take it that 100 is really a 10 and that just a typo ;)

Glad you got it sorted

Well the sniff will prove it too them..

I started this but its long and got distracted with some other people trying to help. A Beloved Freenode user says, I JUST WENT THROUGH ALL THIS. Pfsense does not pass headers with NAT and you have to use haproxy to assist.

The channel went ballistic on pfsense saying that is rather stupid and down right ridiculous pfsense does this and that NAT is layer 3 based and it should pass the packets unaltered.

Guess im watching this whole video. :P

Solved! Since I'm a newbie to pfSense, I made a simple mistake. The 1:1 NAT was fine, but in my manual firewall rule I entered the public IP rather than the DMZ IP. Everything is working now include BINAT. Thanks for your help and patience!

In such a case you should be able to access the 192.168.1.x/24 IP from 192.168.3.x/24 because pfsense would nat your 192.168.3.x traffic to pfsense IP address in 192.168.1

If you do not nat this then yes you would run into a problem. You have to make sure you setup outbound nat on the 192.168.1 interface so that traffic coming from 192.168.3 is natted to the 192.168.1 address of pfsense in that network.

You would also need to make sure your not forcing your lan traffic out your specific wan dhcp gateway (ie your public connection). You need to leave the gateway on your lan as default or put a policy route above it to use your 192.168.1 interface when wanting to go to 192.168.1

Thank you Derelict. The Host Alias feature is doing exactly what I need and want it to. Guess I had missed it when reading through the documentation.

Once you have a tunnel there is no need for 1:1 nat or any nat.. The tunnel is used to route the traffic to get to your network.. The whole POINT to a vpn..

If you were going to create a tunnel - there is zero reason not to encrypt it because its going over the public internet.

So one more oddity in the whole process.

If I reboot, the port forward stops working.

To get it working again, I simply just re-apply the firewall rules with no changes to them and it works again.

Is there a way to capture a before / after that would assist in figuring out why it isn't working on the reboot?

@gertjan said in Cannot port forward: "not a valid redirect target port. It must be a port alias or integer between 1 and 65535":

@freddyh said in Cannot port forward: "not a valid redirect target port. It must be a port alias or integer between 1 and 65535":

The selections made under NAT/Port Forward/Edit; the rest left at pfsense default

Interface: WAN
Protocol: TCP
Destination: WAN
Destination port range: 443
Redirect target IP: 192.168.2.100

Strange, your are omitting the "Redirect target port" field.
It should be

Redirect target port : 443

en then pfSense will accept your NAT rules :

0_1534259842093_dfbacfd7-24b6-425f-a5c5-dfa51fc730d1-image.png

Gertjan

Thanks so much. Problem solved. Its the small things that are overlooked.
Its been a crap day solving problems that I didnt even see that one.

Appreciated!

Also where did you come up with this 200.10.1 ?? That is not rfc1918 space.. Its owned by

inetnum: 200.10.0/22
owner: Administradora BANCHILE de Fondos Mutuos
Country: CL

You do not just pull space out of thin air and try and use it, even if behind a nat.

Your HOME Network should be using rfc1918 space..

When the reply packet was received by the firewall it had no route in the routing table for the destination so it returned Destination Unreachable.

Going to need a much more detailed description of what you have done and what you expect to happen.

Screenshots would probably help.

@sammartin8935 said in I am using pfSense firewall, but...:

to protect you from viruses and other security threats, in the end you will still need a good antivirus and VPN

Needs a VPN why exactly? Sorry but your typical user does not need a vpn..

For whatever funky reason, a reboot fixed this issue. Looks like the allow any any rules were not being loaded correctly.

I stand corrected!😊

~Mat

yeah you should have primate domain setup as well, but you also wan to set your networks as lan as above in my pic.

I would not suggest you disaable rebind protection, but setting specific domain as private is easy
https://www.netgate.com/docs/pfsense/dns/dns-rebinding-protections.html

0_1533545709554_plexdirect.png

0_1533546699532_direct.png

You are probably going to have to post exactly what you want to do.

https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html

https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

You do not need to disable any outbound NAT. If the traffic from the mail server leaves WAN2 (or whatever your failover WAN is called), it will not hit NAT rules on WAN, only NAT rules on WAN2.