Update:

MicroSIP says "Wrong password". That's crazy because it's the same as in the hardware phone.

I suspect that there is still a technical problem.

14:32:54.992 sip_resolve.c ...DNS resolver not available, target 'sip.amplusvoice.de:0' type=UDP will be resolved with getaddrinfo()

I'll try it with my mobile.

@edbreay said in Port Forwarding not working on ESXi:

I suppose.... it is not a Port Fowarding/Firewall Rule issue.

correct statement 😉 - (but pls. see the last sentence)

we could go deeper into the ESXi configuration, but this is the pfSense community and I'm not sure if they want to know about specific ESXi settings

try again step by step and test from a host outside - +vswitch

and with dual NAT there are exactly port forward problems on the WAN interface (RFC1918 on WAN)

+++edit (I will help you with this):
@edbreay "it is coming from my home office router"

if you want to access the Linux machine from the outside (truly outside from internet), you need to forward a port to the pfSense WAN on this router as well

@viragomann
I am stunned... THAT was an easy trick. Damn. Though much more complicated stuff involved...
Thank you very much!
Now I have to figure out why NAT-Pool with HASH is not working properly, the GUI does not accept the setting with a pool of four of the named adresses. Strange.
Again, thank you!
MP.

@andy22 said in NAT to Web Server running on WAN:

Modem --> WAN Router --> PfSense -> LAN & IOT Routers

Does each of these routers NAT?

I have a web server running on one of the WAN IP address.

Where is the WAN IP assigned to? To the WAN router, inside or outside?

@anthoinn Problem resolved just need to put correct subnets on server side

VPN is much better way to access your resources from remote for sure ;)

@danielffem It's not clear to me how all this is arranged. The Cisco ASA connects to your company network out your WAN. Your workstation connects to the Cisco via OpenVPN or some other protocol? "it doesn't work. I can't browse anything" is pretty vague. Can you resolve any hosts via nslookup? Can you ping out to 8.8.8.8, for example? Can you ping anything on the company network?

Well in passive the client makes connection to the server. So you would not need any rules on the interface server is on to allow the creation of the data port.

As to faster speed be it active or passive.. That make no difference. Its just who opens the connection.

Normally no firewall rules are needed on the client side for passive, since quite often the client side outbound rule is any, that is default of pfsense. If you are limiting the destination ports device can create outbound. Then yes you would need a rule on the clients interface to allow whatever ports your server is going to offer up for the passive data connection.

Below is my NAT rules and my WAN rules.

CapturFiles-202108230_210834.jpg CapturFiles-202108230_210853.jpg

Never mind, I figured that one out too. That ISP router was routing all traffic destined for my IP block to the firewall despite no ARP response.

@crispycritter
This kind of NAT must be done in the IPSec phase 2: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

Also the routing is done in the phase 2. IPSec routes the whole upstream traffic to the remote site if your p 2 remote network is 0.0.0.0.

@viragomann

Thanks for your help.

Everything works like a charm now.

@planetinse

The problem is now I can only rely on one of the WAN's (the default in Routing/Gateways) for outgoing traffic with Outbound NAT rules.

I will have to revert back to 2.5.0 again.

I think the root cause is that the Gateway setting in advanced options for the FW Rules on LAN side is simply not used, it always using the default gateway regardless of what is selected in the rule.

4afaf369-0836-4869-8489-a186b256120a-bild.png

@zoltan Create an IP Alias VIP (Firewall - Aliases) on LAN with a local IP address, then create a NAT port forward (Firewall - NAT) to forward that VIP to the public IP address. You can restrict it to just the ports that the monitoring system requires.

@viragomann Thanks a lot, Pure did not worked, but straight forward with proxy.
Thanks again !!!

@viragomann said in [NAT Outbound WAN IP X to WAN IP Y not working]

If pfSense would do this, the DNS client would ignore and drop the response packet. If he is requesting X, hence he is awaiting a response from X and will ignore any other source IP.

I know in that simple case it wouldn't work, but that's what needs to be done in my setup. It's an ugly workaround for a problem we currently have.

I think I've found my mistake. In my case, random Z is asking pfsense box Y a request, that request is DNAT'd and forwarded to the pfSense box X. Both X and Y share the same firewall states via pfSync. So I thought, as X is aware in its states of the box Y's DNAT, it would simply follow it back with the auto-SNAT; just as any other normal NAT rule.

But X doesn't take Y's DNAT into account, and instead replies directly to Z, bypassing Y, so it cannot be auto-SNAT'd back to source Y. So that's why I wanted to force the rewriting of X to Y using my own DNAT rule. It'd be nice if we could do that too.

What I need to do on box Y is to add a VIP of W, and SNAT Z to W along DNAT Y to X. Then X would reply to W which would be SNAT'd back to source Y and DNAT'd back to destination Z.

Thanks for the support @viragomann. Have a nice day!

@pmai72 said in Mail Server Not Working:

Is it still something missing?

Probably. Can't tell right now.
You have world's most famous log file at your disposal. It's the file nearly every post (=mail) master looks at 24/24H, as it is very important.

/var/log/mail.log

It has all the details.

edit : /var/log/mail.log is the file and location for most mail servers.