@maverickws said in IPv6 over IPv4 Tunneling:

You don't need to configure NAT for this.

The rule you need is a Pass on the WAN interface (Firewall > Rules > WAN), I believe allow any to any or any to host and on protocol (not address family) you select IPv6 I think that's it.

Yes, I did that. Protocol IPv4 IPV6 Source any Destination (tried any or my VM IP) and this rule does match the state that is created when I ping out. But still after it times out incoming connections are dropped and don't show up in firewall logs. So it's inbound NAT that isn't working and I suspect it has to do with that error I'm getting in the original post.

Thanks @Nitrobeast - really appreciate the help!

Finally i solve it myself using this link https://docs.netgate.com/pfsense/en/latest/interfaces/using-public-ip-addresses-on-an-interface.html

The idea is to not ANT second /subnet as it s already an Public IP subnet.

Hey,
Thanks for the detailed video, I have followed the steps and used the template provided in HAproxy to send traffic to same backend server using host names in the ACL, however when I hit the first site for example site1.com, its working fine, but when I hit site2.com, its not working, any idea why this config is not working

https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

-Rico

No. Port forwards need to be configured on each incoming WAN interface.

@KOM Total mess today but hey, now it rly works because I did configure static ones on the servers.

I was going to next suggest that you packet capture on both WAN and LAN to see if the packets are hitting and where they're going but you figured it out. Glad to hear you've got it sort of working. You want your modem in bridged mode so that it acts like a dumb pipe without any firewalling or NATing. If that isn't possible then you're stuck with double-NAT where you forward ports on both your modem and pfSense. Blech.

pfSense does not use static source ports by default due to a security risk that allows attackers to potentially use that to intercept data. I don't remember all the specifics as it was long ago tat I read that (assuming Im even remembering it correctly.)

For your gaming purposes, there is nothing wrong security-wise with adding an outbound NAT rule to make traffic from your console use static ports.

thumbnail_20190617_122334_Burst01-1.jpg

@cdegroat82 Well, this is not something pf related.
The combination of pf vlans, esxi vlans switced based vlans and l3 routng at switches can become quickly overly complicated and its easy to overlook something.
Hope the rebuild has solved it :)

This has been gone over like a 100+ times... You do not need to forward 20, ever!!! You need to forward the passive ports your going to use, and you need to make sure your ftp server hands out your actual public IP vs its rfc1918 address.

But again as rico says ftp BAD! ;) Use sftp and now you don't have to worry about any of the active passive stuff on the data channel.

By default pfSense translates source addresses of responses back to the external address the request was addressed to when the packets go out.
Can you provide more details?

good news, you are welcome, I'm glad I was helpful

@Rico
port 53 is required for DNS on a CONTROL PANEL! for host.

also
the second server machine is hosting DDNS that also require DNS with default port "53"

What im asking: IS there a way to route port "53 DNS" to pfsense and then from pfsense to machine 1/2 ?

You have to use Phase 2 entries with BINAT. You can make one phase 2 entry per mapping if you must do them individually.

I will do an upgrade for this FW ASAP, but as it is a production, I can't do that as quick as I want.

Confirmed issue with ISP provider, their mystery device is in fact a router and has its own port-forwarding rules. I had misconfigured pfSense to the wrong IP on the mystery boxes' network, issue resolved after configuring pfsense correctly :-)