@luzemario I'm new to ampr and would like to setup my router for it. Could I get some assistance on getting my allocation going? Thanks

Best I can do is a picture of the output.

alt text

Having the same gateway on multiple interfaces is likely the problem. It works, sort of, with PPPoE, but it's not a configuration we recommend or technically support, due to issues like this.

Probably the requests are coming in one interface and then it can't figure out which way to send the replies.

The original issue was that I could not get port forwarding to work with my camera NVRs (2 of them), some websites were slow or not loading and could not access my ISP's website and email.

I had port forwarding setup in the wrong order or something. I reinstalled pfsense and redid all of the port forwarding rules after I found a very detailed video that basically explained firewall aliases much better than the pfsense documentation. That made setting up my port forwarding so much easier and took only 5 mins Port forwarding is working as it should and lightning fast compared to before.

As for my ISPs website or email not working, I was not able to access those from within my network on any client, whether it be PC or mobile device. It all worked fine on my asus router before I started using pfsense so I was stumped. My ISP is probably doing some wonky stuff with resolving or whatever. By adding Google's DNS servers has fixed this issue. Nothing else I tried was able to fix it. I would only change one setting at a time, apply and retry. If that did not work, I would revert back and try a different setting.

In short, everything seems to be working on every client both within and outside my network.

Are the VPN endpoints the default gateways in their LANs?

Have you assigned an interface to the OpenVPN instance on both sites?

Your actual box behind pfsense is not talking to 1195, pfsense would be talking to other pfsense on that port to create the tunnel.

Your traffic is then routed down that tunnel.

@derelict said in NAT Reflection with external IP from LAN:

When NAT reflection is used to access a server on the same subnet as the connecting client you will lose the source IP address of the client.

This is because if the server receives a connection from the same subnet it is on, the reply will not go back to the firewall and the firewall TCP state will break.

This is generally considered poor network design.

Using Split DNS will solve this problem without NAT reflection.

Appreciate your reply. I wish asked this question 3 weeks ago when i setup the boxes.

@bruno-rodrigo said in NAT / IPSec - Several sites interconnection puzzle:

One last try... Is this an impossible approach?
Does anyone knows how to solve this?

Hey
what are the phase 2 settings FW3<-> client ?
I'm interested in leftsubnet/rightsubnet
what are the phase 2 settings FW1<-> FW2 ?
I'm interested in leftsubnet/rightsubnet
which default gateway is FW3 ?
10.100.1.3 can ping 10.99.1.1 or any other host 10.99.1.0/24?

@vistatech
Hey
As I said , PF does not always work correctly with GRE over IPSEC.
Try to do so

disable GRE interface reboot Verify that THE IPSec tunnel is established enable the GRE interface
5.verify

OK, that makes sense. Thanks for the quick response.

Ohh looks like I resolved the issue by forcing all traffic through gateway :-)

Your right about the source being only opt1 good catch, I didn't catch that - sorry.

It's possible to use virtual IPs for forwarding, but it's not possible to assign 192.168.1.125 to the client LAN, since that IP is out of the server LANs network.
However, you don't need to assign a virtual IP for what you intent if pfSense is the default gateway in the client LAN.

If so, just add a NAT port forwarding rule to the client LAN for
dest: 192.168.1.125:443
target: 195.78.228.226:443
and it will do the job.

@_neok said in Outgoing NAT'ing from a single IP:

@jimp thanks for reply.
I was able to make it work. There are some tricks to make it work well. Now I have to go. Tomorrow I write how I made it work.
Bye

Gabriel

I had a rule to allow me to navigate my entire LAN through another gateway. I had to make an IP alias of my LAN by taking out the local IP in question. Along with that I set the local IP to go out to the internet through the same gateway over which is the interface that has the VIP associated. That, in combination with the Hybrid Outbound NAT and that's it. I was able to fix it.

Thanks for help
Best regards

Gabriel

Never set Outbound NAT from source any.

Set it to the inside networks that actually need NAT to happen.

I would suggest you start by enabling automatic mode and trying again unless you can state why you need manual outbound NAT.