• Some things Port Forward, Others don't :S Confused

    1
    0 Votes
    1 Posts
    306 Views
    No one has replied
  • NAT/Port Forward to internal client on different TCP port

    15
    0 Votes
    15 Posts
    2k Views
    johnpozJ
    @lesserbloops no problem, glad you got it sorted. It for sure is not an "optimal" sort of setup.. While I am not sure on whatever constraints you're having to work with.. And sometimes you just need to get something to work, be it not how it should properly be done ;) If you have the ability I would look to not having to jump through such a hoop.. Is there any way for example to connect pfsense to your current routers that are being used as gateways for these 2 networks via transit networks so that pfsense could be used for the firewall router joining these 2 networks together. That way users in network A could just rdp directly to the IP of network B, all you would have to do is allow the traffic you want and in what direction in pfsense. Optimally you wouldn't need the 3rd router at all, and just connect your 2 different routers via a transit so you could correctly route between your 2 networks.. In a truly optimal setup those 2 routers would already be pfsense ;) I find that pictures are sometimes worth 10k words, and sometimes descriptions no matter how elegantly worded can be misinterpreted sometimes due to different use of terms or misunderstanding of how a term is being used.. The term gateway comes up a lot around here for example.. Users try and use that to describe the IP they set on pfsense interface ;) that is not a gateway, that is the interface IP.. Stating you set a gateway means to me you did that you put in a gateway address ;) Also users tend to say they did X when they really did (X+y^2) * Z + Q, etc heheheh.. So a "picture" makes sure everyone is on the same page ;) Which for example is why I drew up a quick layout of how I was understanding what you were up against, so was sure we were understanding each other.
  • SSDP form UPnP Portforwarding not working

    1
    0 Votes
    1 Posts
    598 Views
    No one has replied
  • Inbound/Outbound Nat not working

    1
    0 Votes
    1 Posts
    239 Views
    No one has replied
  • NAT Port Forwarding keeps forwarding to older static IP of the workstation

    5
    0 Votes
    5 Posts
    716 Views
    A
    Maybe it can be useful to prevent configuration issues, clearing cache automatically after some functions made or every REBOOT. I worked on this issue to find almost 1 month. Thank you.
  • Outbound NAT?

    25
    0 Votes
    25 Posts
    3k Views
    johnpozJ
    @gatenet well if you have lan 1 devices that need to talk to lan 2 devices that point to 192.168.16.1 as their default gateway. Just source nat your traffic from lan 1 so it looks like it comes from pfsense lan 2 IP via outbound nat on the lan 2 interface.
  • Outbound portforward NAT response back not working on 2.5.2

    11
    0 Votes
    11 Posts
    974 Views
    jimpJ
    There may be a bug there but running without a default gateway is a bad idea and isn't doing what you think it's doing. Setting a gateway in rules only affects traffic for hosts on the local networks matching those rules, not the firewall itself. And doing that in outbound floating rules doesn't actually help move traffic out different interfaces in most cases. The firewall itself always needs to have a default gateway. If it doesn't, services on the firewall can't properly get out to check for updates, install packages, DNS may fail, VPNs can't establish, etc. Some of that can be worked around with static routes for specific remote hosts but still, it's not ideal. The "none" setting for default gateway is primarily intended for situations where the default is managed by BGP or OSPF, NOT for policy routing. tl;dr; There may be a quirk there but you're running an unsupported configuration so not something that would be a priority to investigate.
  • Unable to game on xbox one for multi-player

    11
    0 Votes
    11 Posts
    2k Views
    D
    @mcury Disabling the second rule gives me this message upon testing multiplayer connect: "It's all good There are no problems with your connection for multiplayer. If you're still having trouble, try testing your NAT type again. " NAT detection returns Open still. Thanks!
  • Incoming NAT to another router on same LAN

    7
    0 Votes
    7 Posts
    895 Views
    M
    @johnpoz said in Incoming NAT to another router on same LAN: But do you know what all public IPs will be that you forward to .100? Unlikely I would assume. Ah, I had thought you meant our own public facing IPs. I can deal with this limitation whilst migrating though. Thanks again for the assistance.
  • Strange issue

    1
    0 Votes
    1 Posts
    350 Views
    No one has replied
  • Port Forward/Rules to access web apps

    4
    0 Votes
    4 Posts
    637 Views
    johnpozJ
    @pisistrato said in Port Forward/Rules to access web apps: I guess I needed to reboot first No you would not need to reboot.
  • PF Sense Configuration question

    5
    0 Votes
    5 Posts
    734 Views
    R
    @viragomann Pure NAT helped with the NAT problems we were having and I had to hit our RD Gateway server from the other networks was to hit the RD Gateway by its private IP. I had to then replicate the same firewall rules we had going from WAN to Network A
    Network B is allowed to hit 192.168.5.28 on Network A on 443, udp 3391 and 3389
    Network C is allowed to hit 192.168.5.28 on Network A on 443, udp 3391 and 3389
    Thanks
  • 0 Votes
    5 Posts
    772 Views
    W
    @viragomann There is no issue when you check from canyouseeme.org when you do the test from any connection, you will see that the port is open, except you won't be able to reach from Kacific internet when you try to connect to my commfort server from commfort client with kacific.
  • Outbound NAT not working (multiple WAN)

    6
    0 Votes
    6 Posts
    777 Views
    johnpozJ
    @brk Ah - you could also just set a hybrid entry for the networks you don't want to nat.
  • LAN > Split DNS > WAN issue

    4
    0 Votes
    4 Posts
    798 Views
    V
    @bgachenot said in LAN > Split DNS > WAN issue:
    A drawback of doing this would be that, when connected to my network with VPN, I couldn't access the gitlab UI anymore (because HSTS enabled)
    Not clear, why HSTS is an issue. Don't you use HTTPS over the VPN? You should use an internal DNS system like DNS Resolver on pfSense and configure your host overrides there. So you can provide the DNS to VPN clients, so that the clients resolve to the same internal IPs as when you access it from inside your network.
    Is there really no way to port forward ports on the same subnet?
    Not without masquerading. When you forward traffic on the router to another device within the same subnet you get the following issue:
    router's IP: x.0.1
    client's IP: x.0.6
    server: x.0.10
    client sends a request packet to the router (source: x.0.6, dest: x.0.1)
    router forwards it to the server (source: x.0.6, dest: x.0.10)
    server responds to the source IP (source: x.0.10, dest: x.0.6)
    This packet arrives on the client, but he is awaiting the response from the router's IP x.0.1, where he sent the request to, not x.0.10. Hence the client will not accept the response packet and the communication will fail.
    I will create a subnet and move my code-server to it. It should take the gateway for communication with the LAN subnet and pfsense should be able to perform the port forwarding right?
    Might be a solution. So each packet has to pass the router and no masquerading is needed.
  • NAT not Working as Expected

    6
    0 Votes
    6 Posts
    972 Views
    J
    Arrrrrhhhhhh.... Why didn't anyone tell me I could use both outbound NAT and port NAT using the same address? All my problems are solved!
  • Access external pfsense IP/DDNS

    11
    0 Votes
    11 Posts
    1k Views
    chudakC
    @viragomann yes yes my idea from the beginning was faulty
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.