@mcury Disabling the second rule gives me this message upon testing multiplayer connect: "It's all good There are no problems with your connection for multiplayer. If you're still having trouble, try testing your NAT type again. " NAT detection returns Open still. Thanks!

@johnpoz said in Incoming NAT to another router on same LAN: But do you know what all public IPs will be that you forward to .100? Unlikely I would assume. Ah, I had thought you meant our own public facing IPs. I can deal with this limitation whilst migrating though. Thanks again for the assistance.

@pisistrato said in Port Forward/Rules to access web apps: I guess I needed to reboot first No you would not need to reboot.

@viragomann Pure NAT helped with the NAT problems we were having and I had to hit our RD Gateway server from the other networks was to hit the RD Gateway by its private IP. I had to then replicate the same firewall rules we had going from WAN to Network A Network B is allowed to hit 192.168.5.28 on Network A on 443, udp 3391 and 3389 Network C is allowed to hit 192.168.5.28 on Network A on 443, udp 3391 and 3389 Thanks

@viragomann There is not issue when you check from canyouseeme.org when you do the test from any connection, you will that the port is open, except you will won't be able to reach from Kacific internet when you try to connect to my commfort server from commfort client with kacific. [image: 1639095091886-kacific-resized.png]

@brk Ah - you could also just set a hybrid entry for the networks you don't want to nat.

@bgachenot said in LAN > Split DNS > WAN issue: A drawback of doing this would be that, when connected to my network with VPN, I couldn't access the gitlab UI anymore (because HSTS enabled) Not clear, why HSTS is an issue. Don't you use HTTPS over the VPN? You should use an internal DNS system like DNS Resolver on pfSense and configure your host overrides there. So you can provide the DNS to VPN clients, so that the clients resolve to the same internal IPs as when you access it from inside your network. Is there really no way to port forward ports on the same subnet? Not without masquerading. When you forward traffic on the router to another device within the same subnet you get following issue: routers IP: x.0.1 clients IP: x.0.6 server: x.0.10 client sends a request packet to the router (source: x.0.6, dest: x.0.1) router forwards it to the server (source: x.0.6, dest: x.0.10) server responds to the source IP (source: x.0.10, dest: x.0.6) This packet arrives on the client, but he is awaiting the respond from the routers IP x.0.1, where he sent the request to, not x.0.10. Hence the client will not accept the response packet and the communication will fail. I will create a subnet and move my code-server to it. It should take the gateway for communication with the LAN subnet and pfsense should be able to perform the port forwarding right? Might be a solution. So each packet has to pass the router and no masquerading is needed.

Arrrrrhhhhhh.... Why didn't anyone tell me I could use both outbound NAT and port NAT using the same address? All my problems are solved!

@viragomann yes yes my idea from the beginning was faulty

@xlameee said in NAT Reflection Pure NAT quick question: Is this rule open port to outside that can be exploit ? Hi, Every port you open on the firewall compromises the security of your infrastructure... yet often inevitable what I would advise you that, you are not the only one who knows the basic ports of known applications, the scanners know them well whenever possible configure the application for a non-basic port, drop the port to 40-50K range Forget http if possible and go to https - or use a proxy

@swordforthelord said in Cannot create outbound NAT rules in Hybrid Outbound NAT mode: helpful error message, You mean like this [image: 1637416461771-likethis.jpg] If I try and create outbound hybrid nat with range like 3000-3100 I get that error..

@steveits oh man you beat me to it - but I got in a picture ;) hehehe edit: Oh wait I beat you, heheheh

@johnpoz thank you, is clear. im expecting a 6 port device to arrive for this configuration. If i have any questions i will post again. Thank you.

@johnpoz Many thanks) Compared the settings of both Pfsense - NAT Reflection was disabled. I set the Nat + Proxy mode, everything worked. Thanks again!