Thanks for the reply, well its seems that it got fixed by it self, i think it was getting greylisted by gmail refusing to talk to my email server on port 25 currently i run Proxmox mail gateway as my smart host and my backend a zimbra server which sends though proxmox, The internet is business with 5 static IPs, first time i see on the log connection lost on gmail servers. I have seen this on other servers but its either its dead or refusing to talk to me. As the curious part i could send to any other domain besides gmail which made me think that its not a ISP issue .But thank you again for the help.

...of course the morning after I posted this, I had another idea on a place to check.
do not nat.jpg

In Hybrid Outbound NAT mode, it looks like adding a rule that matches the interface I want to exclude and then checking the "Do not NAT" option for that rule works as you might expect. 😄

Before posting, I was looking for some list of interfaces that were NAT'd or some per-interface firewall rule to disable. Since Hybrid Outbound NAT works so well, I forget it is there and that I can modify the ruleset. I've even used it before to make the local NAT port static for a particular device 🤦

@netblues that looks like an interesting alternative. I'm running the pi-hole on a server with other stuff so it won't remove a machine from the network, but it might make the config easier.

🤐

Do a tcpdump outside the host on the router or connect another computer to the hosts eth0. Possibly the host is blocking the traffic.

Thanks for the reply, so i have another pfSense box and same issue with the newest version

2.4.5-RELEASE-p1 (amd64) built on Tue Jun 02 17:51:17 EDT 2020 FreeBSD 11.3-STABLE

I have yes, that is the document I initially followed, this is my configuration;

EDIT: I just realised the pictures weren't visible, I have updated the links :)

alt text

alt text

alt text

forgot to post back it was an issue with the lSP they had the NAT on the modem and i was going crazy

May be related to this?

https://redmine.pfsense.org/issues/7727#change-41170

I'll query the ISP on what are they doing there. Doubt they'll talk... but that is a different story.

Just as a quick follow up: If you pay for your own public IP to get forwarded to you, they should have no trouble setting their UBNT POP the way you want. Otherwise what's the gain in paying for something you can't successfully use all the way you want? ;)

Your more than welcome - glad you got it sorted how you wanted.

@vanst

Is this some kind of Chinese miniPC?
Is the latest BIOS on it?
It could be a compatibility issue in the ACPI firmware code.

@vanst
"module_register_init: MOD_LOAD (vesa, 0xffffffff812d9960, 0) error 19"

https://forums.freebsd.org/threads/vesa-wont-load.59462/

Unfortunately you can't port forward across an IPsec tunnel without the destination side sending all traffic over IPsec (0.0.0.0/0 peer or default route with VTI). This is because IPsec doesn't respect reply-to currently. It isn't possible on enc0 and it doesn't function on VTI interfaces.

To do what you are after, you could use OpenVPN, or it may work if you proxy the traffic using haproxy, so that the connection is terminated on pfSense A and then A makes a fresh connection to B as a proxy, which could be nudged through IPsec.

@Marv21 No, there are no vlans. The host has two physical NICs.

@fgs said in Yet Another Outbound " NAT " Newbie Topic... I thank you!:

The classic problem is, all traffic returning from the servers under "LAN" go out with the same unified "WAN" IP address. That's the default outbound "NAT" behavior.

No, that only applies to outbound traffic initiated by your local devices.
Response packets on requests from WAN come back from the IP the requests were sent to if your WAN interface is set up correctly.

I am not familiar with Omegle, but maybe it uses the h.323 video conferencing standard in the sticky at the top of this forum?

@DaddyGo thanks for the confirmation.
But again, those aren't the real IP (and anyway, forced by my provider), so nothing I can do here.

@ralftar Thank you very much. This works for me!