• AirVPN (OpenVPN) port forward working externally but not internally

    2
    0 Votes
    2 Posts
    524 Views
    No one has replied
  • Configuring a 3rd ISP WAN Interface to another LAN Interface.

    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • Keeping Source IPs

    15
    0 Votes
    15 Posts
    2k Views
    johnpozJ
    @kbarrett said in Keeping Source IPs: "Company unfortunately won't allow it" Will not allow you to post up what? What your internal rfc1918 addresses are? WTF?? Someone's tinfoil hat is so freaking tight it's cutting off the blood flow.. Like giving away you live on main street. Without even knowing what country you're in, let alone state, etc. Pretty worried about telling someone you live on the planet earth ;) There is zero issue with posting up some arbitrary IP space, and interface be it wan or lan. Hide your rfc1918 space if you want. I just need to see if you're using lan as an outbound nat.. Are you using public IP space internally? Not sure how you expect help - when you come back 23 days later and don't even post up an answer to the question. Yes, I am NATing the incoming traffic. If you are source natting external traffic to your webserver - then yeah it is always going to see the IP you natted it to.. Why would you be doing that? Other than circumvention of some firewall running on where you're forwarding to.. If you want to see the actual public IP of a client out on the internet talking to something you port forward traffic to, then don't source nat.. Do you understand the difference between a port forward and what I am saying with a source nat? Do you have something in your outbound nat using the LAN interface? vs the WAN - if so that would be a source nat for traffic coming from the internet going to something on your Lan net.. Here - do you have something like this in your outbound nat rules? [image: 1631710185015-sourcenat.jpg] if I forwarded traffic to something on my 192.168.10/24 network - to that device on 192.168.10.X it would look like I am coming from the IP address of my Lan Address.. That is a source nat. edit: BTW to any would-be hackers - please don't hack me now that I have given away that my internal networks use rfc1918.. Like every other internal network on the planet ;)
  • Registering on SIP via NAT reflection

    6
    1 Votes
    6 Posts
    938 Views
    S
    @salmanghiyas Split DNS is basically just overriding local DNS for a hostname. So the entire Internet resolves www.example.com to a public IP, and devices on the LAN are told www.example.com is a private IP via a host override.
  • Access Website internally?

    9
    0 Votes
    9 Posts
    1k Views
    GertjanG
    @killmasta93 said in Access Website internally?: "but wanted the Let's Encrypt on NGINX rather than on pfSense" "Letsencrypt" is a concept, a brand, not code. It needs, on 'your' side, a program, most often scripts like Python, bash etc. that run on some system (OS). NGINX is a web server that, on request from a web browser, gets files from its local storage and sends them to the browser asking for them. It does not natively execute programs or scripts. Your NGINX runs on a device (host): install certbot, acme.sh or whatever script you like, that interfaces with the Letsencrypt API servers. The traffic will just flow through pfSense, as any other traffic.
  • incoming NAT issue

    7
    1 Votes
    7 Posts
    833 Views
    S
    @kom said in incoming NAT issue: "@salmanghiyas That should only be a problem if you're frequently adding new block rules. Usually, you configure the firewall and then mostly leave it alone. If your situation requires these changes then it's best to set a time to make your changes outside of business hours. Or, you can use the state table (Diagnostics - States) and filter for destinations you're trying to block and then only reset those states instead of all established states." Thank you!
  • Overlapping Port Forward Destination on Single Source?

    1
    0 Votes
    1 Posts
    365 Views
    No one has replied
  • Exception Port Forward RDR for VoIP provider

    9
    0 Votes
    9 Posts
    928 Views
    T
    Update: MicroSIP says "Wrong password". That's crazy because it's the same as in the hardware phone. I suspect that there is still a technical problem. 14:32:54.992 sip_resolve.c ...DNS resolver not available, target 'sip.amplusvoice.de:0' type=UDP will be resolved with getaddrinfo() I'll try it with my mobile.
  • 0 Votes
    1 Posts
    405 Views
    No one has replied
  • I'm not config NAT on WireGuard link?

    1
    0 Votes
    1 Posts
    358 Views
    No one has replied
  • Port Forwarding not working on ESXi

    8
    0 Votes
    8 Posts
    2k Views
    DaddyGoD
    @edbreay said in Port Forwarding not working on ESXi: "I suppose.... it is not a Port Forwarding/Firewall Rule issue." correct statement - (but pls. see the last sentence) we could go deeper into the ESXi configuration, but this is the pfSense community and I'm not sure if they want to know about specific ESXi settings try again step by step and test from a host outside - +vswitch and with dual NAT there are exactly port forward problems on the WAN interface (RFC1918 on WAN) +++edit (I will help you with this): @edbreay "it is coming from my home office router" if you want to access the Linux machine from the outside (truly outside from internet), you need to forward a port to the pfSense WAN on this router as well
  • NAT with public routed pool

    3
    1 Votes
    3 Posts
    615 Views
    M
    @viragomann I am stunned... THAT was an easy trick. Damn. Though much more complicated stuff involved... Thank you very much! Now I have to figure out why NAT-Pool with HASH is not working properly, the GUI does not accept the setting with a pool of four of the named addresses. Strange. Again, thank you! MP.
  • NAT to Web Server running on WAN

    2
    0 Votes
    2 Posts
    472 Views
    V
    @andy22 said in NAT to Web Server running on WAN: Modem --> WAN Router --> PfSense -> LAN & IOT Routers Does each of these routers NAT? I have a web server running on one of the WAN IP address. Where is the WAN IP assigned to? To the WAN router, inside or outside?
  • OpenVPN NAT 1:1 on only one client configured

    nat openvpn
    2
    0 Votes
    2 Posts
    613 Views
    A
    @anthoinn Problem resolved just need to put correct subnets on server side
  • WebDav From Router through Firewall

    nat firewall pfsense 2.5
    12
    0 Votes
    12 Posts
    5k Views
    johnpozJ
    VPN is much better way to access your resources from remote for sure ;)
  • Route Access pfsense

    2
    0 Votes
    2 Posts
    439 Views
    KOMK
    @danielffem It's not clear to me how all this is arranged. The Cisco ASA connects to your company network out your WAN. Your workstation connects to the Cisco via OpenVPN or some other protocol? "it doesn't work. I can't browse anything" is pretty vague. Can you resolve any hosts via nslookup? Can you ping out to 8.8.8.8, for example? Can you ping anything on the company network?
  • Port Forward in LAN / access from another LAN

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ
    Well in passive the client makes connection to the server. So you would not need any rules on the interface server is on to allow the creation of the data port. As to faster speed be it active or passive.. That makes no difference. It's just who opens the connection. Normally no firewall rules are needed on the client side for passive, since quite often the client side outbound rule is any, that is default of pfsense. If you are limiting the destination ports device can create outbound. Then yes you would need a rule on the clients interface to allow whatever ports your server is going to offer up for the passive data connection.
  • PortForwarding not working on port 443

    3
    0 Votes
    3 Posts
    481 Views
    M
    Below is my NAT rules and my WAN rules. [image: 1629338130070-capturfiles-202108230_210834.jpg] [image: 1629338129988-capturfiles-202108230_210853.jpg]
  • Automatic Outbound NAT not working

    7
    0 Votes
    7 Posts
    844 Views
    P
    Never mind, I figured that one out too. That ISP router was routing all traffic destined for my IP block to the firewall despite no ARP response.
  • 1:1 Nat blocks internet access

    4
    0 Votes
    4 Posts
    461 Views
    V
    @crispycritter This kind of NAT must be done in the IPSec phase 2: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html Also the routing is done in the phase 2. IPSec routes the whole upstream traffic to the remote site if your p 2 remote network is 0.0.0.0.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.