• Inside connection to domain

    3
    0 Votes
    3 Posts
    783 Views

    @kiokoman Awesome. That's what worked and needed. Grateful for that. Happy new year :)

  • Accessing ONVIF cameras on OpenVPN tunnel

    5
    0 Votes
    5 Posts
    2k Views
    johnpoz

    Since you're accessing via IP, DNS had nothing to do with it.

    But a wrong setting for your LAN network in the OpenVPN settings, yeah, that would do it. 10.0.0.1/24 is a host address, not a network. So yeah, that wouldn't have worked.

  • How to implement Static Routing with Dual Layer Firewalls?

    4
    0 Votes
    4 Posts
    524 Views
    NogBadTheBad

    @mrpatrick

    If the outer firewall connects to the internet it would need to NAT local addresses.

  • Problems with NAT

    4
    0 Votes
    4 Posts
    466 Views

    Thank you both. I knew I had missed something, Cheers.

    To anyone else reading this:
    on an Ubuntu server hosting a service such as Plex or Emby, the UFW entry I made was as follows:

    sudo ufw allow in on <your interface used> to any port 32400 proto <what the service protocol requires> comment '<in this case it's for Plex: "plex External connection">'

    Thank you very much again, please mark this as closed.

  • pfsense will not let me go to a site that uses port 80

    4
    0 Votes
    4 Posts
    484 Views
    Gertjan

    @cke

    Except for the first, all your NAT rules are not needed / related to the access of a.site.net. You can remove them.

    Again: right after you installed pfSense, before you started to change / add things, the access to a.site.net was working fine.

    Side thought: really? An http (non-SSL) site? Do they still exist?

  • Why is NAT Reflection not a good thing?

    46
    0 Votes
    46 Posts
    14k Views

    @johnpoz
    I was reading this old thread and was amazed that the reverse proxy wasn't mentioned earlier. Although I have some issue related to this post as well.

    Let me explain my situation:
    I am 1 step further: I set up a reverse proxy that does a lot, all on port 443.
    It has several web services on separate servers behind it, also SSH, some protected with a client cert, and I even got RDP working in sort of a poor man's RDP gateway, so yes, I can RDP to multiple machines by connecting to the same address. Some fictive examples:

    abc.example.com:443 -->webserver 1
    xyz.example.com:443 -->webserver 2
    def.vpn.example.com:443 --> webserver 3 also you need a client cert to connect.
    aaa.ssh.example.com:443 --> ssh to a server
    rdp.example.com:443 --> rdp to several servers, when you connect your user name should be formatted: servername\username

    Now all works as designed, but when I am on my LAN I want to connect to the same addresses from inside as I do from outside. For some reason NAT reflection broke after some update of pfSense and I never got it working again. When I connect from inside it is reflected to the right server, but it serves the certificate of my ISP's modem?? Which is strange, because that cert is only in the modem, not in the pfSense box.
    I enabled HSTS on all connections in the reverse proxy, so because of the cert issue I cannot connect from inside (if I turn that off it works with the wrong cert, so you get nasty messages). Also using the internal DNS trick to skip the NAT reflection hack altogether will not work, because I am used to using all services on port 443. However, all servers have their services configured on all kinds of ports, so I would have to start remembering what to connect to on which port when using the DNS solution.

    Any idea how come my modem cert is showing when using NAT reflection? Oh yeah, one last important thing: the modem is not in bridge mode, it is just routing as well, and I have put my pfSense box in the DMZ of the modem to forward everything to the pfSense box and let that do its thing.

    Like I said, it worked for years and broke with pfSense version 2.4.5.

  • Port Forwarding into Docker Containers not working

    9
    0 Votes
    9 Posts
    3k Views
    dragoangel

    @johnpoz then please check this topic https://forum.netgate.com/topic/159354/pfsense-2-5-0-a-20201127-0650-nat-issues/1 and you will get a fresh new experience 😊

  • Port forwarding not working in LAN source

    4
    0 Votes
    4 Posts
    577 Views

    @jmaurin said in Port forwarding not working in LAN source:

    But I may know why. I'm using 2 NATs (unfortunately).

    I cannot think of anything your former OpenWRT could have done here to make it work without knowing your real public IP.
    If abc.domain.com resolves to the ISP router's external IP, NAT reflection must be done at the external router.

    If that is not possible and you cannot use split DNS, your only option will be to clone your NAT rules to your internal interface(s).
    To make it work if both server and client are connected to the same interface of pfSense, you will additionally need an outbound NAT rule for this server.

  • Not sure how to setup a static port rule to my remote VoIP provider.

    2
    0 Votes
    2 Posts
    347 Views
    No one has replied
  • PPoE forwarding on LAN

    2
    0 Votes
    2 Posts
    435 Views
    stephenw10

    Mmm, that is odd. I would not expect you to be able to do that.

    It would be much better to run a separate link to the ISP from the Fritz box.

    Otherwise you might be able to bridge the WAN interface to the link to the Fritzbox. That's probably not going to work if it's WAN and LAN.

    Steve

  • Can I use 1:1 NAT to disguise a single internal host?

    1
    0 Votes
    1 Posts
    324 Views
    No one has replied
  • VOIP SIP custom port from WAN and LAN

    1
    0 Votes
    1 Posts
    321 Views
    No one has replied
  • Two NAT rules same port

    2
    0 Votes
    2 Posts
    403 Views

    @davidfungf
    Basically the first match wins.

    So if you put your second rule at the top of the rule set, it will match for the specified IP and the other one for all others.

  • NAT packets rewrite source IP for mail logs

    5
    0 Votes
    5 Posts
    743 Views
    boss2908

    @gertjan
    Thanks again for taking the time to communicate your thoughts.

    I have no aversion whatsoever to the placement of a mailserver in full view of the Internet. The choice to place it behind a router is purely the desire to have a device that can turn a single public IP address into a multi-destination relay of traffic. Different protocols making use of that public IP address are better served by specific equipment/software on the inside. As you point out, all inbound TCP/SMTP 25 traffic has no requirement or logical reason to have the packet headers rewritten (disguised), i.e. inbound NAT is not even the key factor here. Maybe an elaboration would help you to understand what my mind is processing.

    First location - one public IP address.
    The boundary router is an AR129 Huawei product supplied by the ISP.
    There are several internal machines using the connection to the internet.
    There is a mailwash server using the WAN IP as an MX address in DNS.
    The direction of TCP/SMTP 25 packets is done by settings within that router.
    Those settings are: NAT > Port Forwarding > TCP/SMTP 25 > Mailserver 25.
    Those packets are delivered to the mailserver without rewriting the packet header.
    That behaviour is not an optional setting.
    That port forwarding is not possible by any other means in that router.
    It might be reasonable to assume that TCP/SMTP 25 inbound packets are not having the headers rewritten by design, i.e., it cannot be deemed necessary.

    Second location - 1 primary public IP address + subnet/29 (8) mapped IP addresses.
    The boundary router is an AR129 Huawei product (and the primary WAN IP address).
    There is another boundary router being the pfSense virtual device;
    It has 6 NICs:
    4 x WAN that service 4 of the 5 available IP addresses in the subnet/29 block,
    1 x LAN address that is on the 192.168/24 subnet,
    1 x DMZ address that is on the 10.179/24 subnet.
    If I use the AR129 Huawei (NAT > Port Forwarding) = NO SMTP rewritten headers.
    BUT that is just one public address, without rewritten inbound headers.
    If I use the pfSense router (NAT > Port Forward) = all SMTP headers are rewritten.
    BUT that handles 4 public IP addresses; therein is the trade-off.

    I did think I was pretty smart to get a configuration that could pass 4 public IPs through to a dynamic multi-dimensional facility. The capability of the pfSense router was not rated so much for protection from the internet as it was for the pure compactness and configurability of the routing. I had variously dabbled with a Linux box with multiple NICs, but that was much more cumbersome than the pfSense experience that I currently use.

    Hence my goal here is to pick the brains of the obvious pool of knowledge, to see if there is some way (even undocumented) to disable the header rewrite on inbound port forwarded TCP/SMTP packets. I am hoping that the proprietary routers are an indication that it is the more prevalent mode.

    Regards, Graham

  • 1:1 NAT through Open

    3
    0 Votes
    3 Posts
    398 Views

    Thank you @viragomann, that did the trick!

    For anyone who is interested, here are my notes:

    On relay, outbound NAT set to Manual
    relay rule for 192.168.130.0/24 uses WAN address for NAT
    1:1 is set up on relay, mapping x.146 to 192.168.129.11
    IP shows as .139

    Same as above, except outbound NAT mode set to disabled
    no outbound traffic

    Reset to first configuration.
    Disabled outbound NAT on router
    IP shows as .146!

    Re-enabled outbound NAT on router, but disabled it for the 129.0/24 network

  • Can't access wan to lan

    8
    0 Votes
    8 Posts
    791 Views

    @viragomann said in Can't access wan to lan:

    @naksu said in Can't access wan to lan:

    what do you think this looks like? :)

    Not clear if you really need to open 55000-57000. That's a quite wide range, but you may know what you're doing here.

    probably need to shrink the area

    @naksu said in Can't access wan to lan:

    Do I need to make a new NAT rule if I want to access from my laptop (LAN IP 192.168.0.xxx) to the WAN IP, which will redirect it to .200?

    Just using the internal IP from LAN is not an option for you?

    yes it's on, but I'd like to use a domain name

    If you access the destination from the internet by using a hostname, you can add a host override to your internal DNS.

    Otherwise you can try to go with NAT reflection. You can enable it in the NAT rules or globally in System > Advanced.

    Thanks for help, i will try that :)

  • TLS 1.2 Certificate

    3
    0 Votes
    3 Posts
    435 Views

    @jegr

    Yeah, I am confused as well, coz my understanding is TLS is the predecessor of SSL. Maybe I don't get what the client told me.

  • [SOLVED] Unable to route outbound NAT via Virtual IP

    2
    0 Votes
    2 Posts
    293 Views

    Aaaaaaaaaaaand found it myself after RTFM... :-)

    To anyone else: Interface is set to LAN in my picture, which it shouldn't be.

    Interface should be WAN; it's translated from the WAN interface that has the virtual IP.

    Doh.

  • Connect to bridged DSL modem (not PPPoE)

    29
    0 Votes
    29 Posts
    9k Views

    @gurpal2000 does this still work? I tried some variations on this theme and none worked. I could never get the alias to stick on the WAN. But if I read the intent correctly, the NAT is taking 192.168.3/24 and translating it to 192.168.3.100/32. So maybe any address in 192.168.3/24 will translate to 192.168.3.100. I eventually had to go with a static assignment to the WAN to get to the modem GUI, along with a slightly different static NAT. So that needs to flop back and forth between DHCP and STATIC depending on whether you need internet or access to the GUI. OK for debugging I suppose - and what it's typically needed for.

  • External scan not showing 443 open port

    4
    0 Votes
    4 Posts
    436 Views
    johnpoz

    If the port wasn't open then you wouldn't be able to access it at all. Do a sniff on pfSense when you do your port scan. Do you have more than 1 WAN? Are you running a reverse proxy on pfSense?

    I take it these sites are public - you want to post up one so I can see what you mean by slow, etc.? If you don't want to post it, PM me the site and I will do some testing from here.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.