• Private address not being blocked outbound

    0 Votes
    12 Posts
    903 Views
    DerelictD

    https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html

  • Setup NAPT for Dual WAN IPv6

    0 Votes
    1 Posts
    193 Views
    No one has replied
  • multiple hosts single WAN address

    0 Votes
    5 Posts
    433 Views
    M

    @viragomann I'll play with it and see what we can do with it. Thank you :)

  • No custom NAT ports will work.. Forbidden

    0 Votes
    2 Posts
    217 Views
    P

    Figured it out. I'm an idiot! Needed to enable remote access in media server.

  • Redirecting DNS requests response issue

    0 Votes
    5 Posts
    1k Views
    Z

    @viragomann WORKED! TYVM -

    dig www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com @8.8.8.8

    ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62363
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com. IN A

    ;; AUTHORITY SECTION:
    com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1600953019 1800 900 604800 86400

    ;; Query time: 171 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Sep 24 13:10:34 UTC 2020
    ;; MSG SIZE rcvd: 141

    Internal DNS log:

    Sep 24 09:10:34 dnsmasq[25829]: query[A] www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com from 192.168.11.1
    Sep 24 09:10:34 dnsmasq[25829]: forwarded www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com to 2604:6000:1529:8082:9c5d:c6ff:fe2a:ae3b
    Sep 24 09:10:34 dnsmasq[25829]: validation result is SECURE
    Sep 24 09:10:34 dnsmasq[25829]: reply www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com is NXDOMAIN

  • NAT issue for networks not directly connected to the firewall.

    0 Votes
    4 Posts
    340 Views
    DerelictD

    No.

    That is why I suggested NAT for all private space.

  • DNS redirect (NAT) doesn't work 100 procent

    0 Votes
    12 Posts
    807 Views
    johnpozJ

    @AudiAddict said in DNS redirect (NAT) doesn't work 100 procent:

    But no difference yet.

    Did you clear your states?

    I just showed you this working..

    Would you recommend doing this differently?

    Yes.. Put your pihole on 1 vlan! Allow your different vlans to talk to pihole on IP and 53 tcp/udp. The whole point of a firewall is to block/allow specific traffic between vlans. Not everything - unless that is what you want. But you want your clients to talk to your pihole, so allow that traffic.. Placing a device on every vlan (multihomed) compromises the security of your network. If the pihole was compromised then it has complete access to every other network it has an IP on without having to go through your firewall.

    It can also lead to asymmetrical routing problems.

    If you want your redirect to work without having to do any nat reflection stuff - then put it on a vlan all by itself.. So now all traffic even when redirected will look like it came back from where the client sent it.

  • Hybrid NAT

    0 Votes
    1 Posts
    199 Views
    No one has replied
  • Need help creating my first port forwarding rule as it doesn't work.

    0 Votes
    8 Posts
    606 Views
    L

    @viragomann Thanks, I finally found the last problem, there was an old NAT rule on my modem/router, which was redirecting 80/443. Thanks for your guys help. It is working now.

  • Trouble with NAT (443 works, but other ports don't)

    0 Votes
    6 Posts
    537 Views
    L

    @johnpoz not to hijack this thread, I created a thread for my specific problem. But to answer your question, I have a cable modem router, with the pfSense set as the DMZ.

    https://forum.netgate.com/topic/156840/need-help-creating-my-first-port-forwarding-rule-as-it-doesn-t-work

  • Unable to connect to RDS Farm

    0 Votes
    3 Posts
    205 Views
    RicoR

    How is all this stuff connected together?
    Give us some more information / share your configuration.

    -Rico

  • PIA automatic port-forward update for Transmission daemon

    0 Votes
    9 Posts
    4k Views
    F

    @Apocracy no it works, I am using it right now, I think right now only 2 or 3 servers support port forwarding, Canada and Germany don't work, they said they are working on a fix

  • "reset all states" box does not seem to work as advertised.

    0 Votes
    19 Posts
    1k Views
    C

    @compsmith said in "reset all states" box does not seem to work as advertised.:

    I need to bump this issue because I am still experiencing issues with all the suggestions given.

    Does anyone else have any suggestions how I prevent this from happening as this is still an issue?

  • Port Forwarding doesn't appear to be working

    0 Votes
    1 Posts
    269 Views
    No one has replied
  • Automated scripts for Private Internet Access port forwarding

    0 Votes
    69 Posts
    273k Views
    H

    @fm808 Cool ! Glad you figured it out :]

  • How to nat a IP range?

    0 Votes
    2 Posts
    284 Views
    DaddyGoD

    @sanjibgupta said in How to nat a IP range?:

    In pfsense 2.4.4

    Hi,

    The developers, they don’t work hard for that, because you get stuck one on an ancient version.
    Please upgrade your system and ask your question again.
    https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.html
    😉

  • SIP Cloud

    0 Votes
    1 Posts
    213 Views
    No one has replied
  • This topic is deleted!

    0 Votes
    1 Posts
    7 Views
    No one has replied
  • Load balancing Servers on LAN

    0 Votes
    3 Posts
    247 Views
    No one has replied
  • Port forwarding - pros and cons [Solved]

    0 Votes
    4 Posts
    665 Views
    johnpozJ

    Even for remote access you don't need port forwards for your ring stuff. For access to whatever HA you're running - ok.. But that would be a bad idea! If you need remote access to some service you're running, then vpn into your network and access it that way.

    The only time you should allow for unsolicited inbound access, ie a port forward would be services you want to be open to the public.. Say some public web server, or plex server, or minecraft server, etc. ntp server.

    If you are going to be the only one to access it - like a HA service, then vpn would be the more secure solution.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.