• Hosting nextcloud behind 1 WAN

    4
    0 Votes
    4 Posts
    611 Views
    W
    I wouldn't because, in my view, that complicates things. You have two services that need http and https. You have to pick one for each port. In a virtual server setup you can serve http and https depending on the host name request. 1 server > 2 websites. Unfortunately you have... 2 servers > 2 websites (your firewall http and your nextcloud http). This is why you need to (again, in my view): 1 - Go to: system > advanced > change your port to something else, like me. I serve it on port 10000. Note: You will want to first make a firewall rule to allow port 10000 on your WAN. Firewall > Rules > Floating allow any to 10000 TCP. Here's the advanced web port change. Once you change your web port on your firewall from http port 80 / https port 443 > you've freed those up to be used on something else. Now you're doing http/https on port 10000 :-) Now you can make a NAT rule: firewall > nat > that says, anything from your WAN on http port 80 and https port 443 > go to your private IP 192.168.1.whatever (or whatever private IPs you're using). Hope that helps. That's how we've done these things in the past. Not using standard ports on your firewall for web management helps cut down on the BS even though they'll find you eventually. 10000 is a common port used in web servers as is 8080, and many others. Alternatively, you could host your nextcloud on an alternative port too like 4434 or something and NAT 4434 > 443 on your private LAN side too. That would maintain the firewall defaults BUT we've found when publishing your owncloud URL that people will often hit the firewall interface not knowing they need to type in https://ip_address_here:4434 ...so it can get confusing. Always take a backup of your firewall before making and testing these changes :)
  • ATT fiber /29 block use with pfsense

    8
    0 Votes
    8 Posts
    3k Views
    C
    1:1 nat appears to be working to give my server one of those static addresses
  • Port forwarding - Add associated filter rule - missing tagging option.

    1
    0 Votes
    1 Posts
    248 Views
    No one has replied
  • Port Forward on SG-3100

    2
    1 Votes
    2 Posts
    374 Views
    T
    @resortowner25 Check their documentation. https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html Netgate also made a more current video about this configuration. https://www.youtube.com/watch?v=iFAuK_m7JxE
  • NAT/PAT and associated filter rules

    2
    0 Votes
    2 Posts
    333 Views
    V
    @dardou Since both NAT rules handle different unique destination addresses they do not overlap. If another public IP (let's say 122.0.0.0.4) comes in to 200.0.0.1/9999, both rules don't match this. The first has a different destination IP and the second is restricted to a unique source IP which does not match this. The filter rules come into play after NAT.
  • multi wan port forwarding is broke in PRO version

    4
    1 Votes
    4 Posts
    523 Views
    jimp
    https://redmine.pfsense.org/issues/11436
  • /30 nat on DMZ

    3
    0 Votes
    3 Posts
    440 Views
    S
    I don't think it's going to work to have the same public IP subnet on both the router WAN and the DMZ. It won't know where to route. I think you'll need to use 1:1 NAT to forward the IPs to the DMZ servers. re: outbound NAT try Source: IPofServer1/32 Destination: any (the Internet) NAT Address: publicIPofServer1 Also remember to set up firewall rules on the DMZ network allowing access out. They only exist by default on LAN.
  • Disable/enable nat 1:1 from cli.

    2
    0 Votes
    2 Posts
    260 Views
    gilbertonunes33
    Perhaps using pfctl or something?? Need some help in this issue. Thanks.
  • UDP packets randomly natted to wrong ip address

    6
    0 Votes
    6 Posts
    537 Views
    kiokoman
    @xeba idk, could be a combination of this https://redmine.pfsense.org/issues/11716 https://redmine.pfsense.org/issues/11568
  • Port forward worked before Public IP change

    1
    0 Votes
    1 Posts
    220 Views
    No one has replied
  • Nat mapping too much to cause leak ?

    3
    0 Votes
    3 Posts
    411 Views
    D
    @viragomann Thanks for the explanation. appreciated.
  • multiple WAN IP SNAT after port forward

    5
    0 Votes
    5 Posts
    492 Views
    G
    @derelict thanks a lot
  • VLAN to LAN to remote?

    2
    0 Votes
    2 Posts
    326 Views
    V
    @summer The best way to do it is to add the VLAN to the remote OpenVPN settings to add the route, but if I understand you correctly, that's not an option for you. So yes, you can go with masquerading. Rules can be added on the outbound NAT tab. If the outbound NAT is still working in automatic mode, switch to hybrid first and press save. Then add a new rule with settings like these: interface: <the VPN interface>; source: select 'network' and enter the alias you've set for the permitted clients; destination: <the remote LAN>; translation: interface address. This presumes that the tunnel subnet is routed to the VPN endpoint on the remote site (that it's the default gateway). Otherwise you may use any unused IP out of the LAN subnet. Also ensure that there is a firewall rule in place on the VLAN which allows the traffic to the remote LAN.
  • VOIP security with AVM Fritzbox

    1
    0 Votes
    1 Posts
    292 Views
    No one has replied
  • RTSP and NAT

    2
    1 Votes
    2 Posts
    1k Views
    E
    @pkx232c I think that pfSense does not spoof the RTCP traffic and does not define a NAT or a port forwarding. What is needed is spoofing the RTCP traffic and setting up a NAT or forwarding for the "client_port" in the RTCP-SETUP message. As I have seen, other firewalls do this. I have found the same tool (designed for OPNSense) and I hope for a solution on pfSense!
  • DNAT for RTSP (RTCP) not working

    1
    1 Votes
    1 Posts
    386 Views
    No one has replied
  • Port forward through vpn

    17
    0 Votes
    17 Posts
    2k Views
    A
    @viragomann thanks a lot for helping out
  • Not able to route through non-default WAN

    dual wan routing default route
    3
    0 Votes
    3 Posts
    774 Views
    Oceanwatcher
    @serbus Just saw the latest video from Tom Lawrence and it seems to be a bug in the software we are using. So the solution will be to roll back.
  • port forward 80 not working

    2
    0 Votes
    2 Posts
    343 Views
    G
    I remember doing the upgrade 15.03.2021 from 2.4.5-RELEASE-p1 (amd64) built on Tue Jun 02 17:51:17 EDT 2020 FreeBSD 11.3-STABLE to 2.5.0-RELEASE (amd64) built on Tue Feb 16 08:56:29 EST 2021 FreeBSD 12.2-STABLE Before that, however, I made a backup of the whole image. Now I have restored pfsense from backup and everything works. Now I'm afraid to upgrade because it will go wrong again. There will probably be a bug in version 2.5.0
  • Replies blocked for port forward outside default route

    1
    0 Votes
    1 Posts
    282 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.