  • PFsense CE 2.5.1 NAT broken on interface != default WAN

    pfsense 2.5 nat bug 2.5.1 wan
    4 Votes, 56 Posts, 21k Views
    In the time it took to fix this critical bug, I was able to:
    - Set up and thoroughly test out OPNsense in a staging environment
    - Find viable replacements for all the pfSense plugins and features I was using
    - Weigh the pros and cons of switching to OPNsense
    - Realize that open source pfSense has become a second class citizen
    - Provision a new production firewall with OPNsense
    - Manually copy the configuration from pfSense to the new OPNsense box
    - Retire my pfSense box and switch permanently to OPNsense
  • Outbound NAT not working for single host (multi-WAN)

    0 Votes, 6 Posts, 515 Views
    @viragomann Thank you, I think you've pointed me in the right direction. The release of 2.5.2 could not have come at a better time! Well, last week before I upgraded to 2.5.1 would have been better, but I'll take today. https://redmine.pfsense.org/issues/11805
  • Port Forward Not Working 2.5.1 (Not Multi-WAN)

    0 Votes, 6 Posts, 801 Views
    Yeah, the Destination of the automatically created rule is incorrect and should be 192.168.1.10, as you found out. Odd that it was created with the LAN address of the firewall as destination, unless your port forward rule was originally created that way and the firewall rule wasn't automatically updated when the NAT rule was.
  • Nat Exemption Rule? VPN Appliance

    0 Votes, 7 Posts, 882 Views
    @viragomann thanks again for the reply. Next Tuesday afternoon I'll be able to test it and see if that fixes it. Yes, I'll be removing it from VLAN 7 and creating a VLAN just for the ASA.
  • Help understanding outbound NAT for VLANS and CARP Failover

    0 Votes, 4 Posts, 640 Views
    @pomtom44 Yes, you can remove one of the double. Obviously there was something going wrong with automatic rule generation. The matching parameters of the rules are: interface, address family, protocol, source address, source port, destination address, destination port. If all these values are equal, the rules match the same traffic and hence only the first one is applied while the next are ignored.
  • Multi WAN NAT Reflection Understanding

    0 Votes, 5 Posts, 770 Views
    planedrop: @viragomann Thanks, this just might work, appreciate the input!! Sorry for not getting back sooner, been a busy weekend rebuilding a small datacenter lol.
  • Port Forward doesn't work on multi WAN NIC

    0 Votes, 5 Posts, 629 Views
    @sisko212 Never done it, but as far as I know, it should be possible. Change the branch for updates in System > Update accordingly.
  • Please help: VLAN and NAT port forward to Shadowsocks server behind pfsense (Netgate SG1100)

    0 Votes, 6 Posts, 2k Views
    johnpoz: @drew-kun said in Please help: VLAN and NAT port forward to Shadowsocks server behind pfsense (Netgate SG1100): "You are amazing!" And yet not even a thumbs up to say thanks...
  • NAT not working. Probably a weird setup, but it *should* work, right?

    0 Votes, 3 Posts, 1k Views
    NickMZ, were you able to set up pfSense in IBM Cloud Classic Infrastructure (SoftLayer) using a different DC?
  • Disable NAT for set of IPs whilst retaining for others

    0 Votes, 6 Posts, 2k Views
    Derelict: @wifi-will Limiters don't care whether the addresses are private or public or if there is NAT.
  • NAT Issue?

    0 Votes, 8 Posts, 1k Views
    @droidus said in NAT Issue?: "@behemyth I am running different hardware than that device. It is called Protectli." bump *
  • /29 and /30 NAT Disable

    0 Votes, 9 Posts, 891 Views
    johnpoz: @wifi-will said in /29 and /30 NAT Disable: "LAN2 for public IP1, LAN3 for public IP2 etc..." Sure, you can put all your switch ports in your /29 network and then connect devices directly to the switch to be in the /29 network. Or you could use port 1 of the switch for some other network, and the other ports in the switch for your /29, etc. I personally like my interfaces discrete on my router, which is why I have a 4860 vs a model with a switch built in. But some people like the switch in the router. But what you do with that switch is really no different than an external VLAN-capable switch, be it all the ports in 1 VLAN, or breaking up the ports to be in other VLANs.
  • 1:1 Nat to a subnet or vlan

    0 Votes, 5 Posts, 596 Views
  • OpenVPN site to site NAT

    nat openvpn site-to-site
    0 Votes, 7 Posts, 2k Views
    @viragomann Ok, I got it working. It took some cleaning up after previous attempts, and I wouldn't have made it work if it wasn't for your info. Thanks
  • NAT Port Forward on 80 redirects to 443 not working

    0 Votes, 2 Posts, 372 Views
    @bambos said in NAT Port Forward on 80 redirects to 443 not working:
    > 192.168.27.201:443 NOT working
    > 192.168.27.201:80 working, and I can see the browser redirecting to 443.
    > 192.168.27.201 working, and I can see the browser redirecting to https://192.168.27.201
    These are not URLs! If you omit the http(s) (the scheme) the browser will add one itself to call the site. Which one might depend on the browser and its records with the destination. https basically always goes to port 443 and http to port 80. Your forwarding is presumably done by the web server. So this is a bit off-topic here. But if you want to see what your web server replies on port 80, go to Diagnostics > Command Prompt in the pfSense GUI and type curl -s -i http://192.168.27.201 in the Execute Shell Command box. If it is redirected you should get code 301 or 302 and the new destination. If you get 200 there is no redirection.
  • Outbound NAT not translating when port forward

    0 Votes, 5 Posts, 584 Views
    @johnpoz changed default gateway to WAN2 and it works like a charm. When WAN2 is secondary gateway, Outbound NAT is manual and packets are directed through the correct WAN2 interface after a port forward, but they are just not being NATed and egress using the private IP through the WAN2 interface. Reading the bug comments slowly, it has already been reported and people have it working with 2.5.2 RC. Thank you!
  • NAT trick over VPN to access LAN's on same range (avoid conflict)

    0 Votes, 9 Posts, 797 Views
    @brians I don't know IPsec. Most probably you can do something like this using OpenVPN. I suggest you start another thread in the correct forum section.
  • UPnP behind private IP- working with a "hack"

    1 Vote, 4 Posts, 667 Views
    Bob.Dig: @viktor_g Thank you for letting me know. Regarding my "hack", today I noticed that the dyndns.update cron-job failed for IPv4 with my Cloudflare "clients"; the RFC 2136 "client" had no problem with IPv4. I then removed the virtual IP, only had 6.6.6.6 in the UPnP & NAT-PMP Settings, and dyndns.update is working again and UPnP is still working! So the only thing someone has to do is to put in some random public IP in Override WAN address in the UPnP & NAT-PMP Settings, to get it working behind a private IP?! Is it so easy? No need for a STUN Server and all this nonsense?? I really don't know why (mini-)UPnP needs to know the public IP in the first place.
  • Outgoing nat on OpenVPN interface

    0 Votes, 3 Posts, 451 Views
    Yes, the OpenVPN makes a route at A for 192.168.110.0/24. But I think the problem is at B, because I can't see any traffic leave the OpenVPN interface connected to A when I ping a host at 195.80.240.0/20.
  • First configuration : NAT

    0 Votes, 42 Posts, 9k Views
    KOM: @freyja
    > I said from the beginning that I wanted to replicate the configuration I had with my pix as the netgate act a replacement.
    That isn't an explanation for the reasoning behind the method. I understood you wanted to make it the same as what you had before. That's not hard to understand. The question was 'why do you want it that way?' What problem does this solve? That's all.
    > All my configuration is based on that and despite the fact you disagree, I want to mask my internal network for things such as a honeypot, for example.
    I don't necessarily disagree when I don't know all the details. That's why I was asking. You said earlier that you wanted to mask your network but I didn't understand the context, nor did John. Usually a DMZ is completely isolated from LAN, which is its entire point, and any required access is strictly controlled via rules. It's unusual to have a DMZ that needs to talk to LAN so much.
    > It's not because you do not understand the usefulness of what I want that it's illegal.
    I'll definitely admit that I don't see the usefulness of what you're doing.
    > And such a supposition is quite surprising. I said what I wanted to do, you just don't listen.
    No, you said things like 'mask my network' and 'several reasons' but you never actually gave any specifics. Two of us were confused so you weren't as clear as you think.
    > 1- reproduce what I had before just not to have to reconfigure everything 2- mask my internal network because I don't want people to be aware of it.
    Got it. I don't know how that would help you though. Yes, I understand that you are going to keep it this way and I have no problem with that. I'm just curious. How would people who interact with your DMZ be aware of what's on your LAN? Someone who cracks one of your DMZ servers will see what it's talking to and try to exploit that regardless of its DMZ vs LAN IP address.
    > But still you're pushing over and over because it sounds overcomplicated for you, but at the very end it's my problem if it's overcomplicated, right?
    It doesn't sound overcomplicated. It sounded like it didn't make any sense. I was asking for details because I thought I was missing something.
    > I've never seen such aggressive people about simple tech questions, really I don't understand what you are trying to do there.
    Every single day here, new users decide to do something using an incorrect or sub-optimal method and then they ask specific questions in order to reach their bad end instead of asking for the best way to do something using pfSense. I thought that is what you were doing, so I asked questions trying to determine what problem you needed to solve.
    > I've started evading your queries because I had answered them and didn't want to get into an argument and have to justify my setup. You make me feel I want to pack my netgate back up and return it.
    This has nothing to do with Netgate.
    > I've worked with Cisco, Nokia, McAfee, Checkpoint firewalls and never seen such aggressiveness from a tech community. I'm starting to feel you are acting like that because you've seen I'm a girl and think I don't know what I'm doing. Don't make me think it's just misogynistic behavior.
    How would I know you're a woman, and why would that matter?? My entire knowledge of you is from this one thread.
    > That said, I'm not doing anything illegal, I just wanted to reproduce my Pix configuration to simplify my life and not have to reconfigure every service I'm using, and that's all.
    Understood. Thank you for making it clearer for me. I think this has been one big misunderstanding and I will not trouble you again.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.