• traffic inside ipsec vpn tunnel need SNAT ?

    0 Votes
    1 Posts
    144 Views
    No one has replied
  • ACME + HAProxy only reachable from WAN

    0 Votes
    6 Posts
    784 Views
    P
    Haproxy can receive traffic on the pfsense-wan ip that comes from an internal network just fine (normally at least, maybe if it's a ppp interface that could change things.).. Using split-dns tricks isn't needed either.. I do agree that opening the admin page of a consumer NAS to the world-wide-web wouldn't be advisable. (Perhaps if you secure it by using client-certificates it would be okay..) For this purpose listening on a lan-ip with a specific frontend could be nice to have some separation.. As for why it doesn't currently work.. that's pretty much impossible to tell without some more information about what you did and didn't configure.. Perhaps sharing a haproxy.cfg from the bottom of the settings tab would help us help you..? Or telling something about your network layout / subnets / IPs used for client / pfSense / NAS.
  • 1:1 NAT some ips not working.

    0 Votes
    1 Posts
    240 Views
    No one has replied
  • Policy routing with NAT.

    0 Votes
    4 Posts
    483 Views
    B
    Ok.. Got it. I was assigning DNS entries from my PFSense box which was using NordVPN DNS servers. I plugged in my ISP DNS entries and voila'... All is good now.
  • I Broke NAT... on my Multi Site Lab.

    0 Votes
    2 Posts
    299 Views
    S
    Trying Manual Outbound NAT also. I found that rules weren't created, so I found out that I didn't have a gateway set; once set, the rules populated. [image: 1584717584051-screen-shot-2020-03-20-at-8.19.05-am.png] So now I'm back and can ping out to the WAN gateway, but the rule that should disable NAT for source 192.168.1.0 dest 192.168.2.0 doesn't do anything even if I put it on top. [image: 1584717842746-screen-shot-2020-03-20-at-8.23.40-am.png]
  • Access host on the LAN using public IP

    0 Votes
    23 Posts
    2k Views
    johnpozJ
    No it had not cached dns.. Once you set an override any "cached" records would have been overwritten since the act of creating a host override restarts the dns service.. You were not pointing to pfsense for dns..
  • Nat 1:1 virtual subnet openvpn

    0 Votes
    1 Posts
    148 Views
    No one has replied
  • Double NAT with no option to Bridge ISP router

    0 Votes
    10 Posts
    2k Views
    F
    I'm an idiot. I'm so used to cisco fw rules that I totally misinterpreted this. I feel Sheeeeepish ;) Thanks man! you truly deserve the thumbs up.
  • Need Help with DNS Bypass for a Specific Computer

    0 Votes
    4 Posts
    565 Views
    GertjanG
    Order priority of NAT rules ? I advise you to use firewall rules to achieve known ordering. See https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html and https://docs.netgate.com/pfsense/en/latest/dns/blocking-dns-queries-to-external-resolvers.html
  • Home Assistant Duckdns/LetsEncrypt NAT settings behind double NAT.

    0 Votes
    7 Posts
    3k Views
    F
    @g146m026 no worries. I'm getting a bit further now. I got packet capture from the WAN side and I can see some 443 traffic trying to hit 8123 but getting dropped. [image: 1584570748132-2020-03-18_2318-resized.png]
  • Slow static IP routing

    0 Votes
    4 Posts
    445 Views
    johnpozJ
    I would prob look to doing a packet capture of the traffic to see where you're having a problem as a good place to start.
  • Connecting to printer across vlans

    0 Votes
    2 Posts
    905 Views
    GertjanG
    @bbirdwell said in Connecting to printer across vlans: It's awful annoying to have to jump on my home wifi every time I have to print something. You want to make your printer available to a (your) device on the Internet ? The first part of your question : VLANs are the same thing as LANs here. Example, you have a LAN interface setup like the default 192.168.1.1/24 - a printer having, say, 192.168.1.10 on this LAN. When you connect to another LAN, like 192.168.2.1/24 - you could use the IP of the printer - 192.168.1.10 and print just fine. So just use your router as a ..... router. If you have firewall rules on your second 192.168.2.1/24 interface that block access to the first LAN, 192.168.1.1/24, you have to place a "PASS" firewall rule on the 192.168.2.1/24 interface. Now you are using your router as a router, and firewall ^^ Note : the second LAN on any pfSense has no rules, thus it blocks everything initially. You have to add some rules to make it useful. [image: 1584440750681-931bb871-967d-4968-87a2-88ea4f61dece-image.png] The printer alias is the list with IPs of all my printers on the LAN interface. With this rule on my (captive) PORTAL interface, my captive portal visitors can print on my printers. Note : my visitors don't know sh*t about my printers, neither the IP nor network names, but the Avahi package, and the DHCP registration into the DNS, make devices that are capable to print able to find them, list their capabilities, and print.
  • Single IP Subnet on WAN - How?

    0 Votes
    1 Posts
    288 Views
    No one has replied
  • Webserver acces from LAN

    0 Votes
    9 Posts
    682 Views
    F
    It worked with NAT Reflection. Thanks
  • Blocking Internet at Various Times and Devices

    0 Votes
    1 Posts
    226 Views
    No one has replied
  • NAT in vmware not working.. access to mgmt works

    0 Votes
    1 Posts
    264 Views
    No one has replied
  • 0 Votes
    3 Posts
    517 Views
    N
    @viragomann yes, that is what that rule is doing on the sonicwall, s-nat and d-nat on the same rule while also matching a port/service. As you suggested, the way to do that on pfsense is to use both port forward and outbound nat to achieve the same. The thing is: there are hundreds of those rules, and they will need to be maintained in the future; effectively doubling each sonicwall rule while migrating them to pfsense will make maintenance much harder. My IT manager suggested looking at using 1:1 NAT rules and dealing with service/port matching in different ways, maybe something can be done to effectively do that using firewall rules or policy routing. I'm in the process of exploring those options on a test deployment in our lab, any suggestion towards that would be greatly appreciated.
  • NAT reflection on mail servers

    14
    0 Votes
    14 Posts
    1k Views
    N
    And you also need to do this for all domains hosted on local mail servers. And also manage this and external dns changes as needed.
  • NAT Portforward not logging access

    7
    0 Votes
    7 Posts
    425 Views
    K
    I resolved my problem. Now I face another issue.
  • OpenVPN Client - Port Forward Guidance

    3
    0 Votes
    3 Posts
    1k Views
    B
    Not sure if this will still help you or not. I found myself troubleshooting the same issue with Mullvad Port Forwarding and came across your post. I eventually overcame this problem by leaving the route pulling options unchecked and allowing the Mullvad routes into my routing table and using "policy based forwarding" on my to direct traffic on my LAN interface. You can create (or use the existing) firewall rule that allows traffic out of the LAN to the WAN. On this rule use the advanced options drop-down to specify the gateway on your primary WAN interface. This is not an ideal workaround as the default route for the firewall is still set to use Mullvad and this can have some unintended consequences, but it will allow you to use port forwarding on your VPN client. Hope this helps. I'd be interested to know if you ever came up with a solution of your own.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.