• 0 Votes
    41 Posts
    12k Views
    johnpozJ
    Not sure if possible with udp.. And have never tried it with tcp either.. It is listed as an option, but not sure on the details of that option. We can call in maybe @Derelict he would have better understanding here of these options. I would think ;)
  • webrtc

    17
    0 Votes
    17 Posts
    3k Views
    DaddyGoD
    @jacquesh said in webrtc: basically, anything but Symmetric NAT
    I found this yet, pls. read Jimp's response (second answer) about symmetric NAT, so you're not in a good position... https://forum.netgate.com/topic/57370/symmetric-nat
    - a correct description of the VMS is required to assign static ports (I would ask this from the VMS developers)
    - or, as I suggested, 1:1 NAT
  • Response from internal machine after forwarding

    1
    0 Votes
    1 Posts
    256 Views
    No one has replied
  • Can't access DLNA Server from WAN through VPN

    12
    0 Votes
    12 Posts
    3k Views
    J
    Check this out, it is a really easy way to get your DLNA server reachable through your VPN connection: https://youtu.be/dx2gHOnEpo4
  • NAT Forward LAN from HTTPS to 1443

    6
    0 Votes
    6 Posts
    523 Views
    M
    @viragomann OK, so delete the LAN rule and on the WAN rule just enable the NAT reflection. I'll try that then. Mat
  • Port forwarding on a LAGGed WAN interface

    3
    0 Votes
    3 Posts
    410 Views
    M
    @derelict Dumb fix fixed it, had to remake the NAT rules for whatever reason.
  • [PFsense 2.4.3] NAT not working on CARP backup instance

    7
    0 Votes
    7 Posts
    521 Views
    A
    @viragomann Thank you, I'll try that quickly. For information, one ping is OK and after that nothing, but with this behaviour I think the conf seems to be correct....
  • Inside connection to domain

    lan connection
    3
    0 Votes
    3 Posts
    860 Views
    S
    @kiokoman Awesome. That's what worked and needed. Grateful for that. Happy new year :)
  • Accessing ONVIF cameras on OpenVPN tunnel

    5
    0 Votes
    5 Posts
    2k Views
    johnpozJ
    Since you're accessing via IP, DNS had nothing to do with it. But a wrong setting for your LAN network in the OpenVPN settings, yeah, that would do it. 10.0.0.1/24 is a host address, not a network. So yeah, that wouldn't have worked.
  • How to implement Static Routing with Dual Layer Firewalls?

    4
    0 Votes
    4 Posts
    527 Views
    NogBadTheBadN
    @mrpatrick If the outer firewall connects to the internet it would need to NAT local addresses.
  • Problems with NAT

    4
    0 Votes
    4 Posts
    478 Views
    S
    Thank you both. I knew I had missed something. Cheers. To anyone else reading this: on an Ubuntu server hosting a service such as Plex or Emby, the UFW entry I made was as follows:
    sudo ufw allow in on <your interface used> to any port 32400 proto <what the service protocol required> comment '< in this case its for plex, "plex External connection">'
    Thank you very much again, please mark this as closed.
  • pfsense will not let me go to a site that uses port 80

    4
    0 Votes
    4 Posts
    502 Views
    GertjanG
    @cke Except for the first, all your NAT rules are not needed / related to the access of a.site.net. You can remove them. Again: right after, when you installed pfSense, before you started to change / add things, the access to a.site.net was working fine. Side thought: really? An http (non-SSL) site? Do they still exist?
  • Why is NAT Reflection not a good thing?

    46
    0 Votes
    46 Posts
    14k Views
    L
    @johnpoz I was reading this old thread and was amazed that the reverse proxy wasn't mentioned earlier. Although I have some issue related to this post as well. Let me explain my situation: I am 1 step further, I set up a reverse proxy that does a lot, all on port 443. It has several web services on separate servers behind it, also SSH, some protected with a client cert, and I even got RDP working in sort of a poor man's RDP gateway, so yes, I can RDP to multiple machines by connecting to the same address.
    Some fictive examples:
    abc.example.com:443 --> webserver 1
    xyz.example.com:443 --> webserver 2
    def.vpn.example.com:443 --> webserver 3, also you need a client cert to connect.
    aaa.ssh.example.com:443 --> ssh to a server
    rdp.example.com:443 --> rdp to several servers, when you connect your user name should be formatted: servername\username
    Now all works as designed, but when I am on my LAN I want to connect to the same addresses internally as I do from outside. For some reason NAT reflection broke after some update of pfSense and I never got it working again. When I connect from inside it is reflected to the right server but it serves the certificate of my ISP's modem?? Which is strange because that cert is only in the modem, not in the pfSense box. I enabled HSTS in all connections in the reverse proxy, so because of the cert issue I cannot connect from inside (if I turn that off it works with the wrong cert, so you get nasty messages). Also, using the internal DNS trick to skip the NAT reflection hack altogether will not work because I am used to using all services on port 443. However, all servers have their services configured on all kinds of ports, so I would have to start remembering what to connect to on which port when using the DNS solution. Any idea how come my modem cert is showing when using NAT reflection?
    Oh yeah, one last important thing: the modem is not in bridge mode, it is just routing as well, and I have put my pfSense box in the DMZ of the modem to forward everything to the pfSense box and let that do its thing. Like I said, it worked for years and broke with pfSense version 2.4.5.
  • Port Forwarding into Docker Containers not working

    9
    0 Votes
    9 Posts
    3k Views
    dragoangelD
    @johnpoz then please check this topic https://forum.netgate.com/topic/159354/pfsense-2-5-0-a-20201127-0650-nat-issues/1 and you will get a fresh new experience
  • Port forwarding nto working in LAN source

    4
    0 Votes
    4 Posts
    589 Views
    V
    @jmaurin said in Port forwarding nto working in LAN source: But I may know why. I'm using 2 NAT's (unfortunately). I cannot think of anything that your former OpenWRT could have done here to make it work without knowing your real public IP. If abc.domain.com resolves to the ISP router's external IP, NAT reflection must be done at the external router. If that is not possible and you cannot use split DNS, your only option will be to clone your NAT rules to your internal interface(s). To make it work if both server and client are connected to the same interface of pfSense, you will additionally need an outbound NAT rule for this server.
  • Not sure how to setup a static port rule to my remote VoIP provider.

    2
    0 Votes
    2 Posts
    350 Views
    No one has replied
  • PPoE forwarding on LAN

    2
    0 Votes
    2 Posts
    439 Views
    stephenw10S
    Mmm, that is odd I would not expect you to be able to do that. It would be much better to run a separate link to the ISP from the Fritz box. Otherwise you might be able to bridge the WAN interface to the link to the Fritzbox. That's probably not going to work if it's WAN and LAN. Steve
  • Can I use 1:1 NAT to disguise a single internal host?

    1
    0 Votes
    1 Posts
    334 Views
    No one has replied
  • VOIP SIP custom port from WAN and LAN

    1
    0 Votes
    1 Posts
    330 Views
    No one has replied
  • Two NAT rules same port

    2
    0 Votes
    2 Posts
    403 Views
    V
    @davidfungf Basically the first match wins. So if you put your second rule to the top of the rule set it will match for the specified IP and the other one for all others.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.