Unfortunately you can't port forward across an IPsec tunnel without the destination side sending all traffic over IPsec (0.0.0.0/0 peer or default route with VTI). This is because IPsec doesn't respect reply-to currently. It isn't possible on enc0 and it doesn't function on VTI interfaces. To do what you are after, you could use OpenVPN, or it may work if you proxy the traffic using haproxy, so that the connection is terminated on pfSense A and then A makes a fresh connection to B as a proxy, which could be nudged through IPsec.

@Marv21 No, there are no vlans. The host has two physical NICs.

@fgs said in Yet Another Outbound " NAT " Newbie Topic... I thank you!: The classic problem is, all traffic returning from the servers under "LAN" go out with the same unified "WAN" IP address. That's the default outbound "NAT" behavior. No, that only applies to outbound traffic initiated by your local devices. Response packets on requests from WAN come back from the IP the requests were sent to if your WAN interface is set up correctly.

I am not familiar with Omegle, but maybe it uses the h.323 video conferencing standard in the sticky at the top of this forum?

@DaddyGo thanks for the confirmation. But again, those aren't the real IP (and anyway, forced by my provider), so nothing I can do here.

@ralftar Thank you very much. This works for me!

i gave up on the PIA port forwarding, but still can not forward utorrent using nat rules for in and out in pfsense. Would enabling UPNP fix this problem with utorrent, and would it effect my plex port forwarding which is working fine in pfsense?

@grewterd said in EchoLink: Then they told me I will lose my unlimited data and have to pay $50 extra a month if I used my own modem. What? The fee if you go over their cap is 50 I think. But you understand your paying them X $ a month now for whatever device they gave you..a They only do that cap in certain states, and for the last fee months been completely suspended - to be honest they going to have hard time justifying putting it back.. Other then just a easy money grab.. I was comcast for years, always used my own modem.. Now on wowway - use my own.. They pay for themselves in a like a year tops.. Depending on how much their nonsense rental fee is.. And how much you spend on your modem. But $80 could be seen typical for a modem. At $10 a month rental fee, after month 8 your gravy..

Which version of pfSense is this? Does it happen if you setup a fresh install of pfSense (perhaps in a test VM?)

Well to answer my own Q' It worked , portforwarding 8443 to 443 , and use the WAN ip address as the NAT ip address. As i accessed the "site" via https://x.x.x.x:8443 , i got hit by a: HTTP_REFERER Error (and a RED Screen , leaving me "dead there") , after authenticating on the login page. Luckily i could still access the GUI via L2L VPN , but you might want think about that issue, to not be locked out. I had to add x.x.x.x to System -> Advanced -> Admin access -> Alternate Hostnames As i did not want to disable : Browser HTTP_REFERER enforcement /Bingo

@KrazeyKami how did you get it to work?

I would agree that understanding what is configured and how it works and functions is yeah a big plus in knowing if you should enable whatever or not, and or if you need it or not, etc. ;)

@CyberMinion said in Enabling a second LAN interface - can't connect: I suppose because there wasn't enough IP Exact. If the possible pool size is zero - an /32 implies zero - then pfSense doesn't bother launching a DHCP server on the interface. It wouldn't work anyway. The visual GUI effect is : no GUI 'tab'.

Check your firewall rules and make sure the traffic isn't hitting a rule with a gateway set. If so, make a new rule above it to pass to the VPN destination(s) without a gateway set.

If you translate the source IP in packets to the WAN IP, responses from the destination device are sent back to WAN IP. That's evident. You may try to activate NAT reflection + proxy in the port forwarding rule on WAN to achieve your goal.

I was able to be removed from cgnat at no cost, so went that way :)