• Port Forward Works randomly

    0 Votes
    4 Posts
    520 Views
    Rico

    You can't just use any public IP in private networks without getting into trouble.
    There are 17.89 million addresses reserved as private, so why the F do you use public space?

    -Rico

  • Issues reaching devices on my network (NAT Suspected)

    0 Votes
    4 Posts
    444 Views
    chpalmer

    @theRealPhoenix said in Issues reaching devices on my network (NAT Suspected):

    ping from 172.16.100.8 -> 172.16.100.10

    If this is on the same subnet, i.e. not a couple of /29s or something, then they are behind the same router interface.

    If they are on the same subnet then the traffic from one of those to the other never touches the router. That's handled as a switch function. Your router only sees traffic it needs to pass from one interface to another.

    If traffic is meant for an address outside of the subnet, then the traffic is directed by the switch towards the "gateway" address of the gateway device (in this case your pfSense box) to pass through it to another interface.

    If traffic is meant for another address inside the subnet then the traffic is directed to the other device by the switch. The switch will not send the traffic to an interface it is not meant for. That includes your router.

    :)

  • Cannot ping WAN default gateway when sourcing from LAN

    0 Votes
    2 Posts
    453 Views

    Oh crap, I found out what it was:

    Do NOT disable the firewall under System>Advanced>Firewall

  • Public ip for mac address

    0 Votes
    4 Posts
    850 Views
    johnpoz

    @stijnroaer said in Public ip for mac address:

    they hand out a 10.x.x.x address

    Well you can not get to that from the public internet - it doesn't route on the public internet.. There is no way to get to a 10 address over the internet..

    If you know what the IP is, you could prob get to it via VPN to pfSense, put a VIP on the pfSense WAN that is on the 10.whatever/network and talk to it that way.

  • Internal port forward (Maybe)

    0 Votes
    6 Posts
    455 Views

    @McMeanF
    What are you hosting on host03!?
    If it's IIS you can just redirect port 80 or 443 to 10443.
    If it's Linux based I think you can also do that.
    I think you need to do the port redirect on host03 rather than on pfSense itself.
    I already have IIS that redirects port 80 to 443, so I think you should be able to do it at the host03 level.
    So then for your HAProxy you need to forward to 80/443 rather than 10443 and let the host handle the redirect to 10443.
    So port 10443 should be open on pfSense, which it is if you are able to connect to host03 from outside.
    This would solve your problem if host03 is able to redirect from 443 to 10443.

  • 0 Votes
    2 Posts
    306 Views
    Derelict

    It is very possible that a client device would prefer IPv4 over IPv6 if all it has is a ULA address and the destination is GUA (or even outside the ULA /48).

    If there is a setting to behave differently, it would be a setting in the client's stack configuration.

    Needless to say Advanced->Networking "prefer IPv4 to IPv6" is not checked.

    That is for connections from the firewall itself, not connections through the firewall. The firewall cannot tell the client which to use. It makes a decision based on the status of its network stack. A setting such as that on the client is what I was talking about up there.

  • Outbound works fine, but cannot make inbound connections

    0 Votes
    11 Posts
    783 Views

    @automate

    If you've removed the source alias from both, your NAT and corresponding rule look OK to me.

    There was a problem with the LB2120 in bridge mode

    Are you on the latest LB2120 firmware?

  • Port forwarding not working default NAT reflection

    0 Votes
    8 Posts
    541 Views

    @johnpoz yes I have made it passive too and port forwarded. I must use it because my hosting provider only supports FTPS and that's why. Normally I use SFTP but here they are still behind. Hope one day they fix this.

  • Strange behavior with UDP protocol

    0 Votes
    12 Posts
    1k Views
    jimp

    And what is in that alias? It must only contain one entry, an IP address. Do the contents of the table show up under Diag > Tables?

    Does it work if you remove the alias and put the IP address in directly?

    The rules have no matches, so there must not be any traffic arriving which matches.

  • SIP States NO TRAFFIC after WAN connection changes - sometimes

    0 Votes
    1 Post
    216 Views
    No one has replied

  • Connection reset when using OpenVPN

    0 Votes
    1 Post
    108 Views
    No one has replied

  • NAT stop working suddenly after a couple of packets

    0 Votes
    8 Posts
    295 Views
    stephenw10

    Mmm, the only reason you would ever not see that traffic NAT'd when the NAT rule is present and correct is if it cannot create the NAT state due to one already existing.
    I suspect a state is synced from fw1 somehow and it prevents the correct state being re-created. If there are no replies to the pings that doesn't happen so you see the outbound ping requests all NAT'd correctly.
    You might be able to prevent that happening with stateless rules for example.... but you need the NAT state synced to fw1 in order for it to send the replies back to fw2. You might be able to use a port forward for that maybe.

    All pretty ugly! And you would need to replicate whatever you put in place so that fw has connectivity when fw2 is master.

    Steve

  • NAT without Firewall

    0 Votes
    3 Posts
    2k Views

    Creating a special rule ("allow any to any") named "temporary firewall disabled" on each interface is a good idea. I hadn't thought about it.

    I haven't read the hints because I'd like to do the opposite (no rules with NAT).

    Thanks for all.

    I'll test as soon as possible.

  • IPSec and Port Forward

    0 Votes
    1 Post
    241 Views
    No one has replied

  • Disable WAN Network reachability from LAN

    0 Votes
    4 Posts
    629 Views

    You may still have access to the internet over the gateway and to the public IP of the gateway, but not to its internal address (WAN net) with that.
    If you want to block any traffic from LAN, disable the default allow-any rule on the LAN interface, but ensure that you keep access to the WebGUI (Anti-Lockout rule).

    @user7364 said in Disable WAN Network reachability from LAN:

    When I disable the LAN > WAN Rules (auto created) under Firewall > NAT > Outbound everything seems to work. But I do not know if I need the rules for something.

    That's the NAT rule translating the source IP of outgoing packets to the WAN address. If you don't need internet access you may disable this.

  • ISP -> Synology NAS (reverse proxy) -> PFSense -> HAProxy -> ADFS

    0 Votes
    3 Posts
    1k Views

    Success! Got it working, with the PFSense / HAProxy in the middle.
    The trick is to enable SSL Offloading on HAProxy and import the required certificates.

    Disclaimer: SSL Offloading is NOT supported for AD FS; only use this in your lab, not in production environments:
    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#x-ms-forwarded-client-ip-does-not-contain-the-ip-of-the-client-but-contains-ip-of-the-firewall-in-front-of-the-proxy-where-can-i-get-the-right-ip-of-the-client

    This thread can be closed.

    Kami.

  • PFSENSE: 2nd WAN IP for 2nd internal LAN

    0 Votes
    2 Posts
    295 Views
    chpalmer

    You would set up a virtual address.

    https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html?highlight=virtual

    Then either port forward or use 1:1 NAT to the second address. Plus some WAN firewall rules to let the traffic pass.

  • Can not block traffic from wan1 to single internal IP

    0 Votes
    10 Posts
    658 Views
    johnpoz

    You're not understanding how it works.. That is what the problem is!!

    Your rules allow anything on the LAN to go anywhere outside the LAN... Which WAN interface you use is via the gateway group you set up..

    wangroup.png

    So you have this...

    outbound.png

    If you don't want 10.0.0.22 to use WAN1, then you have to set up a rule on LAN to only send it out WAN2 - not your group.. If you allow traffic out from WAN1 from the client - then YES the answer will come back via that interface..

    answer.png

    You could do say this if you only want that .22 box to use wan 2

    somethinglikethis.png

    Rules are evaluated as traffic enters an interface from the network it's attached to... First rule to trigger wins, no other rules are evaluated.. So your rule says hey anything on the LAN - go out this gateway group which includes both 1 and 2.. So yeah that is what is going to happen!! And then yes the answers will come back through the WAN interface it left on.

    If you don't want a specific client to use the group, then force it out a different one... Keep in mind you need to make sure what happens when WAN2 is down - then it could still go out the group and therefore WAN1.. Depending on what you tell pfSense to do with the rules when the gateway is down, etc.

  • Not able Access OPT1 through NAT

    0 Votes
    3 Posts
    196 Views

    @systemadmin said in Not able Access OPT1 through NAT:

    OPT1 (192.168.55.26) has a DHCP IP which it gets from another Sonicwall firewall.
    We want to give NAT access to the machine which has an IP from the Sonicwall firewall.

    That reads like the devices on the OPT1 network are using the Sonicwall as default gateway. So you will get an asymmetric routing issue unless you configure the devices to use pfSense, or do NAT on outbound packets on OPT1, or route the traffic meant for those devices over the Sonicwall.

    @systemadmin said in Not able Access OPT1 through NAT:

    Please find Packet capture for not working NAT rule:

    Can't find any IP address in the capture, so it says nothing about NAT.
    🙄

  • Forwarding port 80 didn't work

    0 Votes
    16 Posts
    6k Views

    @KOM Understood, thank you very much

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.