@Gig11gs thank you man you saved me!
You are a wondeeful person

@viragomann said in How to access a LAN server over its external domainname from a LAN PC?:

If your LAN devices use an internal DNS server add an override to it.

For instance, on pfSense the DNS resolver is activated by default and devices configured by DHCP automatically use it. So go to Firewall > DNS Resolver and add a host override for blog.test.com with the IP 192.168.0.50.

Thank you @viragomann it works perfectly.

https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html#tso-lro

the answer is already there
yes you can and the correct way as suggested by derelic is Firewall <-> Managed Switch <-> Unmanaged Switch on an untagged/access port

@Mynorx As you said, things were working fine, until you changed trunk server ip.
In general, if you have freepbx being registered, this also maintains states and there isn't much to configure. (unless you also need qos, but that's something to take care at a later stage.)
No there is no security issue involved with outbound nat.
Its a good idea to disable freepbx firewall unless you also have internal threats consider.
(freepbx fw is designed to protect the product living on the wild internet.)
At least stop it while you are investigating. Makes life easier.

Since you are having issues with rtp, try portforwading the rtp range configured on freepbx from the internet facing interfacing to your host internal ip
Then go to diagnostics states and type the ip of freepbx and see if you have relevant states. Also use the trunk ip and see what happens.

pfsense works nicely with freepbx in many production environments.

ps do post your rules, there shouldn't be any discrepancies with the ip's you mention.
You are probably doing something wrong...

Maybe your pfSense is listening on the LAN interface port 80 with a rule containing "This firewall" as destination? Check all NAT and firewall rules.

Absolutely dumb: Ubuntu enabled ufw in the background after an update.

Thank you Derelict for your answer.
I confirm your suggestion worked like a charm!

@Gertjan said in FTP issue specific to Pfsense 500:

@eblaster101 : to be clear :
The FTP client - a windows device - is situation on a some LAN network behind a SG-3100.
The FTP server is situated some where on the Internet .
Is the server using passif or actif mode ?
Take note : microsoft windows command line ftp passive mode
Example : I did mange to logging into a FTP server on a dedicated server I own - "some where" on the net. But, as you, after the logging nothing worked.
Then I entered the IP, user and password into my FTP client program : SmartFTP and I could log in, upload, download etc. My FTP server was using the Passif mode.
Btw : I'm using a plain vanilla pfSense 2.4.4-p3. I've NOT installed the FTP Proxy package.

Hi yes everything you said is correct. It works via filezilla or any other ftp client just not windows.
I managed to fix it by installing ftp proxy.

ftp fixed.jpg

I did it this way because I grew weary of configuring ACME on the various servers.

This way I SSL offload and pfSense handles all the ACME for all of the domains.

Yes, the HAproxy to backend comms are in-the-clear but if someone is sniffing that I'm already owned. Bad.

All of my problems are fixed.

I was giving a random IP to pfSense's LAN interface.

Setting LAN interface as Gateway; giving 192.168.10.1 to LAN interface solved everything.

Cheers!

I also think VPN is the way to go (OpenVPN would be my choice), especially if you already have VPN for other staff. Simply configure overrides to restrict your development LAN from general users, and then create Clients for Win, Mac & Linux. Basic users can simply install the clients, wheres more knowledgeable peeps can use the raw config files or package.

I have done exactly this for various customer lab setups that required different access groups for various servers.

I tried to change the mounted CARP WAN IP from /32 to /24 to see if that can fix the issue, but seems cannot.

I am doing 1:1 NAT with both inbound and outbound. And i am not sure if that issue is related to NAT reflecting.

Firewall -> NAT -> Outbound

Disable Outbound NAT rule generation. (No Outbound NAT rules)

@Gilera
Buying more IP’s is not an option for me. I agree though, I do not understand how a cheap supplied WiFi router can give you open NAT on both boxes and play online no issues.
I did notice the second Xbox trying repeatedly to open port apon port trying to connect to COD serves when pfsense was configured to give both boxes Open NAT.
Almost seems like pfsense is not keeping track of the ports and the traffic is not getting thru for the second one.
Also the supplied WiFi router from charter seemed like it was a static port hybrid, where it would static port if it was able to, but then change the destination port if it could not.

In the end, I went with one Xbox open nat( the wife’s) and one strict nat(mine).
The only thing I changed was making mine non static port in the NAT rules.
I can still play games this way but not sure why. It plays like it’s open, but it’s reporting as strict.