Maybe it can be useful to prevent configuration issues, clearing cache automatically after some functions made or every REBOOT.

I worked on this issue to find almost 1 month.

Thank you.

@gatenet well if you lan 1 devices that need to talk to lan 2 devices that point to 192.168.16.1 as their default gateway.

Just source nat your traffic from lan 1 so it looks like it comes from pfsense lan 2 IP via outbound nat on the lan 2 interface.

There may be a bug there but running without a default gateway is a bad idea and isn't doing what you think it's doing. Setting a gateway in rules only affects traffic for hosts on the local networks matching those rules, not the firewall itself. And doing that in outbound floating rules doesn't actually help move traffic out different interfaces in most cases.

The firewall itself always needs to have a default gateway. If it doesn't, services on the firewall can't properly get out to check for updates, install packages, DNS may fail, VPNs can't establish, etc. Some of that can be worked around with static routes for specific remote hosts but still, it's not ideal.

The "none" setting for default gateway is primarily intended for situations where the default is managed by BGP or OSPF, NOT for policy routing.

tl;dr; There may be a quirk there but you're running an unsupported configuration so not something that would be a priority to investigate.

@mcury Disabling the second rule gives me this message upon testing multiplayer connect: "It's all good There are no problems with your connection for multiplayer. If you're still having trouble, try testing your NAT type again. "
NAT detection returns Open still.
Thanks!

@johnpoz said in Incoming NAT to another router on same LAN:

But do you know what all public IPs will be that you forward to .100? Unlikely I would assume.

Ah, I had thought you meant our own public facing IPs. I can deal with this limitation whilst migrating though.

Thanks again for the assistance.

@pisistrato said in Port Forward/Rules to access web apps:

I guess I needed to reboot first

No you would not need to reboot.

@viragomann Pure NAT helped with the NAT problems we were having and I had to hit our RD Gateway server from the other networks was to hit the RD Gateway by its private IP.

I had to then replicate the same firewall rules we had going from WAN to Network A
Network B is allowed to hit 192.168.5.28 on Network A on 443, udp 3391 and 3389
Network C is allowed to hit 192.168.5.28 on Network A on 443, udp 3391 and 3389

Thanks

@viragomann There is not issue when you check from canyouseeme.org when you do the test from any connection, you will that the port is open, except you will won't be able to reach from Kacific internet when you try to connect to my commfort server from commfort client with kacific.

kacific.PNG

@brk Ah - you could also just set a hybrid entry for the networks you don't want to nat.

@bgachenot said in LAN > Split DNS > WAN issue:

A drawback of doing this would be that, when connected to my network with VPN, I couldn't access the gitlab UI anymore (because HSTS enabled)

Not clear, why HSTS is an issue. Don't you use HTTPS over the VPN?

You should use an internal DNS system like DNS Resolver on pfSense and configure your host overrides there. So you can provide the DNS to VPN clients, so that the clients resolve to the same internal IPs as when you access it from inside your network.

Is there really no way to port forward ports on the same subnet?

Not without masquerading.
When you forward traffic on the router to another device within the same subnet you get following issue:
routers IP: x.0.1
clients IP: x.0.6
server: x.0.10
client sends a request packet to the router (source: x.0.6, dest: x.0.1)
router forwards it to the server (source: x.0.6, dest: x.0.10)
server responds to the source IP (source: x.0.10, dest: x.0.6)
This packet arrives on the client, but he is awaiting the respond from the routers IP x.0.1, where he sent the request to, not x.0.10. Hence the client will not accept the response packet and the communication will fail.

I will create a subnet and move my code-server to it. It should take the gateway for communication with the LAN subnet and pfsense should be able to perform the port forwarding right?

Might be a solution. So each packet has to pass the router and no masquerading is needed.

Arrrrrhhhhhh....

Why didn't anyone tell me I could use both outbound NAT and port NAT using the same address?

All my problems are solved!

@viragomann
yes yes
my idea from the beginning was faulty

@xlameee said in NAT Reflection Pure NAT quick question:

Is this rule open port to outside that can be exploit ?

Hi,

Every port you open on the firewall compromises the security of your infrastructure...

yet often inevitable 😉

what I would advise you that, you are not the only one who knows the basic ports of known applications, the scanners know them well

whenever possible configure the application for a non-basic port, drop the port to 40-50K range

Forget http if possible and go to https - or use a proxy

@swordforthelord said in Cannot create outbound NAT rules in Hybrid Outbound NAT mode:

helpful error message,

You mean like this

likethis.jpg

If I try and create outbound hybrid nat with range like 3000-3100 I get that error..