• "Floating" NAT rules?

    11
    0 Votes
    11 Posts
    1k Views
    johnpozJ
    @marcg I agree manipulation of any dns should be opt in for sure.. If I want you to filter stuff, or help with my typos etc.. I would point to the IP specifically that you offer those services up on. If you offer such service, I should be able to point to any other dns I want and you're not going to mess with the traffic - shouldn't have to opt-out if not pointing to your dns that is for damn sure. Default opt-in is rarely a good thing for anything.. No matter what services they are providing - the user should have to opt-in in some way if you ask me. One of the pet peeves I have with doh - many of these browsers like to turn it on by default, which is not the way to go about it.. If it's so good inform the users and they will enable it if they want to. If you turn it on by default - tells me it's not so good of a thing.. Seems like to me you're trying to sneak it in under the radar.
  • Tailscale no longer allowing Outbound NAT

    5
    0 Votes
    5 Posts
    508 Views
    Z
    I resolved the issue by factory resetting the Netgate device and restoring the config.
  • Is my ISP blocking port forwarding?

    8
    0 Votes
    8 Posts
    664 Views
    F
    Figured it out!! It was a docker container problem. Docker container was set to use ipvlan, so changed to macvlan. And changed host access to custom networks to enabled. Now I can post from my docker container. Ok.. now trying to figure out how to access emby from wan.
  • Bug outbound nat after upgrade in 24.11

    3
    0 Votes
    3 Posts
    398 Views
    M
    @Bob-Dig said in Bug outbound nat after upgrade in 24.11: While I have encountered problems with the implementation in CE, I don't see those in Plus. Maybe check or delete and recreate the aliases, they can make problems too. Reply thanks for the blog page After reset/kill all state, the outbound nat is ok, after reboot, also ok
  • 2100, telstra and tplink vr2800 in Australia

    2
    0 Votes
    2 Posts
    239 Views
    G
    @idgeng said in 2100, telstra and tplink vr2800 in Australia: TPLInk VR 2800 modem in bridged mode It might be so that Telstra expects the MAC address of the TPLink device? And when you connect in bridge mode, it gets the MAC of pfsense instead. Solution would be to spoof the MAC in pfsense... Go to Interfaces > WAN and enter the TPLink MAC address in this field, and click save.
  • Static ports, is it safe?

    11
    0 Votes
    11 Posts
    677 Views
    G
    @Antibiotic Really? And how would any of those two things be related to your outgoing ports?
  • 1 Votes
    16 Posts
    2k Views
    S
    @johnpoz / @viragomann / @Gblenn Thanks for all your help. I set it up that way and it was much easier, worked right away. I appreciate the time you spent helping me out on this :)
  • WiFi Calling - RTP ports and firewall settings

    6
    0 Votes
    6 Posts
    1k Views
    G
    @slu Yes, exactly, if you have not changed anything in pfsense you have your default Allow LAN to any rule, unless you have removed that... Usually this rule is at the very bottom of the rules list under LAN...
  • 0 Votes
    4 Posts
    1k Views
    D
    @FoolCoconut said in Wireguard + Port Forwarding = Return Traffic exiting through WAN???: Holy f**k. The problem was an any/any rule in the Wireguard unassigned tunnel firewall rule list. Even though the AirVPN WG interface was assigned, group rules are evaluated first... Hope this helps someone else as well. @FoolCoconut THANK you. I've been trying to figure this out for a very long time.
  • Could you help me with the Internet connection?

    1
    1 Votes
    1 Posts
    206 Views
    No one has replied
  • Outgoing LAN only OK to ISP GW

    14
    0 Votes
    14 Posts
    1k Views
    J
    @The-Party-of-Hell-No said in Outgoing LAN only OK to ISP GW: Wondering about NAT outbound and whether you have rules allowing LAN subnet out other gateways/interfaces? Reply It’s definitely worth checking if you have NAT outbound rules set up to allow traffic from your LAN subnet to go out through the other gateways or interfaces.
  • Modem O&M behind NAT reachable, but why??

    2
    0 Votes
    2 Posts
    220 Views
    Bob.DigB
    @Stefanix said in Modem O&M behind NAT reachable, but why??: Private IP destinations shouldn't traverse outgoing NAT, right? Why do you think that?
  • Routing specific traffic (destination or protocol) through ipsec VPN

    2
    0 Votes
    2 Posts
    228 Views
    T
    @cedrictang I am assuming the tunnel is working. Have you assigned an interface to the tunnel (there is a gateway)? NAT outbound manual rule - direct (give permission) the VLAN out the VPN tunnel. Firewall - rules - (the VLAN Interface) create a pass rule just above the all rule or edit the all rule by opening the advanced menu and at the bottom change the gateway to the IPSEC gateway. If you don't edit the all rule you should disable it. I tend to leave things alone as much as possible so I can later understand the changes I made. I think this will get you there.
  • 0 Votes
    4 Posts
    398 Views
    johnpozJ
    @dguy pretty sure any $20 dumb switch would solve your problem if you're just short a port.. Connect the current cable that runs to pfs1 wan to a dumb switch, also connect pfs2 wan port to this switch.. That would be a much better solution than trying to setup a bridge and then have to firewall on the bridge, etc. etc. I would do that vs complicating my main pfsense setup..
  • NAT to reach devices in two different LANs with same IP addresses

    7
    0 Votes
    7 Posts
    947 Views
    johnpozJ
    @marcelosb these are local networks - renumber one.
  • Double Nat, No tcp connections

    3
    0 Votes
    3 Posts
    291 Views
    P
    @viragomann Thanks for the suggestion. I'm using an XCP-NG host. Just found some documentation that explains how to install xen tools and the removal of tx checksum offloading. Not sure which did it, I suspect the latter. https://docs.xcp-ng.org/guides/pfsense/ Issue resolved.
  • NAT local network

    1
    0 Votes
    1 Posts
    166 Views
    No one has replied
  • pfSense - DNS redirect to local DNS server

    nat dns masquerade pihole
    32
    8 Votes
    32 Posts
    10k Views
    AndyRHA
    @Antibiotic All of the PiHoles are on VLAN42. PiHole services VLANS 2,42,100 and 129.
  • 0 Votes
    4 Posts
    347 Views
    R
    Today (right now, to be more specific), I managed to solve the problem that haunted me for 8 long months, and I came to share with you what solved it: I created 2 NAT Port Forward rules listening on the PPPoE Server interface and it simply worked (it was so simple T-T). I feel so dumb...
  • 0 Votes
    1 Posts
    143 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.