That is very astute of you and is the exact problem! I installed nginx on the internal webserver and started that instead. Flawless port forward after!

The problem is in my apache config that I forgot to go back and clean up when I mas tinkering.

Thank you very much, ndemou!

I've had that happen numerous times and finally found this post. Identical log messages (apart from other IPs).  Can't figure out why DHCPDISCOVER is not sent to 255.255.255.255 anymore but to a fix IP that is not routable.

Yes, my ISP goes down more than what I like but not being able to recover leaves me standing without connectivity until I save my WAN IF settings and reload.

Anyone?

Per your drawing that 172.20.1/24 is clearly a TRANSIT network…

Apologies for the really late reply.
Everything seems to work now as intended.
I was able to configure it properly with CARP and its smooth. Only thing is I was only able to get it working with manual NAT not hybrid.
As always, thank you for your support.

and do not connect, do you have any other ideas?

Did you reconfigure IIS so that it thinks its using your public address and not its LAN address like I said?  For example, when I used to use vsftpd, you had to configure passive like this:

pasv_enable=YES pasv_min_port=50000 pasv_max_port=50100 pasv_address=a.b.c.d

where 50000-50100 is your passive range and a.b.c.d is your WAN IP address.

No, definitely not bonded with the modems. At their end they have proprietary routers that just send IP packets down both lines, balancing them based on the sync speed of the lines.

They will happily sell you a similar router, to connect to two VDSL/PPPOE modems. I'm just trying to avoid spending the $700 they ask for their router (and I'd have rather have used pfSense if it was an option).

They are a very unusual ISP ;)

You can actually achieve much of what I want with three basic consumer routers. Use two with their own VDSL ports to route from the lines (both using the same WAN address), with a third router behind them doing the firewalling and NAT (with one of the other routers set as its default gateway). That doesn't get you upstream bonding though.

Anyway, thanks for your input, clearly pfSense can't meet my admittedly unusual requirements and it is time to try another route (dd-wrt if I can, if not my own Ubuntu build, failing that $700 router from ISP).

And the firewall logs will not include passed traffic unless you explicitly tell that pass rule to log.

You need to be looking exclusively at packet captures, pretty much.

thank you

would need more details to be able to make a determination. Glad it's fixed.

Exhaustive list of other things to check here.

When it works from the same subnet but not from others it is almost always either the local firewall on the target or the default gateway of the target is wrong.

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

You should not have to do anything to use any cell booster behind pfSense in its default configuration. If you have messed about with the default outbound NAT static port on port 500 or something, maybe you might have to undo that.

They generally initiate an OUTBOUND IPsec connection to the cell provider. Nothing should be required on the firewall. No special rules, no special port forwards, etc.

They generally require a good GPS signal and can take a LONG TIME to sync up.

The best we can try to do if it is not working is interpret the specific instructions or guidance they provided. You would need to post that.

Port mapping rule for UDP/4500 on WAN interface -> 10.42.0.2:UDP/4500

You do not need this for an outbound connection.

Manual outbound NAT configured - only a rule for * -> WAN address configured for the 10.42.0.0/30 subnet

Why manual? Automatic will capture that.

Currently an additional rule for UDP/any going to WAN interface

Zero idea what that means. Post the rule.

I realize those were posted a while ago by someone else but you stated you did the same thing.

thanks for the answer,i solved the problem . it was a nat on the xivo who caused that,now all work fine :)

@NogBadTheBad:

Create a vpn connection, its more secure than opening up RDP to the world.

Think you may need to change it to tcp/udp, I'm not a Windows guy.

https://en.wikipedia.org/wiki/Remote_Desktop_Protocol

Agree with VPN, but at the very very least use a different External port forwarded to 3389 internal, also do UDP/TCP, UDP is used when available and faster, though shouldn't be required.

The portforward looks correct.

Do you have only a single WAN IP? Do you have anything special for Outbound NAT? Does pfSense have the WAN IP direct on its WAN interface?

Hi!

What would happend if I added the external IP to the interface as an secondary IP?

trying a test while users are away for the weekend ;-)

I assume I would have to use a 1:1 SNAT ?

Trying to get a ping to work from the pfsense to the OPT1 LAN via a mapped IP.

The server in the OPT1-LAN has 192.168.5.15

I want to map it to 192.168.187.15 in the LAN.

Trying the 1:1 rule on various interfaces but I don't get a ping back.

What do I misunderstand here?