@johnpoz I recreated the Nat rule i was successful in getting this to work, currently monitoring the connection. Thanks for your effort, Thanks

Works by doing the NAT configuration on the IPsec Phase 2 and a static route to the remote subnet pointing to inside interface. NAT with IPsec Phase 2 Networks Routing and gateway considerations Thank you so much, @viragomann.

Despite extensive testing before release it's still possible to hit this in 2.5.1 CE but not as far as we know in 21.02.2 (Plus). Though it's unclear what the difference there is. https://redmine.pfsense.org/issues/11805 Steve

@gertjan Thank you so much for the support! My mistake was to put the start and end port different in this case, on other firewalls it works like this. Thanks again and have a nice day!

actually it was a pfsense update problem: https://redmine.pfsense.org/issues/11805 update to 2.6.0 and its fine now. hope they release a hotfix for stable version soon.

Have you tried to remove the GW's on the rules and let the FW handle them by itself?

@michael_kappler https://redmine.pfsense.org/issues/11436#note-56 FYI

I wouldn't because, in my view, that complicates things. You have two services that need http and https. You have to pic one for each port. In a virtual server setup you can serve http and https depending on the host name request. 1 server > 2 websites Unfortunately you have... 2 servers > 2 websites (your firewall http and your nextcloud http) This is why you need to (again, in my view): 1 - Go to: system > advanced > change your port to something else, like me. I serve it on port 10000 Note: You will want to first make a firewall rule to allow port 10000 on your WAN. Firewall > Rules > Floating allow any to 10000 TCP [image: 1618278960841-3df86e09-c752-41f5-bf25-5defabacc795-image.png] Here's the advanced web port change. [image: 1618278852186-ee4e99d8-2824-4902-bda3-ab02085fdfb9-image.png] Once you change your web port on your firewall from http port 80 /https port 443 > you've free'd those up to be used on something else. Now you're doing http/https on port 10000 :-) Now you can make a NAT rule: firewall > nat > that says, anything from your WAN on http port 80 and https port 443 > go to your private IP 192.168.1.whatever (or whatever private IP's you're using). Hope that helps. That's how we've done these things in the past. Not using standard ports on your firewall for web management helps cut down on the BS even though they'll find you eventually. 10000 is a common port used in web servers as is 8080, and many others. Alternatively, you could host your nextcloud on an alternative port too like 4434 or something and NAT 4434 > 443 on your private LAN side too. That would maintain the firewall defaults BUT we've found when publishing your owncloud URL that people will often hit the firewall interface not knowing they need to type in https://ip_address_here:4434 ...so it can get confusing. Always take a backup of your firewall before making and testing these changes :)

1:1 nat appears to be working to give my server one of those static addresses [image: 1618265241800-screen-shot-2021-04-12-at-3.04.46-pm.png] [image: 1618265248511-screen-shot-2021-04-12-at-3.05.43-pm.png]

@resortowner25 Check their documentation. https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html Netgate also made a more current video about this configuration. https://www.youtube.com/watch?v=iFAuK_m7JxE

@dardou Since both NAT rules handles different unique destination addresses they do not overlap. If another public IP (let's say 122.0.0.0.4) comes in to 200.0.0.1/9999 Both rules don't match to this. The first has a different destination IP and the second is restikt to a uniqe source IP which does not match to this. The filter rules come into play after NAT.

https://redmine.pfsense.org/issues/11436

I don't think it's going to work to have the same public IP subnet on both the router WAN and the DMZ. It won't know where to route. I think you'll need to use 1:1 NAT to forward the IPs to the DMZ servers. re: outbound NAT try Source: IPofServer1/32 Destination: any (the Internet) NAT Address: publicIPofServer1 Also remember to set up firewall rules on the DMZ network allowing access out. They only exist by default on LAN.

Perhaps using pfctl or something?? Need some help in this issue. Thanks.

@xeba idk, could be a combination of this https://redmine.pfsense.org/issues/11716 https://redmine.pfsense.org/issues/11568