@samax2207 capture your SIP traffic and analyze it

RTFM: https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html#method-2-split-dns

What?

Post screenshots of all of this please.

@rosenstand
Hi have you got this sorted out?

or does anyone else have a fix for this :)

Hello Derelict,

Your advice has worked very well.

Thanks

gosh found the problem for that :)
i used the wrong gateway, so changing Dest. Address to VLAN10 address did it for me
thank you very much

ps can't edit the post above due spam detection 😌

Put the IP Alias VIP on LAN.

Put a port forward on LAN forwarding connections to the VIP:443 to the Web Server:443.

That will override the connection to the WebGUI. You will still get the web gui on the LAN address:443

@jimp Thank you very much for the fast repsonse. SOLVED

Thank you kind sir.
I appreciate the advice.
B

I downloaded a different VPN client after spending far too long trying to solve this and it seems to be working fine. It is just bad timing that it started happening with the change in firewall, a spurious correlation. Everything was configured correctly and happening on multiple machines and different users.

Okay made the change to the 'dest'. Thanks for the help fellas..

@wurstsemmel said in Fort Forwarding SMTP - One wan works the other does not:

Sorry for reposting. If I set the corresponding gateway in the wan interface configuration, everything works as expected. I am confused, as the guides for CARP clearly state NOT to do this.

I'm not sure where you read that, but the HA guides don't say not to use gateways on WAN interfaces. Perhaps you misunderstood some other HA point.

All WAN-type interfaces should have a gateway selected on their interface configuration.

@periko said in nat for 2 email servers with just 1 wan?:

Is possible to NAT traffic for both servers using the same email ports 465/993 on each one?

These are ports to deposit mail for sending (smtps) and consulting mails on a mailbox/server imaps (993).

These two ports are probably used by fat-mail-clients like Outlook or Thunderbird.
Take the more intelligent (smaller ?) user (== domain ?) group of your 2 mail servers, and say to these guys : "Hey, guys, if you see somewhere that mentions port '993', change it for 994' - idem for 465, make that 466."
Now you can NAT easily on your side.

Most people don't care less what they have to choose, they only setup a mail clients ones, and will redo it when their computer breaks down after X years. They don't know why its "465" or "993" anyway.

Note : this won't work if it concerns port 80 or 443 .... people don't know that they use these ports several times a day

No problem, I go by either. 😉

If traffic from Squid is leaving by a different interface either Squid is set to run on that IP directly or clients not using Squid are not using the default gateway for some reason.
We would need to see your routing table, gateway setup and LAN side firewall rule to know more.

Steve

There almost certainly is never going to be an FTP ALG added to pfSense.

pfSense is a security product.

FTP is insecure and outdated and the general consensus is that nobody should be using it in production any more.

If a security layer WAS added, as in FTP/S, then an ALG would be useless because it could neither see nor manipulate the inside of the protocol.

SFTP works, is secure, and doesn't require any of this nonsense.

Yes or
10/8
172.16/12
192.168/16

...I just wanted to post a bit more "human readable". ;-)

-Rico

ok, thanks. next time it happens I'll try restarting the web service on the server to see if that's where the problem lies. I'll report back.