@xlameee said in NAT Reflection Pure NAT quick question: Is this rule open port to outside that can be exploit ? Hi, Every port you open on the firewall compromises the security of your infrastructure... yet often inevitable what I would advise you that, you are not the only one who knows the basic ports of known applications, the scanners know them well whenever possible configure the application for a non-basic port, drop the port to 40-50K range Forget http if possible and go to https - or use a proxy

@swordforthelord said in Cannot create outbound NAT rules in Hybrid Outbound NAT mode: helpful error message, You mean like this [image: 1637416461771-likethis.jpg] If I try and create outbound hybrid nat with range like 3000-3100 I get that error..

@steveits oh man you beat me to it - but I got in a picture ;) hehehe edit: Oh wait I beat you, heheheh

@johnpoz thank you, is clear. im expecting a 6 port device to arrive for this configuration. If i have any questions i will post again. Thank you.

@johnpoz Many thanks) Compared the settings of both Pfsense - NAT Reflection was disabled. I set the Nat + Proxy mode, everything worked. Thanks again!

@viragomann Thank you for your reply. The lan interface gateway is empty and the NAT is set in 'Manual Outbound NAT rule generation'. In any case I found the problem, there was a NAT rule configured to a network interface group with the LAN interface included. Avevo controllato many time NAT configuration! Thank you very much!

Okay, as it always is. As soon as I post a question I figure out the problem HAHA My problem was I didn't forward correctly from my "modem/router". In the UK we have modem/routers handed out by BT (as an example). Previously I setup a DMZ to solve this issue but I forgot to update the IP on that. Now I've updated it, everything is working as expected.

@bob-dig said in Port forwarding/NAT from VPN to local server: with them in the first place? Ahhh. OK. Thanks. Yes, some servers allow it. One of them happened to be one I used, but switched from, due to speed issues. These speed issues are everywhere though - so I may switch back to the Windows client and Wireguard. Pretty crap, but it's that slow (to PIA) I have just about written OpenVPN off.. OpenVPN (using PFSense) is about 1.5MB/s. Using PIA Client in Windows - Wireguard - is easily over 10MB/s. Thanks for your time and information guys. Appreciated!

@viragomann Yep, that’s definitely the difference. Upon switching, most of my network broke and it’s been challenging getting each piece back to function. However, it’s been an excellent learning experience. I think this issue may relate to a concession I made to fix a different problem. Thanks so much.

@viragomann Confirm. Green flag and it says port is open on public ip address. I'm going to check the device. It should be the oroblem Maybe it's not responding correctly.

@cibiri Hi! Can you post your config? I'm trying to translate with the newest pfsense but the interface changed and it's not really working When I configure my nat rule (10.0.64.0 first IP will translate to 192.168.0.0/18 (the overlap)) - my site 0 is 172.x and all my clients (15 of them) are 192.168.0.0/18 ) binat on openvpn inet from 192.168.0.0/18 to any -> 10.0.64.0/18 I;ve also configured OPT1 but nothing. But it's not working. Any other config somewhere I'm following this tutorial https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-nat-subnets-conflict.html

@volans But they become actual IP addresses on the firewall which is unnecessary for NAT purposes. Making individual "Other" /32 VIPs will add them to the menus too without doing that. That's probably a GUI defect. This was already found and fixed in 2.6.0 snapshots.

@jpgpi250 It's to be set in Firewall > NAT > Outbound. If your Outbound NAT is working in automatic mode switch to the hybrid mode first and save it. Then add a new rule like this: interface: this one which is facing to the monitoring / client protocol: TCP/UDP source: the clients subnet dest: the monitoring IP dest. port: 53 translation: interface address

@viragomann you're amazing. I guess somehow the WAN was configured without selecting the gateway. This solved the issue. At least hopefully the next person coming across missing NAT rules will find this post in their search results.