• NAT 1:1, see traffic on LAN, not on WAN

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • Cannot Forward Port 80 to Web Server

    11
    0 Votes
    11 Posts
    869 Views

    @gertjan Thank you very much. The Host Override did the job. I also found that I might have the wrong DNS Resolver settings: I set both the "Network Interfaces" and "Outgoing Network Interfaces" to All.

    However, I do not understand why I cannot use Scenario 3 to access the website. The "Host Override" option in the DNS Resolver overrides the public IP address with the web server's local IP, making it Scenario 2.

  • NAT 1:1

    2
    0 Votes
    2 Posts
    400 Views

    1:1 says any packets for public_IP get sent to a specific private_IP. So the 3CX server would have a private IP.

    Also https://www.3cx.com/docs/pfsense-firewall/#h.gk510hqliu0g says 1:1 doesn't work for 3CX. :)

  • WAN->Port forward->openVPN Client

    8
    0 Votes
    8 Posts
    1k Views

    @natem said in WAN->Port forward->openVPN Client:

    @viragomann

    @viragomann So I was just about to reply as I was having trouble getting more than one connection at a time, but it looks like I got it. Figure I'll upload a screenshot for anyone else.


  • NAT reflection not working to access dockers UI via own domain on LAN

    7
    0 Votes
    7 Posts
    2k Views

    @johnpoz

    Thanks a lot for the help, I've been able to understand my setup even more and completely fixed my issue.
    Take care.

  • Strange Gaming Port Forward Situation

    2
    0 Votes
    2 Posts
    281 Views

    This resolved the issue but I don't know if this is a safe method. Can someone explain what risks or vulnerabilities I have opened by enabling this? I also have Pure NAT enabled.

  • Outbound NAT IPv6?

    1
    0 Votes
    1 Posts
    274 Views
    No one has replied
  • Opening all ports for opt1 nic.

    4
    0 Votes
    4 Posts
    359 Views
    Gertjan

    @dph
    Ok, so inbound.

    Well, a NAT rule on pfSense is a NAT rule as on every e*@!#& router on earth. pfSense doesn't change or add anything to that.
    The good thing about pfSense is that it has a good manual about NATting. It won't teach you what NAT is, it tells you how to do it.

    You need to know if your 'device' (tv decoder) needs to have port(s) to be opened. What's in the manual of that tv box ?? What does the ISP say ? Or the company from the box ?
    Something very (highly !!) unusual these days : opening ports for a tv thing..
    It's the box that gets the information from its 'TV' servers, these servers are not pushing traffic to your box.

    Basically, you have to open ports when you start to host something that needs to be accessible from the Internet, or parts from it.

    On the other hand, I do have a TV box that actually only works with my 'ISP' router.
    Because that stupid thing uses a special VLAN configuration and g*d knows what other strange configurations. So, fine to me : behind my ISP router I have 2 devices : this TV box and pfSense.

    This is what I mean : https://forum.netgate.com/topic/150063/adsl-orange-pas-de-tv-%C3%A0-travers-pfsense - don't bother translating it : it's just a lot of pain ..... The issue was solved, of course.

    Like https://wiki.virtit.fr/doku.php/kb:linux:pfsense:remplacer_sa_box_orange_par_un_pfsense

    Take note : this is what I qualify as 'expert' usage.

  • Multi-LAN virtual ip Multi-Wan getways NAT

    1
    0 Votes
    1 Posts
    191 Views
    No one has replied
  • One IP not communicating across connected networks.

    4
    0 Votes
    4 Posts
    438 Views
    johnpoz

    I see that snmp traffic in your first sniff - coming from your 10.20.21 network to port 161, and see no answer. So the device is not answering.. Not an issue with pfsense.

    Also see pings in that first sniff from your 10.20.21 network - and no answer. So again not a pfsense issue. Maybe the device firewall got turned back on..

    Or maybe it lost its gateway..

    edit: Ah or maybe its mask is wrong? Why are you seeing ARP from it for 10.20.21.1?? It would only ARP if it thought that IP was in its network.

    See it also ARPing for an IP on 10.10.. Does it think the mask is /8?

  • communicate multiple networks

    1
    0 Votes
    1 Posts
    300 Views
    No one has replied
  • Translate VPN traffic to LAN clients for remote access

    1
    0 Votes
    1 Posts
    268 Views
    No one has replied
  • Force local traffic out of WAN

    6
    0 Votes
    6 Posts
    532 Views

    @johnpoz Ah, I didn't mean to include the word 'Reflection' there - I was meaning the idea of keeping the traffic internal in that statement (which shows I needed to beef up my understanding a bit more!). After doing some more research, I tend to agree that reflection is perhaps not the best idea.
    Something for me to think a bit more about. Thanks for the input as well @AndyRH - it has helped to direct my research 😊

  • NAT 1:1 to VIP

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • 0 Votes
    20 Posts
    2k Views

    @johnpoz Exactly, I can access my services either using their local LAN IP or using DDNS (NAT reflection) when using NAT+proxy but not when using pure NAT. I have read that pure NAT is better than NAT+proxy and I would also need it once Netgate fixes this issue: (https://redmine.pfsense.org/issues/7727), and those are the two reasons why I need and want to use pure NAT.

  • 2.5: UPnP still broken if WAN has a private IP

    2
    0 Votes
    2 Posts
    386 Views
    jimp

    That's a limitation in miniupnpd itself, as far as I'm aware they haven't added a way to disable that check. They added some related things to help pf use specific addresses to work around it, but it still won't let you use a private address directly on the WAN.

    Need to raise the issue again with miniupnp and see if they will add a daemon or config file option to disable that check.

  • Port forwarding from Local network connected to WAN of PFsense

    2
    0 Votes
    2 Posts
    334 Views

    The issue was due to blocking private networks on the WAN interface.

    I disabled the Block private network under Reserved networks and everything is working as expected now.


    Hope this helps anyone else that experiences a similar problem.

  • NAT issue after 21.02 upgrade

    4
    0 Votes
    4 Posts
    772 Views

    To update this post:

    I have upgraded Netgate SG-3100 to newly released v.21.02-p1 and also upgraded the unbound package to the unbound-1.13.1 with:

    pkg upgrade -fy unbound; pfSsh.php playback svc restart unbound

    Unfortunately, all the NAT issues came back again. HAProxy does not respond on the HTTPS port from outside the LAN network, and Xbox NAT status changed to closed again even though both are using the same port forwarding settings that I had in the previous version 2.4.5p1.

    I have reloaded v.2.4.5p1 again with the same port forwarding setting, and everything started working again. Xbox NAT status is Open, and HAProxy correctly working from WAN.

  • 1 to 1 NAT Forwarding Problem After Upgrading to 21.02-p1 on SG-5100

    Moved
    1
    0 Votes
    1 Posts
    166 Views
    No one has replied
  • 0 Votes
    1 Posts
    858 Views
    No one has replied