  • Trouble with firewall/NAT to allow remote Blue Iris access

    0 Votes
    15 Posts
    5k Views

    That would be my guess as well, that it aborted on that rule. Pretty sure the email notifications will alert on those types of things, as well as invalid aliases and the like (those I know appear in the GUI), so you might want to set that up in System/Advanced/Notifications in case it happens again.

  • Weird nat issue...

    0 Votes
    2 Posts
    324 Views

    Disregard post, problem is unrelated to NAT. Web server private IP was banned by pfSense.

  • Outbound NAT to child VLAN

    0 Votes
    1 Post
    290 Views
    No one has replied
  • NAT Port Forwarding Issue

    0 Votes
    3 Posts
    396 Views

    @Gertjan yup that is correct. Looks like I found my issue though. Even though I applied the Plex settings numerous times to specify a manual port, it never properly saved I guess.

    I reapplied a manual port after about an hour of properly setting the firewall/NAT settings how I think they should have been, and it stuck this time around, despite having the same setup when trying to do it before.

    So not sure if it was Plex not taking the port or me not waiting long enough after the initial config but it’s all good now.

  • Port forward to internal IP, but only for VPN clients?

    0 Votes
    4 Posts
    402 Views
    johnpoz

    DNS is not port-specific.

    Internally, if you want to post something or read something from mycompany.com, it doesn't matter what the port is.

    On the outside, mycompany.com would resolve to your public IP. The client or URL you use is what would add the :xyz (port).

    So externally you end up hitting https://1.2.3.4:789/blahblah

    Internally it would just resolve to 192.168.0.2, so now you would really be going to https://192.168.0.2:xyz/blahblah

    The DNS is just what the FQDN resolves to. Your client or application or whatever, bookmark, etc. that creates the URL would still have its port in it.

    If your VPN client is using your internal DNS and resolves mycompany.com to 192.168.0.2, that is where it would go.

  • VM to VM over LAN through pfSense VM not working.

    0 Votes
    1 Post
    240 Views
    No one has replied
  • Enable http port while dnsbl is active

    0 Votes
    2 Posts
    256 Views

    That should not conflict.

    If you have multiple internal subnets connected to pfSense interfaces, check if the webserver is accessible from another subnet.
    Otherwise use Diagnostic > Packet Capture on WAN to see if packets arrive on your WAN interface.

  • NAT 1:1 not connecting to repositories.

    0 Votes
    1 Post
    248 Views
    No one has replied
  • Having issues forwarding a UDP port, but TCP works fine.

    0 Votes
    1 Post
    410 Views
    No one has replied
  • www address not reachable, only local ip of server

    0 Votes
    2 Posts
    301 Views
    bingo600

    @pooperman

    Maybe have a look here
    https://forum.netgate.com/topic/158485/access-to-public-ip-from-inside

    /Bingo

  • Access to public IP from inside

    0 Votes
    4 Posts
    501 Views

    Is reflection enabled in the NAT rule? You could try restarting the router, I've had to do that on rare occasions.

  • Conditional Outbound NAT

    0 Votes
    11 Posts
    893 Views
    johnpoz

    So I am clear: you have some IoT device

    192.168.0.X

    and he tries to talk to 192.168.0.5, which you want to send to 172.168.0.200, but make the source 10.254.0.5.

    For starters you would have to have a 192.168.0.5 VIP on pfSense. And then to translate it to 10.254.0.5 you would need another VIP.

    edit: ok, did a simple test of this. I created a port forward on my LAN interface (you could create a VIP for your IP) that said: hey, if you go to 192.168.9.253 on port 5353, send it to 172.16.200.2.

    (screenshot: portfoward.png)

    I then created an outbound NAT rule that said: hey, if you're sending to 172.16.200.2, use the VIP IP 192.168.100.2 (I already had this for talking to my modem).

    (screenshot: outbound.png)

    I then generated a simple DNS query on port 5353, the easiest way to just generate some traffic to a specific port on a specific IP.

    Sniffing on WAN, since that is where it would go trying to get to some unknown IP on my network. But with yours you would have a VPN to send it down, etc.

    So you can see the traffic was sent to 172.16.200.2 from my 192.168.100.2 address.

    12:58:32.127354 IP 192.168.100.2.16046 > 172.16.200.2.5353: UDP, length 49
    12:58:37.139187 IP 192.168.100.2.16046 > 172.16.200.2.5353: UDP, length 49
    12:58:42.150230 IP 192.168.100.2.16046 > 172.16.200.2.5353: UDP, length 49

    So yes, I would think what you're wanting to do is possible just in the GUI, but you would have to create different VIPs for both your inside 192.168.0.x addresses and your 10.200 addresses.

  • Migrating from 1:1 NAT to bridged interfaces

    0 Votes
    2 Posts
    263 Views

    Maybe this is clearer: If I

    - create a new interface in pfSense
    - bridge it to the WAN interface
    - start to move routable IP addresses from 1:1 NAT (currently pointing to DMZ private addresses) and place them on the bridge

    will this work?

    Or will pfSense freak out if IPs from a subnet are on one interface and the others are being 1:1 NATted to another interface simultaneously?

  • Proxmox + pfSense connection port forward

    0 Votes
    21 Posts
    3k Views
    johnpoz

    pfSense doesn't care what the source IP is. I suggest again: you sniff.

    On the pfSense LAN, sniff when you send data from the .10 address. Do you see pfSense send the packet? Do you get a response?

    If you're saying it works from .12 but not .10, pfSense has no care what the source is; it would treat the data exactly the same. Other than something in Proxmox.

    So sniff and see exactly what is going on.

  • Fixed

    0 Votes
    1 Post
    176 Views
    No one has replied
  • Pinging Sophos from OPT1

    0 Votes
    12 Posts
    736 Views

    OK, I will do as you say and then I will write to Sophos to ask them how to do it on their end.
    Thank you

  • UPnP is not working, how to test/fix?

    0 Votes
    1 Post
    1k Views
    No one has replied
  • Exposing multiple applications on Port 80

    0 Votes
    2 Posts
    256 Views

    @fluentsoftware
    Install the HAProxy package and configure the server.

  • Internal websites are not working

    0 Votes
    6 Posts
    695 Views
    johnpoz

    @mikeinnyc said in Internal websites are not working:

    server: 127.0.0.53
    Address: 127.0.0.53#53

    Well, you're asking some local caching DNS with that IP, which is loopback, so where does it point? Clearly not pfSense, if you have the override set up correctly.

    Use your fav DNS tool (dig, host, nslookup) and actually ask pfSense: do you get your override?

    Do a specific directed query to the pfSense IP.

    This is not rocket science. You set a record in the DNS software, unbound; if you ask unbound, that is what it will return. If you don't ask it, you're going to get the answer from wherever you're asking, some public DNS.

  • Defining restricted dynamic ports for outbound NAT?

    0 Votes
    2 Posts
    251 Views

    @dhoffman98 said in Defining restricted dynamic ports for outbound NAT?:

    Then when the remote site responds back to the firewall, it sends its traffic on 5060, and then Snort intercepts it because it's on the SIP port and the pre-proc tests it for SIP rules

    Not sure if that is really the case, but yes, you can add an outbound NAT rule to translate the source port, in case of 5060, to another one out of a given range. That is one of the things outbound NAT rules usually can do.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.