• Public IP Multiwan NAT Configuration Question
    2 posts, 305 views
    Here is the visual of the configuration with made-up public IPs. [image]
  • 3 posts, 297 views
    @mcury Thank you! Solved!
  • DNS and NTP intercept for multiple interfaces
    4 posts, 399 views
    @keyser That did indeed do the trick. It appears I can also get rid of the floating firewall rule to allow DNS server access (it's on a different VLAN/subnet altogether from everything else). Floating rule: [image] Since NAT rules are executed before floating rules, traffic never reaches the above rule. NAT/port forward: [image] This creates the firewall rule below for the Local_networks "interface". [image]
  • Outgoing packets with Private IP on WAN
    1 post, 144 views, no replies
  • PFSense and NoMachine, Looking for Correct Settings
    1 post, 174 views, no replies
  • NAT 1:1 configuration in HA-CARP mode
    Tags: nat carp ha carp
    8 posts, 1k views
    @SteveITS said in NAT 1:1 configuration in HA-CARP mode: "For your IP alias I think /32 is wrong." @viragomann said in NAT 1:1 configuration in HA-CARP mode: "So there is something wrong with this IP or the CARP VIP, which you should troubleshoot. Check the logs for hints. Hooking up the IP alias on the CARP VIP is necessary for proper failover. If you just set it on the interface it can never fail over to the secondary." Thank you both for your help!!! I've set up a new CARP just for this type of 1:1 NAT situation and I'm doing a port forward.
  • Unable to access internet through pfsense
    5 posts, 584 views
    @Froginou14 Thank you for your kind attention to my topic. I tried as per your instructions, but the issue is still the same: it is saying "DNS probe finished, no internet access". If I pass traffic through Squid by typing the IP of this firewall in the proxy, an "ERR connection timeout" is shown.
  • Port Forwarding for Roon
    7 posts, 2k views
    @jasiu82 Ah yes, on the phone you may be limited to running only one VPN at a time, like on iOS: https://tailscale.com/kb/1105/other-vpns. Otherwise it might be possible to set it up so that Tailscale only routes traffic from the apps that want it (Roon in this case). I have not looked into this at all, but perhaps this provides some insight into how it can be done: https://www.reddit.com/r/Tailscale/comments/15e9m6m/routing_specific_traffic_through_exit_node/ But on the other hand, the Tailscale client on your phone will find your "home IP" by checking with Tailscale's servers. And they only know what the subnet router on your home network tells them. So when you say you run "all traffic on NordVPN from the pf4100", how do you achieve that? If you have policy routing that routes any and all traffic on your LAN via your NordVPN tunnel... then the way it should work is that the Tailscale subnet router will also find its way out via NordVPN... So even if you only run Tailscale on your phone, it should anyway end up inside your NordVPN connection, a tunnel within a tunnel. But even if your phone no longer uses NordVPN, from a privacy standpoint I suppose it really doesn't matter, since it's you that initiates a point-to-point connection to your own network. So the fact that it goes to your IP directly doesn't matter, since it is fully encrypted and there is no way for anyone to even know what's going on inside... regardless of whether it's Roon or some other server you are accessing inside your network.
  • Transparent Proxy
    1 post, 496 views, no replies
  • 12 posts, 803 views
    @tomsawyer2k5 Other than maybe setting up a new machine with the software... I would assume it should have the details to log in built in, or ask the user for the info, like their username and password, etc. For all we know, on the machine that was not working they put in some bad info when it asked them: a typo'd IP or FQDN they were supposed to put into the config on setup, or username/password, etc.
  • NAT Wireguard Subnet to other Subnet
    5 posts, 587 views
    @Jarhead I limit both internet access and inter-VLAN communication. I think the complete ruleset would be a bit much :) In principle, there are rules that, for example, allow all devices in the home VLAN to access destinations on the Internet via HTTP/HTTPS, but there are also rules that allow all devices in the home VLAN to access services in the other VLANs. For example, all devices may contact the NTP server in VLAN X on UDP 123. However, I now have to maintain the same rules for the WireGuard VLAN, as these are virtually the same for me as if they were devices from the home VLAN. So now I also have to create a rule that allows all devices from the WireGuard VLAN to access destinations on the Internet via HTTP/HTTPS, or the rule that they are allowed to access the NTP service in VLAN X. That's what I mean by ruleset copy. If I now create a new rule for the home VLAN, e.g. that they are allowed to access a DNS in VLAN Y, then I must also create this rule for the WireGuard VLAN. This is a bit tedious. It would be better if I only had to create a rule for the home VLAN and didn't have to worry about creating the same rule for the WireGuard VLAN. I don't see how aliases could help me in this case. Maybe I have to mention that all subnets are on different physical interfaces. So basically each subnet/VLAN has its own physical network interface.
  • Outbound NAT - Potential RFC violation?
    11 posts, 1k views
    @adude42069 Don't confuse random, ephemeral source ports (which is the scope here, with the random port translations in outbound NAT) with destination ports on which services are listening for connections (which is the scope of IANA registration).
  • NAT to get to subnet when router doesn't have a route.
    3 posts, 361 views
    @johnpoz Thanks for the reply. The metro interface address at building A is 192.168.0.252. Building A's WAN address is the ISP address; building B's WAN is 192.168.1.252, the gateway IP assigned to the metro at that location. I know the setup isn't correct. I should have the firewall address as the gateway, with a route to the other networks set up such that all traffic not seeking another network just goes out the WAN address, and when traffic is seeking an internal network, it gets properly routed. However, when I do that, it doesn't work. I think it's because I have yet another pfSense firewall at another location with its own ISP/WAN. Dual WANs from a single exit point are easy, but I haven't figured out how to make it work reliably if one ISP goes down, to send traffic out of another network's WAN. For now, it "works"; I'm trying to see if I can solve this one issue and clean up the rest down the road. Thanks.
  • DMZ through ISP router
    10 posts, 2k views
    @Gertjan It was a standard situation: ISP support didn't understand pfSense, so they told me that I must make a port forward like on ptlink, but the issue was that they had forgotten to disable the firewall on the router. It was in bridge mode, but the firewall blocked input.
  • HOW TO CONNECT SUBNET 192.168.0.8 TO SUBNET 192.168.2.10
    2 posts, 364 views
    @scapino So you have network 192.168.2 and network 192.168.0 on pfSense. There is nothing to do; pfSense auto-connects networks it is directly attached to. If you want some client on network A to talk to network B, where both are attached to pfSense, you would need your firewall rules to allow for it. You would have to bypass any policy routing you might be doing that shoves traffic out a gateway or VPN. And the destination IP would have to be using pfSense as its gateway, and its host firewall would have to allow the traffic from this other network.
  • Yealink Phones will not register to cloud PBX behind pfSense
    6 posts, 651 views
    I definitely haven't ever had issues registering Yealink phones; we aren't using FreePBX though. I think maybe change the post title to be about 3CX? Doesn't sound like a Yealink-specific issue to me. As for why it worked on the SonicWall, this is one of the reasons I don't like SonicWall and most other "enterprise" firewalls: they do too much for you "automagically", so then when things don't work it's hard to know why, since we can't always know why it worked in the first place lol. Anyway, anti-SonicWall rant over. So some devices register fine; do they make calls OK or just register? Same subnet and all that, I presume? If you do a pcap, can you see the Yealinks trying to reach out on 5060 and just not getting a response?
  • Can't access myself from WAN, but internet works
    Tags: wan nat port forward gui
    11 posts, 2k views
    @Djkáťo The one and only question that answers your question while answering me: do you have a working Internet connection? If yes, then nearly all is fine, and you can stop looking, as you've already mentioned what your current situation is: it doesn't break your internet access if your WAN IP is RFC1918. But you can probably forget about NATting so you can make internal (on the pfSense LANs) devices accessible from the Internet, as you have no access to the ISP equipment to do so. If your "TP-Link Archer VR300" is truly working as a modem, it's just converting POTS VDSL signals to "Ethernet" signals and it doesn't do routing, firewalling, etc. It's not the "TP-Link Archer VR300" that has a WAN and a DHCP server that gives you the "10.101.37.22" pfSense WAN IP: this "10.101.37.22" comes from way up, somewhere from the ISP. Why do they do so? There is the classic $$$ rule: they have no more free routable IPs left, as the IPv4 freely available stock was sold out many years ago, and what's left has a huge price tag. It's been seen before; you want a real routable IPv4? You $$$ or €€€.
  • 2 posts, 563 views
    I have noticed that the UniFi Controller software has become increasingly dependent on background links "phoning home". Last time I ran a local traffic audit I found packets from the controller to multiple mystery sites. After adding firewall rules to block the traffic, I found I could no longer adopt new devices. Maybe check the current documentation for your controller version for the required TCP and UDP ports. Cheers
  • Failing to get 1:1 NAT working
    8 posts, 499 views
    @NickJH This would require options to state external and internal ports and the proper rule association for each. A bit complicated, and it's not what NAT 1:1 is meant for. The sense of 1:1 is to map an external IP to an internal one and also the other way round, while port forwarding is meant for what its name implies. And if you forward a port to an internal IP, you usually also want to pass this certain traffic.
  • Issue to manage pfsense from internet
    19 posts, 2k views
    @rjcab said in Issue to manage pfsense from internet: "It accepts when I do it from LAN but not from WAN, whereas traffic seems to come in :-)" And that's a pretty good default security setting. But you've decided to admin this device also from 'the internet'. I'm pretty sure the device has settings, so it's time to inform the device it should also accept connections from the Internet. Exactly like "MS RDP".
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.