• Block other NAT-Routers in LAN

    1
    0 Votes
    1 Posts
    148 Views
    No one has replied
  • using pfsense to point an incoming static IP at an internal server?

    3
    0 Votes
    3 Posts
    309 Views
    bingo600
    On what interface is it coming in? WAN or local? Do you only need to direct it to a specific service (PORT), i.e. like HTTP/HTTPS?
  • How to route rfc1918 private ip on WAN net to IP on LAN net

    4
    0 Votes
    4 Posts
    491 Views
    V
    @SimpleTechGuy said in How to route rfc1918 private ip on WAN net to IP on LAN net: pfsense is actually a virtual machine on the kvm. Got it set this way so I still have internet to kvm and can reboot remotely the pfsense if something goes wrong. Mine runs on KVM as well. It gets the public IP via PPPoE and does the whole routing stuff here. It has been doing its job for almost three years now this way without any trouble.
  • Passive FTP Server

    4
    0 Votes
    4 Posts
    492 Views
    Gertjan
    @jmcdiarmid_uk said in Passive FTP Server: What is the easiest way to do this with pfsense? The FTP server should be part of the 'network above' pfSense, somewhere in the WAN address range. Typically, by using an ISP modem, as these expose the WAN IP on the device behind it. Check out how a passive FTP is set up behind a NAT: it's an FTP server settings option. Nothing special has to be done on the NAT (pfSense) device, except the port range NATting. If your passive FTP server does not have this option, it is completely useless behind a NAT, and can be accessed only from its 'LAN'.
  • Can't get any ports to forward

    9
    0 Votes
    9 Posts
    788 Views
    S
    @Derelict Thank you. When I replied, I didn't have access to the device, but looking at it now, if I'm understanding everything correctly, I changed the Interface setting of the pfSense Packet Capture from WAN to OPT, which is the port the server is plugged into (as labeled on the device and afaik I have not changed the label anywhere in software). This yielded no traffic. However, when I check the LAN interface, I can see the expected traffic. So I guess that means it's making it past the firewall successfully but may or may not have a route to the right place. As I noted in my OP, I did move the OPT interface to be on the same VLAN as the LAN interface (so I can access the server by direct local IP from my internal network - works fine). I am in the process of double checking those settings. Also still going over the Troubleshooting guide linked above.
  • Green network (Mgmt) cannot talk out to Internet

    1
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • NATing a service NET into a Main Net

    1
    0 Votes
    1 Posts
    277 Views
    No one has replied
  • Private address not being blocked out bound

    12
    0 Votes
    12 Posts
    974 Views
    Derelict
    https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html
  • Setup NAPT for Dual WAN IPv6

    1
    0 Votes
    1 Posts
    203 Views
    No one has replied
  • multiple hosts single WAN address

    5
    0 Votes
    5 Posts
    450 Views
    M
    @viragomann I'll play with it and see what we can do with it. Thank you :)
  • No custom NAT ports will work.. Forbidden

    2
    0 Votes
    2 Posts
    217 Views
    P
    Figured it out. I'm an idiot! Needed to enable remote access in media server.
  • Redirecting DNS requests respone issue

    5
    0 Votes
    5 Posts
    1k Views
    Z
    @viragomann WORKED! TYVM -
    dig www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com @8.8.8.8
    ; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62363
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com. IN A
    ;; AUTHORITY SECTION:
    com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1600953019 1800 900 604800 86400
    ;; Query time: 171 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Sep 24 13:10:34 UTC 2020
    ;; MSG SIZE rcvd: 141
    Internal DNS log:
    Sep 24 09:10:34 dnsmasq[25829]: query[A] www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com from 192.168.11.1
    Sep 24 09:10:34 dnsmasq[25829]: forwarded www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com to 2604:6000:1529:8082:9c5d:c6ff:fe2a:ae3b
    Sep 24 09:10:34 dnsmasq[25829]: validation result is SECURE
    Sep 24 09:10:34 dnsmasq[25829]: reply www.dsffdgdfhdfhsdfsdgdfshdfghdsfds.com is NXDOMAIN
  • NAT issue for networks not directly connected to the firewall.

    4
    0 Votes
    4 Posts
    370 Views
    Derelict
    No. That is why I suggested NAT for all private space.
  • DNS redirect (NAT) doesn't work 100 procent

    12
    0 Votes
    12 Posts
    825 Views
    johnpoz
    @AudiAddict said in DNS redirect (NAT) doesn't work 100 procent: But no difference yet. Did you clear your states? I just showed you this working.. Would you recommend doing this differently? Yes.. Put your pihole on 1 vlan! Allow your different vlans to talk to pihole on IP and 53 tcp/udp. The whole point of a firewall is to block/allow specific traffic between vlans. Not everything - unless that is what you want. But you want your clients to talk to your pihole, so allow that traffic.. Placing a device on every vlan (multihomed) compromises the security of your network. If the pihole was compromised then it has complete access to every other network it has an IP on without having to go through your firewall. It can also lead to asymmetrical routing problems. If you want your redirect to work without having to do any nat reflection stuff - then put it on a vlan all by itself.. So now all traffic even when redirected will look like it came back from where the client sent it.
  • Hybrid NAT

    1
    0 Votes
    1 Posts
    200 Views
    No one has replied
  • Need help creating my first port forwarding rule as it doesn't work.

    8
    0 Votes
    8 Posts
    675 Views
    L
    @viragomann Thanks, I finally found the last problem, there was an old NAT rule on my modem/router, which was redirecting 80/443. Thanks for your guys help. It is working now.
  • Trouble with NAT (443 works, but other ports don't)

    6
    0 Votes
    6 Posts
    584 Views
    L
    @johnpoz not to hijack this thread, I created a thread for my specific problem. But to answer your question, I have a cable modem router, with the pfSense set as the DMZ. https://forum.netgate.com/topic/156840/need-help-creating-my-first-port-forwarding-rule-as-it-doesn-t-work
  • Unable to connect to RDS Farm

    3
    0 Votes
    3 Posts
    210 Views
    Rico
    How is all this stuff connected together? Give us some more information / share your configuration. -Rico
  • PIA automatic port-forward update for Transmission daemon

    9
    0 Votes
    9 Posts
    4k Views
    F
    @Apocracy no, it works, I am using it right now. I think right now only 2 or 3 servers support port forwarding, Canada and Germany don't work, they said they are working on a fix
  • "reset all states" box does not seem to work as advertised.

    19
    0 Votes
    19 Posts
    1k Views
    C
    @compsmith said in "reset all states" box does not seem to work as advertised.: I need to bump this issue because I am still experiencing issues with all the suggestions given. Does anyone else have any suggestions how I prevent this from happening as this is still an issue
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.