Did you run Manual Outbound NAT before your added the new OPT interface? In manual mode you need to care about the outbound NAT yourself. However, switching to automatic and back to manual will also create the rules for all Interfaces. Personally I like to have Hybrid Outbound NAT. -Rico

Well if your NAS is multihomed and not pointing to pfsense as its default gateway - then yeah going to be a problem connecting to it from a network it has no idea how to get back to.

@edwardnizz said in Plex - Cannot achieve remote access. Not even through port forwarding.: Wow Nice people here.. Indeed. You should readLink Text this.

@red_cat1930 said in Port forward from LAN to WAN with failover: oundrobindns.txt –start-- X.X.X.X anyhost.anydomain Y.Y.Y.Y anyhost.anydomain --end-- 2. add addn-hosts=/roundrobindns.txt to DN One simple way to do it now is just to 1:1 NAT Mappings your WAN to your Failover. So go to Firewall / NAT / 1:1 and add an entry for your Failover interface, with the Failover IP as the External IP and the internal IP being the regular WAN IP Sorry... this is the best SEO for this subject.

@Gertjan When you connect to your FTP server on the same LAN as your device (PC), have this FTP client using Active mode (?). : active mode in LAN just works fine, but can not login through passive mode. second ftp server to accept only LAN connections through 2121 is seems like good idea, let me work on that.

Now I'm confused. You have two guest hosts on esxi, one of them being the pf. And you have full admin access on the guests. So you can change the default gw on host1 to point to pf lan on host2. I suspect these two are on the same bridge or other common interface. As for the rest of the network, you can route eg all rfc1918 ip space to original default gw and keep everybody at bay. Perhaps I'm missing something here. Please elaborate.

Maybe there is an rather "easy" solution, NAT Loopback I was told. I run a service on a different machine and try connect to it using the DDNS-Address, where no split-DNS is used. If I can connect, the server should also be reachable from the outside. If I can't connect I am probably on DS-Lite. In my case, client and server are jabber IM, so it is running anyway and that would help me, if this really "works" as intended.

Should be no problem for HAProxy. :-) -Rico

No, the traffic doesn't get duplicated. It goes by the first match wins. So if the first rule in your rule set matches, it is applied and subsequent rules are ignored.

You're an idiot or a troll, I don't care. I don't have patience for people like you. Blocked.

At layer 3, you're right. It appears that the print drivers scan the local network at layer 2 looking for the printer, so while I could easily create ACLs (they are actually in place now), the systems on the "inside" network don't find the printer on the guest network. Thanks

@Mellowlynx To set a single IP in the outbound NAT, you have to select Network, enter the IP and select 32 for the mask.

@klausneil said in CREATE NAT TO SAME PORT ON DIFFERENT SERVERS: Hi, i need help in a configuration i dont know how make this but the problem is this i have a antispam server (192.168.1.2) your ip public is 190.89.21.11 and have ssh port (22/tcp); also i have a mail server (192.168.1.3) your ip public is 190.89.21.12 and have the same ssh port (22/tcp), what is the rule that can allow conect two different server with the same port or only can change the port of one they Yes i already did that

wow, sorry I didn't explain. Externally things like my phones & tablets seem to only have an IP6 address. pfSense 2.4.5 is between my internal IP4 network and the world. I guess the first question should have been: can external devices with IP6 only addresses be passed through pfSense to access items on the internal network (ipv4)? If so is there anything special I have to do to set this up. I have found things like in advanced networking like all ip6 traffic will be blocked by the firewall unless this box is checked. I am not sure if the previous NAT entries (that worked with ip4 -> ip4 rules) have to be modified for ip6 -> ip4 or it might be my ISP changing their rules and blocking more than they used to .