@bgillette said in Simple internal NAT - Can't port forward on internal LAN: well i had my NAS admin exposed so i could access it remotely Would never in a million years expose nas admin to the public internet.. If you can not lock down forward to a known source IP, say your work, or where you remotely admin from.. Then VPN into to do your remote administration.

Perhaps use proper DNS instead?

Hmmm, what was system default set too? Mine is disabled - but it defaults to what pure nat or nat+proxy? I really don't see how that would of come into play on a different interface.. Can try and duplicate it - what setting did you have in system, and can set mine to that and then look at the exact rules being created..

@hotshottech said in Access Back-haul Radios: I got it going…..here are the rules that got me there. Thanks guys for all the help....see attached [image: Post2.png] [image: Post2.png_thumb] [image: post3.png] [image: post3.png_thumb] Hi! I also have a same problem... ISP Router Modem (DHCP) 192.168.2.1-RADIO(192.168.30.X)-RADIO(192.168.30.Y)-PFSENSE(192.168.2.1) sadly, can't see the attached files...

@mike1818 (Replying to my own post) There is a problem with the PABX. Retried it and saw outgoing traffic from the pfSense to the PABX which is acting like there is no traffic. Sorry for bothering.

Thanks, I'll write tomorrow as I check it out.

Thanks, I check everything again and you are right, this is debian fault, not pfsense

Thanks for the reply, well its seems that it got fixed by it self, i think it was getting greylisted by gmail refusing to talk to my email server on port 25 currently i run Proxmox mail gateway as my smart host and my backend a zimbra server which sends though proxmox, The internet is business with 5 static IPs, first time i see on the log connection lost on gmail servers. I have seen this on other servers but its either its dead or refusing to talk to me. As the curious part i could send to any other domain besides gmail which made me think that its not a ISP issue .But thank you again for the help.

...of course the morning after I posted this, I had another idea on a place to check. [image: 1594572767302-do-not-nat.jpg] In Hybrid Outbound NAT mode, it looks like adding a rule that matches the interface I want to exclude and then checking the "Do not NAT" option for that rule works as you might expect. Before posting, I was looking for some list of interfaces that were NAT'd or some per-interface firewall rule to disable. Since Hybrid Outbound NAT works so well, I forget it is there and that I can modify the ruleset. I've even used it before to make the local NAT port static for a particular device

@netblues that looks like an interesting alternative. I'm running the pi-hole on a server with other stuff so it won't remove a machine from the network, but it might make the config easier.

Do a tcpdump outside the host on the router or connect another computer to the hosts eth0. Possibly the host is blocking the traffic.

Thanks for the reply, so i have another pfSense box and same issue with the newest version 2.4.5-RELEASE-p1 (amd64) built on Tue Jun 02 17:51:17 EDT 2020 FreeBSD 11.3-STABLE

I have yes, that is the document I initially followed, this is my configuration; EDIT: I just realised the pictures weren't visible, I have updated the links :) [image: ACtC-3f0yM9YbfffdsBJebqtExpGS45AR4Qdmlttc4Rp0R0XM9cO5R-ImoE1zMffrQZBY7GC0LPmgiogMRtISKhwcbN4MgXH5Vj2iYEfIy-Mj78qSNR4ELFvjcx3LHq0ohtMTnVUhvM5RGnVe4AJL-JK8jDC=w847-h937-no?authuser=0] [image: ACtC-3fpZ5pjsHONW-BB0XSrBZ1Ln_P8nKiSOrr673zv866qzZr7icFa22Zq7_RKnqPOZLrJ87293jGWiqVy_HBHAxa8JUdc1lnUcGm5PdiwwL_ZGa5W-RN5dij_wWPPj63M7HTooXyb-1RkZreJT1HXrmd2=w1156-h889-no?authuser=0] [image: ACtC-3epJJxEezCM_CPGALuxLXdHRqQOd9mjpUFlONAnPfJW-4jA-N7G0zU9XWkXsOfEsInBX7hAM9f5oJ46YaEDBh4ZWu47k8beuDGg8HASw6vkb6rv5RgpFE6I7tjTchHVF3JAALCrg-Wp5MADHo-14cBZ=w1149-h826-no?authuser=0]

forgot to post back it was an issue with the lSP they had the NAT on the modem and i was going crazy

May be related to this? https://redmine.pfsense.org/issues/7727#change-41170

I'll query the ISP on what are they doing there. Doubt they'll talk... but that is a different story. Just as a quick follow up: If you pay for your own public IP to get forwarded to you, they should have no trouble setting their UBNT POP the way you want. Otherwise what's the gain in paying for something you can't successfully use all the way you want? ;)

Your more than welcome - glad you got it sorted how you wanted.

@vanst Is this some kind of Chinese miniPC? Is the latest BIOS on it? It could be a compatibility issue in the ACPI firmware code. @vanst "module_register_init: MOD_LOAD (vesa, 0xffffffff812d9960, 0) error 19" https://forums.freebsd.org/threads/vesa-wont-load.59462/