@kom
It's gone from clipboard and logs now. I removed it initially to not expose public ip.

The real question is what I did to make it work because I was using port 5761 until just recently reverted back to port 5760.

How would 10.41.1.1 ever see your public IP as source? Other than the IP to create the vpn tunnel. Traffic inside the tunnel would look likes its coming from whatever pfsense gets for its tunnel IP after creating the vpn.

For you to use your downstream network like that - would have to be setup. the network on the other side of the vpn would have to know to route traffic down the tunnel to get to your 10.36.45 network..

So your natting on pfsense to this 172.21.36.2 address now? If you don't you have the ubnt setup to route this traffic via your transit?

@gswhite
Oh yeah, now I see what your issue is! I didn't realize, that the 'WAN address' alias can not be used in NAT 1:1.

You will have to go with normal port forwarding. There you can select 'WAN address' from the destination droptown, which works with the dynamic IP.

The outbound NAT is set anyway correctly to the single WAN address.

@j-sejo1 If I have to pay , I'm going Untangle all in. I got also the Sophos option but is not my favorite currently.
But indeed I can't run service in a playground environment. Production or home stuff. I need less features but reliability from a firewall ,

@gertjan
thanks for responding gertjan..

I do basic troubleshooting the problem is whenever I try to download a files its stop downloading every 1min.

sample.PNG

@johnpoz said in Port forwarding not working:

Same thing happened when I got new car - radio channels not setup like I like them, my seat was in the perfect position before. Had to redo all that stuff - wtf! ;)

🤣

I've spent a couple of days figuring out a solution of my problem.
I hope that this post will spare someone else many hours of frustration. ;)

By changing the Tomcat (ver 9.0.31) server.xml settings so that the <Connector> used by my HTTPS-server uses...

protocol="org.apache.coyote.http11.Http11Nio2Protocol"

and not...

protocol="org.apache.coyote.http11.Http11NioProtocol"

... the POST of files using HTTPS (I'm using "Let's Encrypt") works perfectly!

(It seems to work with any NAT reflection combinations as well.)

@bingo600 said in DMZ - 1:1 NAT , and also "Hybrid":

Aliases/VIP*s should not be in TFW IMHO.

They aren't. Not Aliases. But VIPs are ON THIS firewall, so it fits the description and the docs to the letter. All IPs that are on interfaces on that firewall. So that matches.

In fact an Alias belongs to TFW ... I had just hoped with an 1:1 Nat on it it would not ...

It still does but if you have defined a BiNAT entry, then the IP gets rewritten FIRST and thus no longer matches "this firewall" as the packet now is destined for the internal IP and has to match it. But it's way too easy to make errors that way so just define the IP you want to match (either by WAN address or by selecting the VIP you want) and use that in NAT/Rules so you're safer that way :)

Also move the WebUI port away from 443 and disable the auto redirect for it, that safes many headaches! We recommend using 4443 and explicitly blocking that on WAN-style interfaces can help avoid the "oopsie" of presenting your webUI to the world :) The rule is just a bonus though as you don't commonly have 4443/tcp allowed inbound anyways.

@fireodo thanks for the info.

Didnt upgrade yet since the initial feedback was very buggy...

@viragomann Understood, Thank you so much for the info.

@konikv
You're probaly looking for that: NAT with IPsec Phase 2 Networks

@operator2024 Hi
I have same situation, no matter what I do I can't get a second phase 2 to come up when it uses a subnet that doesn't directly exist on a local interface.
could you please tell me what exactly you did so i can compare with my conf

in my case i have
Palo Alto --- IPsec ---- Pfsense --- IPsec --- AWS

Pfsense --- IPsec ---- Pfsense --- IPsec --- AWS

both don't work
could you please help

@viragomann This was the solution. Thank you so much!

@slu Yes dude, tks

@saeed WELCOME Pfsense CE

I use Pfsense since 2.2.X

This type of failure in the essence of a firewall, did not occur. = (