• Pfsense blocking Dynamic DNS

    3
    0 Votes
    3 Posts
    870 Views
    O

    The only thing I want to do is access pfsense homepage remotely by using dynamic dns. Nothing else. Please tell me what specifics you mean

  • Adding more hosts to ALIAS used in rule doesn't work. BUG?

    2
    0 Votes
    2 Posts
    370 Views
    DerelictD

    IS this a bug?

    Probably not. Countless people do the same thing.

    You'll probably have to give a more-specific example including screen shots, contents of the Alias/table (Diagnostics > Tables) before and after the new address addition, the port forward, firewall rule, etc.

  • Redirection Traffic

    21
    0 Votes
    21 Posts
    2k Views
    GertjanG

    NAT : https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html
    DNS : Start here https://www.netgate.com/docs/pfsense/dns/unbound-dns-resolver.html

  • 1:1 NAT not working. Replacing Checkpoint with Pfsense

    19
    0 Votes
    19 Posts
    2k Views
    johnpozJ

    You can for sure limit the source to your actual source out on the internet to get to this host you're sending the nat to.. But if you're putting in your actual wan IP, then as Derelict has stated - that is never going to work.

  • Pfsense Port Forwarding issue behind Uverse Modem

    12
    0 Votes
    12 Posts
    2k Views
    C

    @napsterbater Thanks napsterbater. I was just trying to RDP/3389 as my first step to testing port forwarding on the pfsense router before adding any other ports but I didn't know that at&t was so sh***y to the point where they would block a passthrough/supposed DMZ'ed IP address to allow all items to that one address, but I should have known better. I wish another ISP was available in my location, I would leave them with the quickness. But to have to add port forwarding in my pfsense and then port forwarding in the Uverse gateway, is ludicrous and makes no sense for a DMZ'ed address. Thanks again for the suggestion and I appreciate you all's time and help on this!

  • Force internal ip to connect to local service externally

    3
    0 Votes
    3 Posts
    454 Views
    johnpozJ

    @shadowsong said in Force internal ip to connect to local service externally:

    I connect directly to IP:Port, so DNS is not possible.

    I never really understand such an answer - are you saying this IP and port are HARD CODED? That is borked!

    Or that you just have not setup a fqdn to resolve.. Do you not have access to the dns server your clients talk to?

  • Port Forwarding on a Double NAT system

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Port forwarding: Timeout

    16
    0 Votes
    16 Posts
    4k Views
    johnpozJ

    Take it that 100 is really a 10 and that's just a typo ;)

    Glad you got it sorted

  • Strange behaviour with an IPSec tunnel (site-to-site) and Outbound NAT

    1
    0 Votes
    1 Posts
    326 Views
    No one has replied
  • New ISP, port forwarding working intermittently

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ

    Well the sniff will prove it to them..

  • 1:1 NAT with IIS and multiple subdomains / websites

    3
    0 Votes
    3 Posts
    643 Views
    S

    I started this but it's long and got distracted with some other people trying to help. A Beloved Freenode user says, I JUST WENT THROUGH ALL THIS. Pfsense does not pass headers with NAT and you have to use haproxy to assist.

    The channel went ballistic on pfsense saying that is rather stupid and downright ridiculous pfsense does this and that NAT is layer 3 based and it should pass the packets unaltered.

    Guess I'm watching this whole video. :P

  • 1:1 NAT not BINATing

    6
    0 Votes
    6 Posts
    723 Views
    J

    Solved! Since I'm a newbie to pfSense, I made a simple mistake. The 1:1 NAT was fine, but in my manual firewall rule I entered the public IP rather than the DMZ IP. Everything is working now including BINAT. Thanks for your help and patience!

  • Accessing modem network from inside firewall (Bridge Mode)

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ

    In such a case you should be able to access the 192.168.1.x/24 IP from 192.168.3.x/24 because pfsense would nat your 192.168.3.x traffic to pfsense IP address in 192.168.1

    If you do not nat this then yes you would run into a problem. You have to make sure you setup outbound nat on the 192.168.1 interface so that traffic coming from 192.168.3 is natted to the 192.168.1 address of pfsense in that network.

    You would also need to make sure you're not forcing your lan traffic out your specific wan dhcp gateway (ie your public connection). You need to leave the gateway on your lan as default or put a policy route above it to use your 192.168.1 interface when wanting to go to 192.168.1

  • Issue with Outbound NAT using Network and Broadcast addresses

    3
    0 Votes
    3 Posts
    521 Views
    J

    Thank you Derelict. The Host Alias feature is doing exactly what I need and want it to. Guess I had missed it when reading through the documentation.

  • 1 to 1 NAT for LAN subnet to WAN

    18
    0 Votes
    18 Posts
    1k Views
    johnpozJ

    Once you have a tunnel there is no need for 1:1 nat or any nat.. The tunnel is used to route the traffic to get to your network.. The whole POINT to a vpn..

    If you were going to create a tunnel - there is zero reason not to encrypt it because it's going over the public internet.

  • TorGuard / Port Forward / Adding VPN

    5
    0 Votes
    5 Posts
    1k Views
    A

    So one more oddity in the whole process.

    If I reboot, the port forward stops working.

    To get it working again, I simply just re-apply the firewall rules with no changes to them and it works again.

    Is there a way to capture a before / after that would assist in figuring out why it isn't working on the reboot?

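  • Cannot port forward: "not a valid redirect target port. It must be a port alias or integer between 1 and 65535"

    0 Votes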
    3 Posts
    6k Views
    F

    @gertjan said in Cannot port forward: "not a valid redirect target port. It must be a port alias or integer between 1 and 65535":

    @freddyh said in Cannot port forward: "not a valid redirect target port. It must be a port alias or integer between 1 and 65535":

    The selections made under NAT/Port Forward/Edit; the rest left at pfsense default

    Interface: WAN
    Protocol: TCP
    Destination: WAN
    Destination port range: 443
    Redirect target IP: 192.168.2.100

    Strange, you are omitting the "Redirect target port" field.
    It should be

    Redirect target port : 443

    and then pfSense will accept your NAT rules :


    Gertjan

    Thanks so much. Problem solved. It's the small things that are overlooked.
    It's been a crap day solving problems that I didn't even see that one.

    Appreciated!

  • Can't reach internal web server

    16
    0 Votes
    16 Posts
    2k Views
    johnpozJ

    Also where did you come up with this 200.10.1 ?? That is not rfc1918 space.. It's owned by

    inetnum: 200.10.0/22
    owner: Administradora BANCHILE de Fondos Mutuos
    Country: CL

    You do not just pull space out of thin air and try and use it, even if behind a nat.

    Your HOME Network should be using rfc1918 space..

  • Pfsense missing return packets during NAT

    18
    0 Votes
    18 Posts
    3k Views
    DerelictD

    When the reply packet was received by the firewall it had no route in the routing table for the destination so it returned Destination Unreachable.

  • 1:1 NAT with Firewall

    2
    0 Votes
    2 Posts
    422 Views
    DerelictD

    Going to need a much more detailed description of what you have done and what you expect to happen.

    Screenshots would probably help.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.