• OSPF: pfSense and 2 Instances of VyOS in Separate Networks

    0 Votes
    3 Posts
    939 Views
    GraysonPeddie
    Note: I'm going to make a new post instead of editing my existing one. I did not see an error message when I submitted my changes, so I'm going to make a new post documenting my experience with NAT.

    Okay, so I'm going to document my experience with NAT in pfSense. Let's change the destination to 10.249.1.0/24.

    Rule 1:
    Interface: WAN
    Source: any
    Destination: 10.249.1.0/24
    Translation Address: 10.249.0.0/16

    Pinging 10.249.1.100 works and pinging 10.249.2.100 does not work. So, changing the destination to 10.249.2.0/24 makes pinging 2.100 work, but 1.100 does not.

    I'm going to reset the destination to 10.249.0.0/24 and modify the translation address to 10.249.0.0/24. I'm going to give it a try:

    Rule 1:
    Interface: WAN
    Source: any
    Destination: 10.249.0.0/16
    Translation Address: 10.249.0.0/24

    Setting the translation address to 10.249.0.0/24 works fine when pinging .1.100 and .2.100. What happens if I set the translation address to just the interface address? Setting the first rule to WAN address won't work because pfSense does not seem to reach back to .0.101 when I try to ping .1.100 and .2.100. So it makes sense to think that pfSense will translate the packets back to the originating host's IP address and not the interface address (172.24.9.2). I don't know how that works, but hey, it works. Maybe somebody could explain why using the local /24 LAN subnet works.
  • Trafic Redirect

    0 Votes
    4 Posts
    298 Views
    That's straightforward. I have made such forwardings several times. Ensure that Pf2 is the default gateway for the server, that a firewall rule on the specified OpenVPN interface is allowing the access, and that it matches. Also on Pf1 WAN you need a rule allowing the traffic, of course.

    @Ilya-V said in Trafic Redirect: added a permissive rule for everything

    You have to ensure that there is no rule on the OpenVPN tab which matches the traffic. OpenVPN is an interface group including all OpenVPN instances you're running, and it doesn't work on interface groups! That's why I wrote "move the rule from OpenVPN...".
  • Maximum amount of Outbound Static NAT?

    0 Votes
    5 Posts
    358 Views
    Some may slip away into obscurity, but I owe a reply.... lol. Just reading this a couple of minutes ago. When I read your last suggestion about anyone else using an IP on the segment, I sort of cringed. I had looked at Diag/ARP and saw the FW MAC, but hadn't looked at the EdgeRouter due to an SSH issue last night. When I logged into the router I saw that the network has been sliced to a /27, not /26 as I had thought. Added a usable IP from the IP subnet and off and going. Thank you.
  • Speed? Is there anything in PFSense that would rate-limit SSH NAT?

    0 Votes
    8 Posts
    941 Views
    I set up the DMZplus mode to my laptop. If I SFTP to the laptop, the speeds are atrocious, just like to the netgate device. It must be the modem.
  • Configuring NAT overload in pfSense

    0 Votes
    5 Posts
    1k Views
    NAT overload is a classic Cisco term. Also called PAT (port address translation), or plain NAT as we know it in home appliances.
  • 0 Votes
    3 Posts
    834 Views
    Is the WAN gateway shown as online on the dashboard? Are you able to ping 8.8.8.8 by the IP address from pfSense to rule out a DNS issue? If the issue is on the VMWare setup the Virtualization section of this forum might be a better place to ask.
  • All external attempts to SSH or SFTP yield "connection refused"

    0 Votes
    6 Posts
    529 Views
    First, thanks for the reads and comments. It seems that, upon seeing my WAN address as 172 and not my IP, something was fishy with the modem. Either ATT or a power cycle reset the modem to block traffic and not pass it all to pfSense. I changed that setting, and we are back in action. I'm sorry to have wasted your time on this, as I assumed my settings on the modem were unchanged.
  • Check 1 to 1 Nat public ip, returned internal ip address

    0 Votes
    1 Posts
    180 Views
    No one has replied
  • 0 Votes
    3 Posts
    352 Views
    Hi @netblues, thanks for your response. I agree it would be much easier if I connected to the VPS PFS from the VLANed VM. But the thing is, I want to know how to make this using PFS. So let's start with some questions, as I might have gaps in my knowledge: Peer-to-Peer (Site-to-Site) OVPN connections: are they bidirectional? If I wanted to NAT port forward to this interface, which 'Redirect target IP' should I use? Thanks.
  • FTP not working

    0 Votes
    6 Posts
    543 Views
    Raffi_R
    @Napsterbater said in FTP not working: @anakaoka I have LONG LONG abandoned IIS FTP. I have used Filezilla FTP Server for quite a while, though it has no capability to use AD/LDAP for user auth. But it does support Implicit and Explicit TLS for FTP, Passive and Active FTP and IPv6. For Passive FTP, just configure a range of ports and forward those to the server, and configure the External IP in the server settings.

    Second this ^ Filezilla was my solution for a while also. It worked great and did exactly this with a range of passive FTP ports. Eventually ditched that Windows system and created a FreeNAS server with secure FTP access similar to the Filezilla one. FreeNAS is pretty awesome stuff.
  • NAT subnet from BGP route

    0 Votes
    3 Posts
    361 Views
    I ended up re-designing how the neighbors interacted and eliminated the need for another set of routes from a second AS. I think one of the IP pools was in conflict; that's no longer the case :)
  • NOT DOES NOT WORKING FOR HTTPS PORTAL

    0 Votes
    1 Posts
    140 Views
    No one has replied
  • NAT / Port forward to IPsec tunnel

    0 Votes
    1 Posts
    220 Views
    No one has replied
  • Are the Autocreated ISAKMP rules needed?

    0 Votes
    10 Posts
    9k Views
    jimp
    @powerextreme said in Are the Autocreated ISAKMP rules needed?: Also, why is the loopback address using ISAKMP?

    It normally isn't, but it's included in the networks for automatic outbound NAT rules, and each entry in that list gets the udp/500 static port rule.
  • Port forwarding from Virtual IP

    0 Votes
    3 Posts
    421 Views
    That's what I needed. Thanks.
  • 0 Votes
    1 Posts
    225 Views
    No one has replied
  • Multiple virtual IPs, one WAN -- outbound round robin use of IPs possible?

    0 Votes
    7 Posts
    621 Views
    @netblues said in Multiple virtual IPs, one WAN -- outbound round robin use of IPs possible?: @Airwave and consider random with stickiness since changing IPs between HTTPS requests tends to break things badly.

    Okay, great, thank you. I'll test these options :-)
  • Hairpin nat for a test environment

    0 Votes
    1 Posts
    246 Views
    No one has replied
  • 0 Votes
    3 Posts
    351 Views
    SipriusPT
    So, after some CSI I noticed that inbound packets were reaching the target machine; the problem was that Firewall B didn't know where to send back the response, so I added a new rule in NAT Outbound for this particular device, and it worked like a charm:

    [image: 1595436390941-0d66b8df-182e-417f-b492-f56c1d24b4d4-image.png]

    NOTE: Firewall B doesn't use Firewall A's gateway; it's a "hybrid" VPN.
  • Upnp Port Forwarding question

    0 Votes
    1 Posts
    275 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.