• 1:1 NAT Troubles - return traffic issue

    0 Votes
    9 Posts
    757 Views

    Now I'm confused.
    You have two guest hosts on esxi, one of them being the pf.
    And you have full admin access on the guests.
    So you can change the default gw on host1 to point to pf lan on host2.
    I suspect these two are on the same bridge or other common interface.

    As for the rest of the network, you can route e.g. all RFC 1918 IP space to the original default gw and keep everybody at bay.

    Perhaps I'm missing something here. Please elaborate.

  • Open Port Checker?

    0 Votes
    8 Posts
    631 Views
    Bob.Dig

    Maybe there is a rather "easy" solution, NAT Loopback I was told. I run a service on a different machine and try to connect to it using the DDNS address, where no split-DNS is used. If I can connect, the server should also be reachable from the outside. If I can't connect, I am probably on DS-Lite. In my case, client and server are Jabber IM, so it is running anyway and that would help me, if this really "works" as intended.

  • Accessing local PC with dyndns (not through port forwarding?)

    0 Votes
    2 Posts
    159 Views
    Rico

    Should be no problem for HAProxy. :-)

    -Rico

  • Unable to port forward from internal to internal

    0 Votes
    1 Posts
    192 Views
    No one has replied
  • Rules on 1:1 NAT

    0 Votes
    2 Posts
    240 Views

    No, the traffic doesn't get duplicated. It goes by the first match wins.

    So if the first rule in your rule set matches, it is applied and subsequent rules are ignored.

  • GTA Online ports, NAT settings, what am I doing wrong?

    0 Votes
    23 Posts
    8k Views

    You're an idiot or a troll, I don't care. I don't have patience for people like you. Blocked.

  • Print to device in another network

    0 Votes
    3 Posts
    249 Views

    At layer 3, you're right. It appears that the print drivers scan the local network at layer 2 looking for the printer, so while I could easily create ACLs (they are actually in place now), the systems on the "inside" network don't find the printer on the guest network. Thanks

  • Port forward to WAN

    0 Votes
    19 Posts
    1k Views

    @Mellowlynx
    To set a single IP in the outbound NAT, you have to select Network, enter the IP and select 32 for the mask.

  • Configure external extension CIP 850 - pfsense

    0 Votes
    1 Posts
    424 Views
    No one has replied
  • CREATE NAT TO SAME PORT ON DIFFERENT SERVERS

    0 Votes
    6 Posts
    354 Views

    @klausneil said in CREATE NAT TO SAME PORT ON DIFFERENT SERVERS:

    Hi, I need help with a configuration. I don't know how to make this, but the problem is this: I have an antispam server (192.168.1.2), its public IP is 190.89.21.11 and it has an SSH port (22/tcp); I also have a mail server (192.168.1.3), its public IP is 190.89.21.12 and it has the same SSH port (22/tcp). What is the rule that can allow connecting to two different servers with the same port, or can I only change the port of one of them?

    Yes, I already did that 👆

  • No NAT reflection for Virtual IP - DNS not applicable

    0 Votes
    1 Posts
    194 Views
    No one has replied
  • Apply rule NAT

    0 Votes
    1 Posts
    124 Views
    No one has replied
  • IP6 NAT

    0 Votes
    6 Posts
    529 Views

    Wow, sorry I didn't explain. Externally, things like my phones & tablets seem to only have an IP6 address. pfSense 2.4.5 is between my internal IP4 network and the world. I guess the first question should have been: can external devices with IP6-only addresses be passed through pfSense to access items on the internal network (IPv4)? If so, is there anything special I have to do to set this up? I have found things in advanced networking like "all IP6 traffic will be blocked by the firewall unless this box is checked". I am not sure if the previous NAT entries (that worked with IP4 -> IP4 rules) have to be modified for IP6 -> IP4, or it might be my ISP changing their rules and blocking more than they used to.

  • Port Forward based on incoming IP?

    0 Votes
    2 Posts
    159 Views
    dotdash

    Just click the button to show advanced when you are creating the port-forward. Then put in the IP in source.

  • NAT with Virtual IP (OWA)

    0 Votes
    2 Posts
    273 Views

    You have to add all your public IPs as IP alias (Firewall > Virtual IPs).

    Then go to Firewall > NAT > Port Forward and add a rule to forward port 443 to your OWA server. The destination is your virtual public IP.
    In the rule settings you can select that pfSense adds an assigned firewall rule automatically.

    With 1:1 NAT, pfSense also uses the entered public IP for outbound connections from the stated internal device, and the 1:1 conjunction is applied to any ports. This may not be necessary in this case, but is possible as well. However, using 1:1 NAT you must add firewall rules manually.

  • [SOLVED] NAT not working

    0 Votes
    6 Posts
    642 Views

    Hi, well, in the end all this was caused by my ISP; they made a wrong configuration in the Cisco modem, but now all is right. Thanks to viragomann.

  • Cant TELNET my MSSQL SERVER After 1:1 NAT From Internet Side

    0 Votes
    6 Posts
    495 Views
    kiokoman

    nice 👍

  • 0 Votes
    2 Posts
    308 Views
    High_Voltage

    Never mind, this issue is just causing me more headache than it's worth, given I can get essentially the same functionality by way of pfBlockerNG, so I'm just going to cut my losses with this confusing issue and go all in on pfSense, given it can do everything I need, and my Pi-hole server for whatever reason is being slow as heck.

    Thank you guys for the time. I'm just going to make things easier for me and go all in on my pfSense firewall, which I already know works for the task.

  • Need help having someone look at my port forwarding rules

    0 Votes
    4 Posts
    331 Views

    @DominikHoffmann Oh, ok. Glad you figured it out.

    Jeff

  • Using Virtual IP and port forwarding

    0 Votes
    7 Posts
    741 Views

    @Bob-Dig Because I want something like a static NAT for inside hosts.

    For example, in this case, I know I could just forward everything to the WAN address of the pfSense, then manage the different port NATs to the LAN.

    But I come from a Cisco environment where I had a static NAT for each host, so I'm used to that scenario.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.