• NAT packets rewrite source IP for mail logs

    5
    0 Votes
    5 Posts
    762 Views
    boss2908B
    @gertjan Thanks again for taking the time to communicate your thoughts. I have no aversion whatsoever about the placement of a mailserver in full view of the Internet. The choice to place it behind a router is purely the desire to have a device that can turn a single public IP address into a multi-destination relay of traffic. Different protocols making use of that public IP address are better served by specific equipment/software on the inside. As you point out, all inbound TCP/SMTP 25 traffic has no requirement or logical reason to have the packet headers rewritten (disguised), i.e. inbound NAT is not even the key factor here. Maybe an elaboration would help you to understand what my mind is processing.

    First location - one public IP address. The boundary router is an AR129 Huawei product supplied by the ISP. There are several internal machines using the connection to the internet. There is a mailwash server using the WAN IP as an MX address in DNS. The direction of TCP/SMTP 25 packets is done by settings within that router. Those settings are: NAT > Port Forwarding > TCP/SMTP 25 > Mailserver 25. Those packets are delivered to the mailserver without rewriting the packet header. That behaviour is not an optional setting. That port forwarding is not possible by any other means in that router. It might be reasonable to assume that TCP/SMTP 25 inbound packets are not having the headers rewritten by design, i.e., it cannot be deemed necessary.

    Second location - 1 primary public IP address + subnet/29 (8) mapped IP addresses. The boundary router is an AR129 Huawei product (and the primary WAN IP address). There is another boundary router being the pfSense virtual device; it has 6 NICs: 4 x WAN that service 4 of the 5 available IP addresses in the subnet/29 block, 1 x LAN address that is on the 192.168/24 subnet, 1 x DMZ address that is on the 10.179/24 subnet. If I use the AR129 Huawei (NAT > Port Forwarding) = NO SMTP rewritten headers. BUT that is just one public address, without rewritten inbound headers. If I use the pfSense router (NAT > Port Forward) = all SMTP headers are rewritten. BUT that handles 4 public IP addresses, therein is the trade-off.

    I did think I was pretty smart to get a configuration that could pass 4 public IPs through to a dynamic multi-dimensional facility. The capability of the pfSense router was not rated so much for protection from the internet, as it was for the pure compactness and configurability of the routing. I had variously dabbled with a Linux box with multiple NICs but that was much more cumbersome than the pfSense experience that I currently use. Hence my goal here is to pick the brains of the obvious pool of knowledge, to see if there is some way (even undocumented) to disable the header rewrite on inbound port forwarded TCP/SMTP packets. I am hoping that the proprietary routers are an indication that it is the more prevalent mode. Regards, Graham
  • 1:1 NAT through Open

    3
    0 Votes
    3 Posts
    401 Views
    E
    Thank you @viragomann, that did the trick! For anyone who is interested, here are my notes:
    1. On relay, outbound NAT set to Manual; relay rule for 192.168.130.0/24 uses WAN address for NAT; 1:1 is set up on relay, mapping x.146 to 192.168.129.11. Result: ip shows as .139
    2. Same as above, except outbound NAT mode set to disabled. Result: no outbound traffic
    3. Reset to first configuration. Disabled outbound NAT on router. Result: ip shows as .146!
    4. Re-enabled outbound NAT on router, but disabled it for the 129.0/24 network
  • Can´t access wan to lan

    8
    0 Votes
    8 Posts
    854 Views
    N
    @viragomann said in Can´t access wan to lan:
    @naksu said in Can´t access wan to lan: what do you think this looks like? :)
    Not clear if you really need to open 55000-57000. That's a quite wide range, but you may know what you're doing here.
    probably need to shrink the area
    @naksu said in Can´t access wan to lan: Do I need to make a new NAT rule if I want to access my laptop (LAN IP 192.168.0.xxx) to the WAN IP which will redirect it to .200?
    Just using the internal IP from LAN is not an option for you?
    yes it's on, but I'd like to use a domain name
    If you access the destination from the internet by using a hostname you can add a host override to your internal DNS. Otherwise you can try to go with NAT reflection. You can enable it in the NAT rules or globally in System > Advanced.
    Thanks for the help, I will try that :)
  • TLS 1.2 Certificate

    3
    0 Votes
    3 Posts
    452 Views
    C
    @jegr Yeah, I am confused as well, coz my understanding is TLS is the predecessor of SSL. Maybe I don't get what the client told me. [image: Screen Shot 2020-12-09 at 6.37.49 PM.png]
  • [SOLVED] Unable to route outband NAT via Virtual IP

    2
    0 Votes
    2 Posts
    297 Views
    E
    Aaaaaaaaaaaand found it myself after RTFM... :-) To anyone else: Interface is set to LAN in my picture, which it shouldn't. Interface should be WAN, it's translated from the WAN interface that has the virtual IP. Doh.
  • Connect to bridged DSL modem (not PPPoE)

    29
    0 Votes
    29 Posts
    9k Views
    R
    @gurpal2000 does this still work? I tried some variations on this theme and none worked. I could never get the alias to stick on the WAN. But if I read the intent correctly, the NAT is taking 192.168.3/24 and translating it to 192.168.3.100/32. So maybe any address in 192.168.3/24 will translate to 192.168.3.100. I eventually had to go with a static assignment to the WAN to get to the modem GUI along with a slightly different static NAT. So that needs to flop back and forth between DHCP and STATIC depending on whether you need internet or access to the GUI. OK for debugging I suppose - and what it's typically needed for.
  • External scan not showing 443 open port

    4
    0 Votes
    4 Posts
    461 Views
    johnpozJ
    If the port wasn't open then you wouldn't be able to access it at all. Do a sniff on pfSense when you do your port scan.. Do you have more than 1 WAN? Are you running a reverse proxy on pfSense? I take it these sites are public - you want to post up one so we can see what you mean by slow, etc. If you don't want to post it.. PM me the site and I will do some testing from here.
  • Trouble with firewall/NAT to allow remote Blue Iris access

    15
    0 Votes
    15 Posts
    5k Views
    S
    That would be my guess as well, that it aborted on that rule. Pretty sure the email notifications will alert on those types of things, as well as invalid aliases and the like (those I know appear in the GUI), so you might want to set that up in System/Advanced/Notifications in case it happens again.
  • Weird nat issue...

    2
    0 Votes
    2 Posts
    330 Views
    E
    Disregard post, problem is unrelated to nat. Web server private IP was banned by pfsense.
  • Outbound NAT to child VLAN

    1
    0 Votes
    1 Posts
    301 Views
    No one has replied
  • NAT Port Forwarding Issue

    3
    0 Votes
    3 Posts
    406 Views
    C
    @Gertjan yup that is correct. Looks like I found my issue though. Even though I applied the Plex settings numerous times to specify a manual port, it never properly saved I guess. I reapplied a manual port after about an hour of properly setting the firewall/nat settings how I think they should have been and it stuck this time around. Despite having the same set up when trying to do it before. So not sure if it was Plex not taking the port or me not waiting long enough after the initial config but it’s all good now.
  • Port forward to internal IP, but only for VPN clients?

    4
    0 Votes
    4 Posts
    448 Views
    johnpozJ
    DNS is not port specific. Internally if you want to post something or read something from mycompany.com it doesn't matter what the port is. On the outside mycompany.com would resolve to your public IP.. The client or URL you use is what would add the :xyz (port). So externally you end up hitting https://1.2.3.4:789/blahblah. Internally it would just resolve to 192.168.0.2, so now you would really be going to https://192.168.0.2:xyz/blahblah. The DNS is just what the FQDN resolves to.. Your client or application or whatever, bookmark, etc. that creates the URL would still have its port in it. If your VPN client is using your internal DNS and resolves mycompany.com to 192.168.0.2 that is where it would go.
  • VM to VM over LAN through pfSense VM not working.

    1
    0 Votes
    1 Posts
    250 Views
    No one has replied
  • Enable http port while dnsbl is active

    2
    0 Votes
    2 Posts
    262 Views
    V
    That should not conflict. If you have multiple internal subnets connected to pfSense interfaces, check if the webserver is accessible from another subnet. Otherwise use Diagnostic > Packet Capture on WAN to see if packets arrive on your WAN interface.
  • NAT 1:1 not connecting to repositories.

    1
    0 Votes
    1 Posts
    258 Views
    No one has replied
  • Having issues forwarding a UDP port, but TCP works fine.

    nat tcpdump udp
    1
    0 Votes
    1 Posts
    419 Views
    No one has replied
  • www address not reachable, only local ip of server

    2
    0 Votes
    2 Posts
    307 Views
    bingo600B
    @pooperman Maybe have a look here https://forum.netgate.com/topic/158485/access-to-public-ip-from-inside /Bingo
  • Access to public IP from inside

    4
    0 Votes
    4 Posts
    549 Views
    S
    Is reflection enabled in the NAT rule? You could try restarting the router, I've had to do that on rare occasions.
  • Conditional Outbound NAT

    11
    0 Votes
    11 Posts
    959 Views
    johnpozJ
    So I am clear.. You have some IOT device 192.168.0.X and it tries to talk to 192.168.0.5, which you want to send to 172.168.0.200, but make the source 10.254.0.5.. For starters you would have to have a 192.168.0.5 VIP on pfSense. And then to translate it to 10.254.0.5 you would need another VIP..

    edit: ok, did a simple test of this.. I created a port forward on my LAN interface (you could create a VIP for your IP) that said hey, if you go to 192.168.9.253 on port 5353 send it to 172.16.200.2 [image: 1605726180443-portfoward.png] I then created an outbound NAT that said hey, if you're sending to 172.16.200.2 - use the VIP IP 192.168.100.2 (I already had this for talking to my modem).. [image: 1605726245847-outbound.png] I then generated a simple DNS query on port 5353, the easiest way to just generate some traffic to a specific port on a specific IP.. Sniffing on WAN, since that is where it would go trying to get to some unknown IP on my network.. But with yours you would have a VPN to send it down, etc. So you can see the traffic was sent to 172.16.200.2 from my 192.168.100.2 address..
    12:58:32.127354 IP 192.168.100.2.16046 > 172.16.200.2.5353: UDP, length 49
    12:58:37.139187 IP 192.168.100.2.16046 > 172.16.200.2.5353: UDP, length 49
    12:58:42.150230 IP 192.168.100.2.16046 > 172.16.200.2.5353: UDP, length 49
    So yes, I would think what you're wanting to do is possible just in the GUI - but you would have to create different VIPs for both your inside 192.168.0.x addresses and your 10.200 addresses
  • Migrating from 1:1 NAT to bridged interfaces

    2
    0 Votes
    2 Posts
    268 Views
    D
    Maybe this is clearer: If I
    - create a new interface in pfSense,
    - bridge it to the WAN interface,
    - start to move routable IP addresses from 1:1 NAT (currently pointing to DMZ private addresses) and place them on the bridge,
    will this work? Or will pfSense freak out if IPs from a subnet are on one interface and the others are being 1:1 NATted to another interface simultaneously?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.