• NAT and SIP

    0 Votes
    1 Posts
    539 Views
    No one has replied
  • how to allow access from wan subnet

    0 Votes
    8 Posts
    2k Views
    johnpoz
    @nogbadthebad said in how to allow access from wan subnet: "Yup, he could add the static route on 192.168.1.17." Yeah if you're going to have hosts on your transit you would need to do host routing.. It's a hack, not a true setup anyone should want. When it's simple enough to set it up correctly. To be honest you would almost never actually want/need a downstream router, you're going the wrong direction that way to be honest. Just replace your edge with pfsense, use your old wifi router as just an AP as the transition phase until you can get AP that allow vlan and switches that can as well if you want to setup a real network ;) Yes in a large enterprise network you would see routing done internally all the time vs just at the edge.. But in a small network or home or home with lab setup just doesn't really make sense other than a learning experience. And if you're wanting to learn, then do it correctly with a transit network.. Sure if you want to play with why it doesn't work when you have hosts on a transit and the asymmetrical traffic flow that will result - sure have at it.. But I would set it up correctly, then break it with putting hosts on your transit and see why the asymmetrical flow is not good when you have stateful firewalls also in play..
  • Returning IPSec traffic and NAT

    0 Votes
    5 Posts
    716 Views
    S
    Hi @cswroe, Yes I created the Site-to-Site IPSec with NAT'ing using this link. The tunnel is UP together with Phase 2. I can also see traffic from Site A to Site B. When it enters the Site B and I do a packet capture, I can see the NAT IP addresses. Thanks & Regards, Sam
  • New PFSense Configuration with Multiple Public Subnets

    0 Votes
    1 Posts
    391 Views
    No one has replied
  • Wireguard and SIP

    1
    4
    0 Votes
    1 Posts
    877 Views
    No one has replied
  • Alter outgoing port number is it possible?

    0 Votes
    3 Posts
    557 Views
    R
    @viragomann thanks mate
  • Redirecting a subnet

    0 Votes
    2 Posts
    492 Views
    V
    @pixel24 said in Redirecting a subnet:
    "For the installation, I would like to access the new virtual network from the LAN"
    You have two different LANs. Guess you mean this one 192.168.24.0/24.
    "Is there a way to set up a redirection on the 'old' pfSense so that all calls for 192.168.83.0/24 from the network 192.168.24.0/24 are routed to the WAN IP of the 'new' pfSense (192.168.24.20)?"
    Really not clear, why you want to do that. But yes, that's doable with a simple port forwarding rule, presupposed the old pfSense is the default gateway in the LAN. However, since both source and redirect target are within the same subnet, you need to masquerade the source IP.
    For masquerading add a rule in Firewall > NAT > outbound. If the outbound NAT is in automatic mode, switch into hybrid mode and save this first. Then add a new rule:
        interface: LAN
        source: LAN net
        dest.: 192.168.24.20
        translation: interface address (or LAN CARP VIP if any)
    Port forwarding:
        interface: LAN
        source: any
        dest: 192.168.83.0/2
        redirect target: 192.168.24.20
  • Help with Meraki MX64 client

    0 Votes
    1 Posts
    417 Views
    No one has replied
  • Do I need to adjust NAT

    0 Votes
    5 Posts
    698 Views
    N
    @viragomann Thank you! This helped me
  • NAT using l2tp on wan

    0 Votes
    1 Posts
    356 Views
    No one has replied
  • 1 static public ip address to 1 lan IP NAT (www.myip.com show wan ip!)

    0 Votes
    9 Posts
    904 Views
    V
    @vitozzo It's quite simple. Post your 1:1 rule please. For troubleshooting use Diagnostic > Packet Capture. Sniff the traffic on WAN. Check out the IPs of www.myip.com and enter them in the Host box (multiple separated by "|"). Start the capture and try to access www.myip.com from the internal device. You should see the packets going out with the source IP you stated at external in the 1:1 NAT rule.
  • How to NAT through a OpenVPN connection to my LAN

    0 Votes
    12 Posts
    1k Views
    V
    @boeingpilot Also consider the option to set up a second OpenVPN connection. I'm thinking to run the server on the VPS, since it has a static IP. However, the rule setup I mentioned above has to be exactly the same. I was assuming, you need incoming connections only on the SMTP server. If you also need outbound using the VPS IP, you have to configure a CSO for the VPS client on the home pfSense, when using only one (multi purpose) server to let OpenVPN know the proper route. And you will have to policy route the server's outbound connections to the remote site. Additionally on the VPS you would need an outbound NAT rule for the SMTP server.
  • Need to perform NAT to a server cluster...

    0 Votes
    4 Posts
    628 Views
    johnpoz
    @narrington haproxy could do this for you.. here is a google result that looks to be current version of pfsense and use of haproxy as load balancer https://getlabsdone.com/how-to-configure-pfsense-load-balancer-using-haproxy/
  • LAN Websites cannot be accessed

    0 Votes
    23 Posts
    4k Views
    I
    @johnpoz yeah don’t worry I know they’re not the same but I’ve even tried to route through internally through PFSENSE by the host overrides and still nothing I am baffled
  • NAT Reflection and VLANs

    0 Votes
    1 Posts
    412 Views
    No one has replied
  • Netduma Router behind Netgate Sg-2100 - gaming only

    0 Votes
    3 Posts
    681 Views
    N
    @stephenw10 Figured out the issue! NAT 1:1 is indeed correct but I forgot to put the firewall rules in need inbound from WAN!
  • Multiple Devices behind NAT communicating

    nat 2 nat comms
    0 Votes
    4 Posts
    740 Views
    G
    Hi johnpos, I completed the NAT Reflection setup. It works as advertised both on Port Forward and 1:1 NATs. Perfect result. Thanks
  • Respond to NAT on additional WAN interface

    3
    1
    0 Votes
    3 Posts
    536 Views
    W
    @steveits I'm looking at not trying to use WAN2 address. I'm wanting to use the VIP assigned under the primary WAN. As I understand it, the VIP won't actually be affected unless the interface itself goes down? As for the outbound, it's a similar scenario, I'm wanting to use the same VIP regardless of the interface it's sent out. End result being, regardless of which interface is primary for sending out traffic, I want it to always be seen from a specific VIP that is associated to the 10.0.0.x network.
  • One WAN Interface Two Gateways With NAT

    6
    1
    0 Votes
    6 Posts
    725 Views
    V
    @sdockter Setting a gateway in the WAN rule is really a bad idea. The gateway option in firewall rules is meant for policy routing of outbound connections and instructs pfSense to pass all matching traffic to this gateway. So this rule will pass no packets behind pfSense in your setup.
  • Port Forwards Again

    0 Votes
    6 Posts
    941 Views
    johnpoz
    @noahbb89 said in Port Forwards Again: "So the 525 to 3389 is a redirect." No that is not a redirect... You have the source port locked to being 525.. A redirect port would look like this, I direct 23040 externally to 32400 on the server internally. [image: 1642002394423-portredirect.jpg] Your buddy sure and the hell does not have the same setup - if he did his wouldn't work either.. It's that simple.. This is borked! [image: 1642002516900-wrong.jpg] Also you have a port forward on your WAN that says destination is the LAN address - how would that ever happen?? That forward says hey traffic coming into your Wan interface with a destination of whatever your LAN IP is - how would traffic hit your wan that has a destination of your LAN IP??? Let's say it somehow magically did... You're then saying hey if the destination port is 3389 send it to 192.168.1.120 3389.. But ONLY if the source port of the traffic is 525.. How and the hell would any of that ever happen?? If you want to redirect traffic hitting 525 on your wan to 192.168.1.120 3389.. The port forward and firewall rules would look like this. [image: 1642003369949-correctredirect.jpg]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.