• Wireguard Port forwarding to second PfSense

    1
    0 Votes
    1 Posts
    413 Views
    No one has replied
  • Forwarding HTTP(S) traffic to transparent proxy

    1
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • NAT Port Forward Trouble with 21.02

    1
    0 Votes
    1 Posts
    294 Views
    No one has replied
  • NAT for multi web servers

    10
    0 Votes
    10 Posts
    969 Views
    johnpozJ
    Like I said if the health check that it's doing doesn't work for whatever reason - it thinks the backend is down, then yeah you get a 503.. I never went into looking any deeper to why say the http check doesn't work for ombi service for example.. Because I only have 1 server, there is little need to actually know if it's up or not for loadsharing, etc.
  • Setting up an alias.

    6
    0 Votes
    6 Posts
    569 Views
    A
    Hello. I think the OP asked for specifically an "allow list" at firewall level additionally to the win SFTP server whitelist. Then it means to me he wants to know how best to make an alias in pfSense with multiple IPs that are already whitelisted SFTP side. @Smoothrunnings If you want/can do it manually, you set up an alias with CIDR addresses as you want (either /32, or whatever mask you need, sometimes a whole subnet is preferable, sometimes not depending on your case). Or if you want to automate it, you can use URL aliases (URL link to an automatically generated text file with all IP/CIDR in it, generated by SFP server or something and made accessible through an internal/minimal web server for example). You can check here the full doc as there are more possibilities: https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html And when your aliases are ready, you just need to specify them in "Source address" for your port forward rules to the SFTP server.
  • SIP/VoiP issue

    1
    0 Votes
    1 Posts
    377 Views
    No one has replied
  • DMZ NAT LAN WAN

    1
    0 Votes
    1 Posts
    279 Views
    No one has replied
  • NAT 1:1, see traffic on LAN, not on WAN

    nat
    1
    0 Votes
    1 Posts
    330 Views
    No one has replied
  • Cannot Forward Port 80 to Web Server

    11
    0 Votes
    11 Posts
    934 Views
    T
    @gertjan Thank you very much. The Host Override did the job. I also found that I might have wrong DNS resolver settings: I chose both the "Network Interfaces" and "Outgoing Network Interfaces" to all. However, I do not understand why I cannot use Scenario 3 to access the website. The "Host override" option in DNS resolver overrides the IP address of the public IP to the webserver local IP, making it to Scenario 2.
  • NAT 1:1

    2
    0 Votes
    2 Posts
    415 Views
    S
    1:1 says any packets for public_IP get sent to a specific private_IP. So the 3CX server would have a private IP. Also https://www.3cx.com/docs/pfsense-firewall/#h.gk510hqliu0g says 1:1 doesn't work for 3CX. :)
  • WAN->Port forward->openVPN Client

    8
    0 Votes
    8 Posts
    1k Views
    N
    @natem said in WAN->Port forward->openVPN Client: @viragomann so I was just about to reply as I was having trouble getting more than one connection at a time, but it looks like I got it. Figure I'll upload a screenshot for anyone else [image: 1615761248802-9925b8dc-d601-4a8e-8ab1-ed252e09a9de-image.png]
  • Nat reflection not working to access dockers UI via own domain on LAN

    7
    0 Votes
    7 Posts
    2k Views
    G
    @johnpoz Thanks a lot for the help, I've been able to understand my setup even more and completely fixed my issue. Take care.
  • Strange Gaming Port Forward Situation

    2
    0 Votes
    2 Posts
    285 Views
    M
    This resolved the issue but I don't know if this is a safe method. Can someone explain what risks or vulnerabilities I have opened by enabling this? I also have Pure NAT enabled. [image: 1615338690909-d2fae86f-4fd3-4419-a810-7199a530493f-image.png]
  • Outbound NAT IPv6?

    1
    0 Votes
    1 Posts
    277 Views
    No one has replied
  • Opening all ports for opt1 nic.

    4
    0 Votes
    4 Posts
    369 Views
    GertjanG
    @dph Ok, so inbound. Well, a NAT rule on pfSense is a NAT rule as on every e*@!#& router on earth. pfSense doesn't change or add anything to that. The good thing about pfSense is that it has a good manual about natting. It won't teach you what NAT is, it tells you how to do it. You need to know if your 'device' (tv decoder) needs to have port(s) to be opened. What's in the manual of that tv box ?? What does the ISP say ? Or the company from the box ? Something very (highly !!) unusual these days : opening ports for a tv thing.. It's the box that gets the information from its 'TV' servers, these servers are not pushing traffic to your box. Basically, you have to open ports when you start to host something that needs to be accessible from the Internet, or parts from it. On the other hand, I do have a TV box that actually only works with my 'ISP' router. Because that stupid thing uses a special VLAN configuration and g*d knows what other strange configurations. So, fine to me : behind my ISP router I have 2 devices : this TV box and pfSense. This is what I mean : https://forum.netgate.com/topic/150063/adsl-orange-pas-de-tv-%C3%A0-travers-pfsense - don't bother translating it : it's just a lot of pain ..... The issue was solved, of course. Like https://wiki.virtit.fr/doku.php/kb:linux:pfsense:remplacer_sa_box_orange_par_un_pfsense Take note : this is what I qualify as 'expert' usage.
  • Multi-LAN virtual ip Multi-Wan gateways NAT

    1
    0 Votes
    1 Posts
    193 Views
    No one has replied
  • One IP not communicating across connected networks.

    4
    0 Votes
    4 Posts
    469 Views
    johnpozJ
    I see that snmp traffic in your first sniff - coming from your 10.20.21 network to port 161, and see no answer. So the device is not answering.. Not an issue with pfsense. Also see pings in that first sniff from your 10.20.21 network - and no answer. So again not a pfsense issue. Maybe the device firewall got turned back on.. Or maybe it lost its gateway.. edit: Ah or maybe its mask is wrong? Why are you seeing arp from it for 10.20.21.1?? It would only arp if it thought that IP was in its network. See it also arping for IP on 10.10.. Does it think the mask is /8?
  • communicate multiple networks

    1
    0 Votes
    1 Posts
    312 Views
    No one has replied
  • Translate VPN traffic to LAN clients for remote access

    1
    0 Votes
    1 Posts
    280 Views
    No one has replied
  • Force local traffic out of WAN

    6
    0 Votes
    6 Posts
    595 Views
    T
    @johnpoz Ah, I didn't mean to include the word 'Reflection' there - I was meaning the idea of keeping the traffic internal in that statement (which shows I needed to beef up my understanding a bit more!). After doing some more research, I tend to agree that reflection is perhaps not the best idea. Something for me to think a bit more about. Thanks for the input as well @AndyRH - it has helped to direct my research
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.