Hello Derelict,

It is working fine now. I configured some new servers and it works charm.

If it were me I would want to figure out why. The server either pushes redirect-gateway def1 or it doesn't. The client either accepts and acts on it or it doesn't.

The need to use manual push routes has all but been deprecated by the Local Networks setting in the server config itself.

I would take a good, long look at all of the new options that have been added to the GUI config and transition to GUI widgets any custom options that are now implemented as GUI widgets.

@viragomann I understand. Thanks.

I don´t want to make a transparent bridge and won´t use the same network on both sides. So I try to add some static routes on both sides and disable the NAT functionality.

Outbound NAT does not route traffic.

It only determines what NAT happens to traffic flowing out that interface when it is already routed that way.

@jusschwa said in Can I hide/masquerade incoming IP?:

So here is what my routing table looks like on the client:

default gateway is to 10.10.10.82 over eth1 (data interface) 192.168.123.0/24 is over eth0 (management interface) 10.10.10.0/24 is over eth1 (data interface)

What is this client?

If that is its routing table and it is routing any traffic destined for 192.168.123.254 to 10.10.10.82 it is wrong.

Unless there is policy routing or something present outside the routing table you provided there routing that way.

@johnpoz I am supporting a legacy system that custom accesses the files in code to bring down documents. The old language used does not support anything but ftp. I am rewriting it and will look at other solutions. For now, 24 remote office locations and 40 desktops, can't fool around.

I use vsftp. Other FTP server programs will have settings that need to change just like this, you need to find them and set them on the FTP server config.

I fixed it like this:
On a Ubuntu linux server running vsftp
To enable passive mode, set the following configuration options in your vsftp.conf:

pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30099 (Any port range you want to try)
pasv_address=(Fixed Internet facing IP address)

Then open these ports in pfsense to the server under the NAT menu
Port forward 21 to the ftp server
port forward the same range from the settings above to the ftp server
30000 to 30099

@derelict ta, i will have another play. Although i didnt make any changes in the 4G router last time i had it working, although last time it was an Asus router with 4G dongle in. This time its Teltonika 4G router, so things could well be different.

thanks again

Downstream router. 192.168.2.0/24 is behind that.

Screenshots.

@jimp That was it. Had to allow the traffic through the firewall. Thanks for the help, I think this will get me what I need for now.

@derelict said in Configuration of NAT Reflection to access external domain not working:

And the WebGUI http to https redirect is disabled? Port forwards coming into WAN override that but not for NAT-reflected connections.

Split DNS is a more elegant solution to this problem.

If this is what you're talking about, then no. I can change it. Let me know. I don't know that it'll have an impact since I'm only listening on 80 when I'm attempting to renew Let's Encrypt certs.
0_1532552291049_redirect.png

Did you see my second post about my Split DNS configuration? TTS for Google Home doesn't work when it is configured that way.

You can use forwarder mode in unbound as well, they don't have to switch over to forwarder.. I would say that would make sense if he was going to be forwarding to multiple pubic dns since it can query them all at the same time and use the first one to respond. But if he is just going to forward to pihole, then can just use resolver. But he then needs to point his pi-hole to something on the outside.

We got this to work with 2 of these devices on the same property.. If I remember right we made them a static port entry in "outbound NAT"..

But I know I also made inbound firewall rules from the server they connect to, to the LAN address of the devices.

I Can't enter static routes to the Fritz.box for the othler netwoks that thing doesn't allow this.

Will it do multiple "Phase 2" networks or is that what you are saying it does not allow?

The other side will have to be able to do something so the pfSense side will know what network they are trying to make a connection to.

You cannot do IPsec NAT using Outbound NAT. The NAT goes in the IPsec Phase 2 definition.

To get outbound traffic from a server using 1:1 NAT, we use Manual Outbound NAT.

There will be a default mapping for "192.168.1.1/24" which is for any PC on the LAN, with its NAT address set to "WAN Address."

Above that one, add a row for 192.168.1.100/32 with a NAT address of the .42 public IP for this server. This will force outbound traffic, from that server only, to use the .42 address.

Glad to here it's working now.

They way you have it now you will have to connect to the web gui on https://wan.address:9443/ (If you have the proper firewall rules on WAN. I will not belabor the point that it is a bad idea to have that open from any address.)

That will be completely unrelated to any http traffic on any interface on port 80.

If your WAN rules pass traffic source address any source port any dest address 192.168.1.3 dest port 80 (which is the default for a port forward rule if you do not change the rule creation and linking selection at the bottom of the port forward definition), traffic to WAN Address:80 will be forwarded to 192.168.1.3:80.

If that is not working, you need to see why that web server is not answering.

As @johnpoz said, the checklist of things to look at is here:

https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

If your GM wants this stuff to work he should:

Get you something instead of some cockamamie double-NAT setup. Insist you use a VPN since it is the correct choice.

Else we will need to see the upstream configuration of the ISP router and probably the port forward that works and the one that doesn't.

PFSense didn't interfere any connection.

How do you know it's pfSense interfering and not something else that's still wrong?