz yeah don’t worry I know they’re not the same but I’ve even tried to route through internally through PFSENSE by the host overrides and still nothing I am baffled
  • NAT Reflection and VLANs

    1
    0 Votes
    1 Posts
    393 Views
    No one has replied
  • Netduma Router behind Netgate Sg-2100 - gaming only

    3
    0 Votes
    3 Posts
    649 Views
    @stephenw10 Figured out the issue! NAT 1:1 is indeed correct but I forgot to put the firewall rules in need inbound from WAN!
  • Multiple Devices behind NAT communicating

    nat 2 nat comms
    4
    0 Votes
    4 Posts
    665 Views
    Hi johnpos, I completed the NAT Reflection setup. It works as advertised both on Port Forward and 1:1 NATs. Perfect result. Thanks
  • Respond to NAT on additional WAN interface

    3
    0 Votes
    3 Posts
    497 Views
    @steveits I'm looking at not trying to use WAN2 address. I'm wanting to use the VIP assigned under the primary WAN. As I understand it, the VIP won't actually be affected unless the interface itself goes down? As for the outbound, it's a similar scenario, I'm wanting to use the same VIP regardless of the interface it's sent out. End result being, regardless of which interface is primary for sending out traffic, I want it to always be seen from a specific VIP that is associated to the 10.0.0.x network.
  • One WAN Interface Two Gateways With NAT

    6
    0 Votes
    6 Posts
    663 Views
    @sdockter Setting a gateway in the WAN rule is really a bad idea. The gateway option in firewall rules is meant for policy routing of outbound connections and instructs pfSense to pass all matching traffic to this gateway. So this rule will pass no packets behind pfSense in your setup.
  • Port Forwards Again

    6
    0 Votes
    6 Posts
    872 Views
    johnpoz
    @noahbb89 said in Port Forwards Again: So the 525 to 3389 is a redirect. No that is not a redirect... You have the source port locked to being 525.. A redirect port would look like this, I direct 23040 externally to 32400 on the server internally. [image: 1642002394423-portredirect.jpg] Your buddy sure and the hell does not have the same setup - if he did his wouldn't work either.. It's that simple.. This is borked! [image: 1642002516900-wrong.jpg] Also you have a port forward on your WAN that says destination is the LAN address - how would that ever happen?? That forward says hey traffic coming into your Wan interface with a destination of whatever your LAN IP is - how would traffic hit your wan that has a destination of your LAN IP??? Let's say it somehow magically did... You're then saying hey if the destination port is 3389 send it to 192.168.1.120 3389.. But ONLY if the source port of the traffic is 525.. How and the hell would any of that ever happen?? If you want to redirect traffic hitting 525 on your wan to 192.168.1.120 3389.. The port forward and firewall rules would look like this. [image: 1642003369949-correctredirect.jpg]
  • plex

    16
    0 Votes
    16 Posts
    2k Views
    johnpoz
    @panzerscope Yup or put pfsense wan IP in the dmz host role so that all traffic is forwarded to pfsense... Or put that device in bridge mode, so it doesn't do nat, etc. Impossible for pfsense to send anything to your plex, if it never sees the traffic because the device in front of pfsense is not sending it on to pfsense.
  • Port 80 not forwarding

    76
    0 Votes
    76 Posts
    22k Views
    @johnpoz said in Port 80 not forwarding: But again wouldn't not say getting a Refused is valid test that pfsense sent on the traffic.. Maybe your ISP is blocking that traffic and sending the RST. We've already established that my ISP is not blocking those ports, since I can get them to test as open, simply by running the associated service on my server. I appreciate your help, but I think I'm going to let this sit for a while, before I have a stroke. I may come back to it later. Thanks again.
  • PfSense/TrueNAS Scale/Ombi

    Moved
    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    @menethoran moved.. Were you thinking outbound nat, 1:1 nat? I am not sure.. But if something is behind pfsense on port xyz, and you want something to hit your pfsense wan IP on port, and get forwarded to say 192.168.1.100:abc - then port forward is the common term used https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forwards
  • Multi-Wan Route Specific traffic via Specific WAN

    4
    0 Votes
    4 Posts
    571 Views
    @vmac Yes. It boils down to creating an alias with the target IPs.
  • DNS Redirect on PPPoE Clients failing

    17
    0 Votes
    17 Posts
    2k Views
    I am now just deciding if we should apply a dev version to our production kit or wait it out for a stable release of 2.6
  • 0 Votes
    5 Posts
    717 Views
    bingo600
    @johnpoz said in Solved - Why can i access internet from a subnet not defined in outbound NAT ?: I see you did it correctly via a "transit" Yepp - I usually have a "Interconnect IF" on my fwalls , all external traffic enters there. Well besides WAN , and OVPN. Makes Security reviews smooth(er). /Bingo
  • UDP blocked - NAT reflection unable to connect over UDP

    26
    0 Votes
    26 Posts
    3k Views
    johnpoz
    @horizon82 said in UDP blocked - NAT reflection unable to connect over UDP: manual outbound and vpn had no impact It wouldn't have an impact unless you messed with them, or added another network and not an outbound nat and then wondered why it wasn't working ;) It's just bad setup to switch to manual, and then create the nat required for the vpn, when you could just add the hybrid nat for the vpn.. I don't use nat reflection, since in my opinion it's an abomination to all things networking ;) Now in some instances true it can be useful. When some client is hard coded to use a public IP, or when it is using external dns and no way to have it use internal for whatever reason. As to having to set a default gateway, might have to do with having a vpn setup which you're pulling routes with and it gets set as the default gateway regardless of what might be shown in the gui.. Again more bad advice from the vpn providers - but then again they want you to send all traffic to them, not just the traffic you want to send.
  • Port Forwarding not Working

    2
    0 Votes
    2 Posts
    749 Views
    Gertjan
    @olddirtypossum said in Port Forwarding not Working: I have set up NAT Reflection Why ? You connect from the outside : you'll be using the (pfSense) WAN IP and the UDP port. This port will get "natted" to the server LAN IP, using a (same or not) port, also UDP. Done. You connect from the inside : Just use the IP of the server. pfSense doesn't even come into play here, as it is a device to device connection. The 'use the WAN IP or WAN host name' on the LAN is not good practice. You could add a "DNS host override" on the Resolver settings page (bottom) : [image: 1640948793118-3b0daa09-6504-4f44-83c4-59b8843718e6-image.png] Now, when connected locally, LAN, the myserver.mypfsense.local will resolve to 192.168.1.10 (your craft server). From the outside myserver.mypfsense.local is your DynDNS that will resolve to your WAN IP. Btw : There can't be an issue that resists the Docs » pfSense software » Troubleshooting guide ;)
  • Port Forwarding not working?!

    22
    0 Votes
    22 Posts
    10k Views
    In case anyone sees this reply on this old post, I am having a similar issue, I did port forwarding for Minecraft Bedrock Server, Port 19132. Minecraft can see the server online and ping it but I can not connect to it. I have read through all of the Troubleshooting info from Netgate, I checked through several guides from others and all of the info was the same, so I believe I am configuring it correctly. I attempted dropping the TCP permission as Bedrock uses UDP, and I have added it back. I have set up NAT Reflection and tested the port on my Desktop and off the LAN with my phone on 5g, and still the port says closed. I have also rebooted the router. I was wondering if it had something to do with my server being in a Docker Container, but in general as long as the port is forwarded then I should be able to at least see it as open right?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.