• 3CX & NAT (Again)

    0 Votes
    25 Posts
    3k Views
    @SteveITS yes, that is correct and it is written everywhere. The problem is that, 99% of the cases, you cannot reinstall and that was my case :)
  • Recent GUI issue with Chrome (minor but annoying)

    0 Votes
    1 Posts
    122 Views
    No one has replied
  • Allowing random IP/PORT into LAN

    0 Votes
    54 Posts
    4k Views
    @johnpoz STILL WORKING!! Thank you again for all of your help. How can I help your status? I am new to the forums.
  • Access Modem GUI Behind Firewall

    firewall rules nat rules interface gui access modem
    0 Votes
    107 Posts
    19k Views
    JonathanLee
    Great job, and you also learned port forwarding, ACL ordering, alias creation and much more. I love this forum, you can learn so much. Now you just need an OpenVPN configured with a NAS server for private cloud use
  • 0 Votes
    5 Posts
    963 Views
    @Bob-Dig thanks for your feedback again! Yeah, I think they are assigned properly, unless I'm missing something here and PPPoE actually requires a different assignment. [image: assigments.png] [image: gateways.png] Thank you!
  • LAN Clients cannot see OPT1 Client

    0 Votes
    6 Posts
    467 Views
    @Gertjan Oof, also a typo. The desktop actually ends with 100, not 1. I'll make an edit. That WOULD be a disaster.
  • Use Public IP site A for server on site B

    0 Votes
    5 Posts
    481 Views
    @viragomann Thanks for your help. It works now. In fact it was my openvpn interface that did not handle the IP address.
  • Virtual PFsense behind physical router

    openvpn openvpn client route virtual router
    0 Votes
    2 Posts
    459 Views
    Problem 2 fixed by adding route to 192.168.5.0/24 on Mikrotik side
  • Multiple NordVPN with 1:1 NAT

    0 Votes
    7 Posts
    830 Views
    The thing is that even if I can get different addresses for TCP and UDP, it would still only work with 2 connections. Better if I can get the routing solved with 1:1 NAT somehow?
  • NORDVPN OpenVPN UDP Client / LAN Traffic.

    0 Votes
    5 Posts
    646 Views
    @NogBadTheBad [image: openvpn-client.png] The local address in the screenshot is the ISP router's LAN network. The virtual address is 10.100.0.2. I am assuming it's a /24 network (10.100.0.1 - 10.100.0.254). If it is then there should be no overlap of network IP ranges.
  • NAT - Port Forwarding UI - Port Range not displayed

    0 Votes
    4 Posts
    258 Views
    johnpoz
    @muiredised said in NAT - Port Forwarding UI - Port Range not displayed: Blind to something obvious your protocol is set to any, which would not need ports... If you want to use a "port" then set the protocol to a specific protocol that uses ports like tcp or udp. or both.. [image: ports.jpg]
  • 0 Votes
    4 Posts
    647 Views
    @asodipo Console Menu Basics Using the PHP Shell
  • Public IP Multiwan NAT Configuration Question

    0 Votes
    2 Posts
    286 Views
    Here is the visual of the configuration with made-up Public IPs [image]
  • 0 Votes
    3 Posts
    273 Views
    @mcury thank you! solved!
  • DNS and NTP intercept for multiple interfaces

    0 Votes
    4 Posts
    367 Views
    GPz1100
    @keyser That did indeed do the trick. It appears I can also get rid of the floating firewall rule to allow dns server access (it's on a different vlan/subnet altogether than everything else). floating rule [image] Since NAT rules are executed before floating rules, traffic never reaches the above rule. NAT/port forward [image] This creates firewall rule below for the Local_networks "interface". [image]
  • Outgoing packets with Private IP on WAN

    0 Votes
    1 Posts
    137 Views
    No one has replied
  • PFSense and NoMachine, Looking for Correct Settings

    0 Votes
    1 Posts
    159 Views
    No one has replied
  • NAT 1:1 configuration in HA-CARP mode

    nat carp ha carp
    0 Votes
    8 Posts
    945 Views
    empbilly
    @SteveITS said in NAT 1:1 configuration in HA-CARP mode: For your IP alias I think /32 is wrong: @viragomann said in NAT 1:1 configuration in HA-CARP mode: So there is something wrong with this IP or the CARP VIP, which you should troubleshoot. Check the logs for hints. Hooking up the IP alias on the CARP VIP is necessary for proper failover. If you just set it on the interface it can never failover to the secondary. Thank you both for your help!!! I've set up a new carp just for this type of 1:1 NAT situation and I'm doing a port forward.
  • Unable to access internet through pfsense

    0 Votes
    5 Posts
    509 Views
    @Froginou14 Thank you for your kind attention to my topic, I tried as per your instructions but issue is still same it is saying dns prob finished no internet access if I pass traffic through squid by typing IP of this firewall in proxy err connection timeout is showing
  • Port Forwarding for Roon

    0 Votes
    7 Posts
    2k Views
    @jasiu82 Ah yes, on the phone you may be limited to running only one VPN at a time, like on iOS. https://tailscale.com/kb/1105/other-vpns. Otherwise it might be possible to set it up so that tailscale only routes traffic from the apps that want it (roon in this case). I have not looked into this at all, but perhaps this provides some insight into how it can be done: https://www.reddit.com/r/Tailscale/comments/15e9m6m/routing_specific_traffic_through_exit_node/ But on the other hand, the tailscale client on your phone will find your "home IP" by checking with tailscale's servers. And they only know what the subnet router on your home network tells them. So when you say you run "all traffic on NordVPN from the pf4100", how do you achieve that? If you have policy routing that routes any and all traffic on your LAN via your NordVPN tunnel... Then the way it should work is that the Tailscale subnet router will also find its way out via NordVPN... So even if you only run tailscale on your phone, it should anyway end up inside your NordVPN connection, a tunnel within a tunnel. But even if your phone no longer uses NordVPN, from a privacy standpoint I suppose it really doesn't matter since it's you that initiates a point to point connection to your own network. So the fact that it goes to your IP directly doesn't matter since it is fully encrypted and there is no way for anyone to even know what's going on inside... regardless if it's roon or some other server you are accessing inside your network.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.