• Multiple NordVPN with 1:1 NAT

    0 Votes
    7 Posts
    725 Views

    The thing is that even if I can get different addresses for TCP and UDP, it would still only work with 2 connections. Better if I can get the routing solved with 1:1 NAT somehow?

  • NORDVPN OpenVPN UDP Client / LAN Traffic.

    0 Votes
    5 Posts
    544 Views

    @NogBadTheBad

    OpenVPN Client.PNG

    The local address in the screenshot is the ISP router's LAN network.
    The virtual address is 10.100.0.2. I am assuming it's a /24 network (10.100.0.1 - 10.100.0.254). If it is, then there should be no overlap of network IP ranges.

  • NAT - Port Forwarding UI - Port Range not displayed

    0 Votes
    4 Posts
    228 Views
    johnpoz

    @muiredised said in NAT - Port Forwarding UI - Port Range not displayed:

    Blind to something obvious

    Your protocol is set to any, which would not need ports... If you want to use a "port" then set the protocol to a specific protocol that uses ports, like TCP or UDP, or both.

    ports.jpg

  • Public IP Multiwan NAT Configuration Question

    0 Votes
    2 Posts
    260 Views

    Here is the visual of the configuration with made up Public IPs

    2d658bdd-b6ea-48ef-820a-52fb08bec5b8-image.png

  • 0 Votes
    3 Posts
    258 Views

    @mcury thank you! solved!

  • DNS and NTP intercept for multiple interfaces

    0 Votes
    4 Posts
    338 Views
    GPz1100

    @keyser That did indeed do the trick.

    It appears I can also get rid of the floating firewall rule to allow dns server access (it's on a different vlan/subnet altogether than everything else).

    floating rule
    b06f548e-af54-43d0-b408-858a6542c147-image.png

    Since NAT rules are executed before floating rules, traffic never reaches the above rule.

    NAT/port forward
    d86c23a7-c29d-4496-bf4c-ef7cf1610a50-image.png

    This creates firewall rule below for the Local_networks "interface".
    d2673b2a-1449-4f90-b079-ba038b5b081a-image.png
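
The redirect-and-pass pattern behind that port forward, written out in raw pf syntax so the ordering is visible. This is an added example for this listing, not configuration posted in the thread or generated by pfSense; the interface group name Local_networks, the server address 10.0.50.10 and the VLAN layout are assumptions.

```pf
# Added example, not from the thread. Assumed names: an interface group
# "Local_networks" holding the client VLAN interfaces (not the server's
# own VLAN), and one internal host 10.0.50.10 serving both DNS and NTP
# on a separate VLAN.
dns_srv = "10.0.50.10"
ntp_srv = "10.0.50.10"

# Translation (rdr) is applied before the filter rules see the packet.
# Any DNS or NTP request leaving a client VLAN for some other destination
# is rewritten to the local server. "to ! $dns_srv" leaves requests that
# already target the server alone; it also means the server's own
# upstream queries must not cross an interface in the group, or they
# would be redirected back to the server itself.
rdr on Local_networks inet proto { tcp udp } from any to ! $dns_srv port 53 -> $dns_srv port 53
rdr on Local_networks inet proto udp from any to ! $ntp_srv port 123 -> $ntp_srv port 123

# The filter evaluates the translated packet, so the pass rule names the
# real server, not the resolver the client had configured. These two
# rules are what the separate "allow DNS server access" rule was doing.
pass in quick on Local_networks inet proto { tcp udp } from any to $dns_srv port 53 keep state
pass in quick on Local_networks inet proto udp from any to $ntp_srv port 123 keep state

# Optional hardening (an assumption, not asked for in the thread):
# clients using DNS over TLS (TCP 853) bypass a port-53 redirect, so
# block it explicitly. DNS over HTTPS looks like ordinary HTTPS and
# cannot be separated by port alone.
block in quick on Local_networks inet proto tcp from any to any port 853
```

The practical check after loading rules like these is to resolve a name against a deliberately wrong resolver from a client VLAN (for example, query 9.9.9.9) and confirm in the state table that the state's destination is 10.0.50.10; if the lookup fails instead, the pass rule is matching the pre-translation address.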

  • Outgoing packets with Private IP on WAN

    0 Votes
    1 Post
    128 Views
    No one has replied

  • PFSense and NoMachine, Looking for Correct Settings

    0 Votes
    1 Post
    143 Views
    No one has replied

  • NAT 1:1 configuration in HA-CARP mode

    0 Votes
    8 Posts
    781 Views
    empbilly

    @SteveITS said in NAT 1:1 configuration in HA-CARP mode:

    For your IP alias I think /32 is wrong:

    @viragomann said in NAT 1:1 configuration in HA-CARP mode:

    So there is something wrong with this IP or the CARP VIP, which you should troubleshoot.
    Check the logs for hints.

    Hooking up the IP alias on the CARP VIP is necessary for proper failover. If you just set it on the interface it can never failover to the secondary.

    Thank you both for your help!!!

    I've set up a new carp just for this type of 1:1 NAT situation and I'm doing a port forward.

  • Unable to access internet through pfsense

    0 Votes
    5 Posts
    460 Views

    @Froginou14
    Thank you for your kind attention to my topic. I tried as per your instructions but the issue is still the same: it is saying "DNS probe finished, no internet access".
    If I pass traffic through Squid by typing the IP of this firewall in the proxy settings, the error "connection timeout" is showing.

  • Port Forwarding for Roon

    0 Votes
    7 Posts
    1k Views

    @jasiu82 Ah yes, on the phone you may be limited to running only one VPN at a time, like on iOS. https://tailscale.com/kb/1105/other-vpns.

    Otherwise it might be possible to set it up so that tailscale only routes traffic from the apps that want it (roon in this case). I have not looked into this at all, but perhaps this provides some insight into how it can be done: https://www.reddit.com/r/Tailscale/comments/15e9m6m/routing_specific_traffic_through_exit_node/

    But on the other hand, the tailscale client on your phone will find your "home IP" by checking with tailscale's servers. And they only know what the subnet router on your home network tells them. So when you say you run "all traffic on NordVPN from the pf4100", how do you achieve that?

    If you have policy routing that routes any and all traffic on your LAN via your NordVPN tunnel... Then the way it should work is that the Tailscale subnet router will also find its way out via NordVPN...
    So even if you only run tailscale on your phone, it should anyway end up inside your NordVPN connection, a tunnel within a tunnel.

    But even if your phone no longer uses NordVPN, from a privacy standpoint I suppose it really doesn't matter since it's you that initiates a point-to-point connection to your own network. So the fact that it goes to your IP directly doesn't matter since it is fully encrypted and there is no way for anyone to even know what's going on inside... regardless of whether it's roon or some other server you are accessing inside your network.

  • Transparent Proxy

    0 Votes
    1 Post
    472 Views
    No one has replied

  • 0 Votes
    12 Posts
    658 Views
    johnpoz

    @tomsawyer2k5 other than maybe setup a new machine with the software.. I would assume it should have the details to login built in, or ask the user for the info, like their username and password, etc..

    For all we know the machine that was not working, they put in some bad info when it asked them.. Typo'd IP or fqdn they were supposed to put into the config on setup, or username/password, etc.

  • NAT Wireguard Subnet to other Subnet

    0 Votes
    5 Posts
    506 Views

    @Jarhead

    I limit both internet access and inter-VLAN communication.
    I think the complete ruleset would be a bit much :)
    In principle, there are rules that, for example, allow all devices in the home VLAN to access destinations on the Internet via HTTP/HTTPS, but there are also rules that allow all devices in the home VLAN to access services in the other VLANs. For example, all devices may contact the NTP server in VLAN X on UDP 123. However, I now have to maintain the same rules for the Wireguard VLAN, as these are virtually the same for me as if they were devices from the home VLAN. So now I also have to create a rule that allows all devices from the Wireguard VLAN to access destinations on the Internet via HTTP/HTTPS or the rule that they are allowed to access the NTP service in VLAN X.

    That's what I mean by ruleset copy. If I now create a new rule for the home VLAN, e.g. that they are allowed to access a DNS in VLAN Y, then I must also create this rule for the Wireguard VLAN. This is a bit tedious. It would be better if I only had to create a rule for the home VLAN and didn't have to worry about creating the same rule for the wireguard VLAN.

    I don't see how aliases could help me in this case.

    Maybe I have to mention that all subnets are on different physical interfaces. So basically, each subnet/VLAN has its own physical network interface.
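
The pattern that lets one rule serve both the home VLAN and the WireGuard network, written in raw pf syntax as an added example for this listing (not rules posted in the thread, and not pfSense-generated output). The interface names igb1, igb2 and tun_wg0, the address ranges and the server addresses are assumptions; in pfSense terms the same two building blocks are an Interface Group for the interface list and a Network-type alias for the source table.

```pf
# Added example, not from the thread. Assumed names and addresses:
# home VLAN on igb1 (192.168.10.0/24), WireGuard on tun_wg0 (10.99.0.0/24),
# NTP in VLAN X at 192.168.20.5, DNS in VLAN Y at 192.168.30.5.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <trusted_nets> const { 192.168.10.0/24, 10.99.0.0/24 }
trusted_ifs = "{ igb1 tun_wg0 }"
ntp_srv = "192.168.20.5"
dns_srv = "192.168.30.5"

# One rule per service, matched on both interfaces and both source
# networks. A new network is added to <trusted_nets> and $trusted_ifs
# once; no rule is copied.
pass in quick on $trusted_ifs inet proto udp from <trusted_nets> to $ntp_srv port 123 keep state
pass in quick on $trusted_ifs inet proto { tcp udp } from <trusted_nets> to $dns_srv port 53 keep state

# Internet only: destinations outside RFC 1918 space, HTTP/HTTPS only.
# Without the "! <rfc1918>" exclusion this rule would also open the other
# VLANs on 80/443, which is the usual mistake when collapsing rules.
pass in quick on $trusted_ifs inet proto tcp from <trusted_nets> to ! <rfc1918> port { 80 443 } flags S/SA keep state

# Everything else from these interfaces is dropped. pf is last-match, but
# the quick passes above already won for permitted traffic.
block in log on $trusted_ifs all
```

Binding the rules to both an interface list and a source table matters: a rule keyed only on the source network would also match spoofed packets arriving on the wrong interface, and a rule keyed only on the interface would pass anything the tunnel peer chose to send.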

  • Outbound NAT - Potential RFC violation?

    0 Votes
    11 Posts
    939 Views
    Derelict

    @adude42069 Don't confuse random, ephemeral source ports (which is the scope here with the random port translations in outbound NAT) with destination ports on which services are listening for connections (Which is the scope of IANA registration).

  • NAT to get to subnet when router doesn't have a route.

    0 Votes
    3 Posts
    303 Views

    @johnpoz Thanks for the reply. The metro interface address at building A is 192.168.0.252. Building A WAN address is the ISP address, building B WAN is 192.168.1.252, the gateway IP assigned to the metro at that location.

    I know the setup isn't correct. I should have the firewall address as the gateway with a route to other networks set up such that all traffic not seeking another network just goes out the WAN address, and when traffic is seeking an internal network, it gets properly routed. However, when I do that, it doesn't work. I think it's because I have yet another pfSense firewall at another location with its own ISP/WAN. Dual WANs from a single exit point are easy, but I haven't figured out how to make it work reliably if one ISP goes down to send traffic out of another network's WAN. For now, it "works"; I'm trying to see if I can solve this one issue and clean up the rest down the road.

    Thanks.

  • DMZ though ISP router

    0 Votes
    10 Posts
    1k Views

    @Gertjan It was a standard situation: ISP support didn't understand pfSense, so they told me that I must make a port forward like on a ptlink 😭, but the issue was that they forgot to disable the firewall on the router. It was in bridge mode, but the firewall blocked input.

  • HOW TO CONNECT SUBNET 192.168.0.8 TO SUBNET 192.168.2.10

    0 Votes
    2 Posts
    269 Views
    johnpoz

    @scapino

    So you have network 192.168.2, and a network 192.168.0 on pfSense.. There is nothing to do, pfSense auto connects networks it is directly attached to.

    If you want some client on network A to talk to network B that are both attached to pfsense, you would need your firewall rules to allow for it. You would have to bypass any policy routing you might be doing that shoves traffic out a gateway or vpn. And the destination IP would have to be using pfsense as their gateway, and their host firewall would have to allow the traffic from this other network.

  • Yealink Phones will not register to cloud PBX behind pfense

    0 Votes
    6 Posts
    573 Views
    planedrop

    I definitely haven't ever had issues registering Yealink phones, we aren't using FreePBX though, I think maybe change the post title to be about 3CX? Doesn't sound like a Yealink specific issue to me.

    As for why it worked on the Sonicwall, this is one of the reasons I don't like sonicwall and most other "enterprise" firewalls, they do too much for you "automagically" so then when things don't work it's hard to know why; since we can't always know why it worked in the first place lol.

    Anyway, anti-Sonicwall rant over.

    So some devices register fine, do they make calls OK or just register? Same subnet and all that I presume?

    If you do a pcap, can you see the Yealinks trying to reach out on 5060 and just not getting a response?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.