• Port Forwarding Ranges

    3
    0 Votes
    3 Posts
    317 Views
    S
    Thank you, I presumed as much but wanted to make sure.
  • NAT acting erratically for UDP DNS

    1
    1
    0 Votes
    1 Posts
    238 Views
    No one has replied
  • Voice over IP not working after Pfsense reboot

    3
    0 Votes
    3 Posts
    250 Views
    chpalmerC
    Well.. that's good to know! There have been a few come by with Fritzbox issues that I wonder if this wasn't their issue.. Glad ya got it working.
  • 0 Votes
    2 Posts
    293 Views
    M
    Found a manual (meaning outside of standard config / package) and hacky workaround, would love to hear of any improvement over that :)
    Create a user in pfsense's User Manager, enable SSH access for that user with a password-less SSH key login (I'm aware it's risky, extra precautions below).
    Create a script in the home user dir, show_wan_ip.sh, containing:
        #!/bin/sh
        # Print the IPv4 address configured on the WAN interface
        ifconfig mvneta0.4090 | sed -n '/.inet /{s///;s/ .*//;p;}'
    Edit ~user/.ssh/authorized_keys and add the following before the key:
        command="/home/user/show_wan_ip.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
    This can be executed from the (less trusted) PC that connects to it over LAN:
        ssh user@10.100.1.1 "/home/user/show_wan_ip.sh"
        192.168.1.10
  • cPanel NAT

    1
    0 Votes
    1 Posts
    194 Views
    No one has replied
  • Allow DMZ to access second IPsec site

    3
    0 Votes
    3 Posts
    336 Views
    P
    I do have it set up with a second Phase 2. I just thought there could be a better way to achieve the same result without having to go through each of the sites and adding a P2.
  • External access to the hikvision IP camera

    3
    3
    1 Votes
    3 Posts
    455 Views
    C
    Thanks viragomann, How good it is to have an external view. It was the captive portal blocking outbound. Thank you very much.
  • NAT logging original destination

    1
    0 Votes
    1 Posts
    122 Views
    No one has replied
  • does pfsense have soft NAT

    9
    0 Votes
    9 Posts
    699 Views
    N
    @NKOADMIN said in does pfsense have soft NAT: @NKOADMIN After reading the Netgate Docs I think I need to configure the Routing Public IP Addresses instead of NAT. I will give it a try, will post result here. Yes, Routing Public IP Addresses resolved my issue. Now we got the correct result in Mxtoolbox. Thanks everyone
  • No remote LAN Access and Internet after connecting to the VPN

    1
    0 Votes
    1 Posts
    250 Views
    No one has replied
  • IPSEC VPN terminating on pfSense - LAN transit network to internal LAN

    1
    0 Votes
    1 Posts
    230 Views
    No one has replied
  • Azure Internet not working

    1
    0 Votes
    1 Posts
    262 Views
    No one has replied
  • PORT FORWARD NOT WORKING IN AZURE CLOUD SINGLE NIC PFSENSE FIREWALL

    3
    4
    0 Votes
    3 Posts
    332 Views
    S
    @Gertjan said in PORT FORWARD NOT WORKING IN AZURE CLOUD SINGLE NIC PFSENSE FIREWALL: port 22,80 and 443 port 22,80 and 443 not working, because I only forwarded port 3389 for testing.
  • NATting with Manual Outbound NAT not working

    nat open vpn port forwarding
    7
    0 Votes
    7 Posts
    3k Views
    M
    You are 100% correct sir! That was the problem indeed, thanks for pointing that out!
  • NAT Reflection blocked by firewall

    6
    0 Votes
    6 Posts
    850 Views
    S
    DNS rebinding and protection for it is something else: https://en.wikipedia.org/wiki/DNS_rebinding It sounds to me like you'll need to get your PC resolving the hostname to the LAN IP of the web server. (or the WAN of the pfSense, but you might as well just use the internal IP at that point)
  • NAT Reflection on the WAN interface (packet with WAN IP as source)

    6
    0 Votes
    6 Posts
    766 Views
    S
    @viragomann I think that's what NAT is on pf, DNAT is rdr (change destination ip and keep source). If I create an outbound rule, the resulting pf rule in /tmp/rules.debug is: nat on $LAN inet proto tcp from LAN_NET/16 to LAN_IP/32 port 22 -> WAN_IP/32 port 1024:65535 Which doesn't work. Interestingly, if I change the mask of the translation address to WAN_IP/24, it works, but the last octet of the public ip will be wrong (it will round robin over that /24 net). It also works if I set the translation IP to any other IP in the WAN_NET except the actual WAN_IP.
  • This topic is deleted!

    2
    0 Votes
    2 Posts
    17 Views
  • Pfsense 2.4.4 NAT not working

    4
    3
    0 Votes
    4 Posts
    670 Views
    GertjanG
    Delete 1,2,3,4,5,6,7,8. They are useless. Normally, on a WAN interface you have no rules at all. Exception: NAT rules .... Rule 9 is part of a NAT rule? There should be a "from port" as there is a "To port", the 59045. Do not edit the firewall rule, edit the NAT rule. What are you trying to achieve with these WAN firewall rules? The NAT rule is for what?
  • NAT rTorrent Issues

    1
    2
    0 Votes
    1 Posts
    211 Views
    No one has replied
  • NATting WAN>OpenVPN>Web Server - Working Intermittently

    3
    0 Votes
    3 Posts
    537 Views
    I
    I figured it out. Initially, the packet below would travel correctly, like so:
    REQUEST: Client -> Site B WAN -> Site A Webserver
    RESPONSE: Site A Webserver -> Site B WAN -> Client
    Occasionally, this would happen:
    REQUEST: Client -> Site B WAN -> Site A Webserver
    RESPONSE: Site A Webserver -> Site A WAN -> Lost/dropped packet
    The packet is going out the wrong WAN, thus getting dropped. See diagram:
    [Diagram: Internet | Site A (Web Server 10.0.1.100, pfsense 10.0.1.0/24, WAN 1.1.1.1) | OPENVPN | Site B (pfsense 10.0.2.0/24, WAN 2.2.2.2) | Internet (Client), with the packet path drawn across]
    Site B NAT
    +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
    | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP     | NAT Ports   | Description                         |
    +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
    | WAN       | TCP      | *              | *            | WAN address   | 443 (HTTPS) | 10.0.1.100 | 443 (HTTPS) | Site B Internet to Site A Webserver |
    +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
    Site B Outbound (Source) NAT
    +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
    | Interface | Source | Source Port | Destination   | Destination Port | NAT Address     | NAT Port | Static Port | Description | Actions |
    +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
    | OpenVPN   | any    | *           | 10.0.1.100/32 | 443 (HTTPS)      | OpenVPN address | 443      |             |             |         |
    +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
    Site A Firewall Rules OpenVpn Interface (interface not assigned)
    +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
    | States | Protocol | Source | Port | Destination    | Port | Gateway | Queue | Schedule | Description | Actions |
    +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
    | 0 /0 B | IPv4 *   | *      | *    | SITE_A_LAN net | *    | *       | none  |          |             |         |
    +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
    The fix was to assign Site A's OpenVPN connection as an interface and create the firewall rule there instead. Also, you no longer need a Source NAT at Site B.
    The combination of rules to get the packet routing back to Site B's WAN consistently is below:
    [Diagram: Internet | Site A (Web Server 10.0.1.100, pfsense 10.0.1.0/24, WAN 1.1.1.1) | OPENVPN | Site B (pfsense 10.0.2.0/24, WAN 2.2.2.2) | Internet (Client), with the packet path drawn across]
    Site B NAT
    +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
    | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP     | NAT Ports   | Description                         |
    +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
    | WAN       | TCP      | *              | *            | WAN address   | 443 (HTTPS) | 10.0.1.100 | 443 (HTTPS) | Site B Internet to Site A Webserver |
    +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
    Site A Firewall Rules OpenVpn Interface (assigned interface)
    +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
    | States | Protocol | Source | Port | Destination    | Port | Gateway | Queue | Schedule | Description | Actions |
    +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
    | 0 /0 B | IPv4 *   | *      | *    | SITE_A_LAN net | *    | *       | none  |          |             |         |
    +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.