@gswhite Oh yeah, now I see what your issue is! I didn't realize, that the 'WAN address' alias can not be used in NAT 1:1. You will have to go with normal port forwarding. There you can select 'WAN address' from the destination droptown, which works with the dynamic IP. The outbound NAT is set anyway correctly to the single WAN address.

@j-sejo1 If I have to pay , I'm going Untangle all in. I got also the Sophos option but is not my favorite currently. But indeed I can't run service in a playground environment. Production or home stuff. I need less features but reliability from a firewall ,

@gertjan thanks for responding gertjan.. I do basic troubleshooting the problem is whenever I try to download a files its stop downloading every 1min. [image: 1619564258577-sample.png]

@johnpoz said in Port forwarding not working: Same thing happened when I got new car - radio channels not setup like I like them, my seat was in the perfect position before. Had to redo all that stuff - wtf! ;)

I've spent a couple of days figuring out a solution of my problem. I hope that this post will spare someone else many hours of frustration. ;) By changing the Tomcat (ver 9.0.31) server.xml settings so that the <Connector> used by my HTTPS-server uses... protocol="org.apache.coyote.http11.Http11Nio2Protocol" and not... protocol="org.apache.coyote.http11.Http11NioProtocol" ... the POST of files using HTTPS (I'm using "Let's Encrypt") works perfectly! (It seems to work with any NAT reflection combinations as well.)

@bingo600 said in DMZ - 1:1 NAT , and also "Hybrid": Aliases/VIP*s should not be in TFW IMHO. They aren't. Not Aliases. But VIPs are ON THIS firewall, so it fits the description and the docs to the letter. All IPs that are on interfaces on that firewall. So that matches. In fact an Alias belongs to TFW ... I had just hoped with an 1:1 Nat on it it would not ... It still does but if you have defined a BiNAT entry, then the IP gets rewritten FIRST and thus no longer matches "this firewall" as the packet now is destined for the internal IP and has to match it. But it's way too easy to make errors that way so just define the IP you want to match (either by WAN address or by selecting the VIP you want) and use that in NAT/Rules so you're safer that way :) Also move the WebUI port away from 443 and disable the auto redirect for it, that safes many headaches! We recommend using 4443 and explicitly blocking that on WAN-style interfaces can help avoid the "oopsie" of presenting your webUI to the world :) The rule is just a bonus though as you don't commonly have 4443/tcp allowed inbound anyways.

@fireodo thanks for the info.

Didnt upgrade yet since the initial feedback was very buggy...

@viragomann Understood, Thank you so much for the info.

@konikv You're probaly looking for that: NAT with IPsec Phase 2 Networks

@operator2024 Hi I have same situation, no matter what I do I can't get a second phase 2 to come up when it uses a subnet that doesn't directly exist on a local interface. could you please tell me what exactly you did so i can compare with my conf in my case i have Palo Alto --- IPsec ---- Pfsense --- IPsec --- AWS Pfsense --- IPsec ---- Pfsense --- IPsec --- AWS both don't work could you please help

@viragomann This was the solution. Thank you so much!

@slu Yes dude, tks

@saeed WELCOME Pfsense CE I use Pfsense since 2.2.X This type of failure in the essence of a firewall, did not occur. = (

@ralf-0 Firewall > NAT > Outbound > Disable Outbound NAT rule generation

SOLVED Thanks for your help, by reading and thinking you helped me find the solution. I found the fail! It was done by myself. I made a new NAT rule 3 weeks ago, in that rule i included port 8282 on block. I tuned the NAT rule, removed 8282 block, viola, all ports that I need to be open is now open: [image: 1618911090323-5da1e541-e972-48d2-98b4-b221fb776202-image.png]