• Publishing oracle application server

    1
    0 Votes
    1 Posts
    324 Views
    No one has replied
  • Sending DNS Resolver traffic through OpenVPN Client (NAT problem)

    22
    0 Votes
    22 Posts
    8k Views
    Derelict

    No idea what OPNsense does for DNS. But it sounds like you have that and pfSense configured completely differently.

  • Portforwarding FIN_WAIT_2:FIN_WAIT_2

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz

    You do understand fin_wait 2 is normal after fin.. Normally this is a faulty application.. And you sure you're not looking at old states..

    Why exactly do you even need nat reflection - just access the http directly.. Does your port forward work from outside… Then you're down.. There is zero reason for nat reflection.. just use a host override to access the local IP by whatever name it is you want that you use on the outside.

  • [Closed] NFS Traffic being stymied somehow?

    2
    0 Votes
    2 Posts
    512 Views
    K

    I ended up abandoning this, changing the IP scheme at one site and then setting up a site-to-site VPN.

  • 0 Votes
    8 Posts
    910 Views
    S

    Yeah, the workaround is quite easy but it wasn't the first thing I thought of. I wish it had been mentioned somewhere, not sure where though…
    Anyway, thanks for your help :)

  • Tunneling 2 VPN services via 2 routers

    2
    0 Votes
    2 Posts
    427 Views
    B

    @new2pfSense2017:

    I have confirmed that my pfSense router is connecting properly to VPN A.  I am unable to get the VPN B-enabled DD-WRT router to tunnel through the pfSense router. The connection delivers the requested web pages using VPN A's exit point, but does not persist to VPN B's exit point.

    I would note the following for future reference:

    https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

    I use a VPN exit location (Germany, let's say) on pfsense. I use a separate VPN exit location (Paris) on a client on the LAN of the pfsense router. The client still shows DNS exiting from the client VPN location (Paris), not the pfsense router location (Germany). This is accomplished without the use of opening ports or "VPN pass-through."

    I would run through the connectivity troubleshooting with a client connected directly to the pfSense, leaving the second ddWRT router out of the diagnostic test and note your findings. Also check your NAT settings on the pfsense router. Take a screen grab of your Outbound NAT settings and post them here.

  • Join.ME - SIP/NAT configuration

    2
    0 Votes
    2 Posts
    578 Views
    A

    I'm still stuck on this.

    Is there anyone who can please give me some direction on how to set up pfSense for Join.me or possibly help me debug what is going on?

    Andy

  • PBX Port Forwarding

    1
    0 Votes
    1 Posts
    414 Views
    No one has replied
  • 0 Votes
    5 Posts
    640 Views
    2

    @dotdash:

    You didn't mention you were running a double NAT and had multiple interfaces with the same gateway. If you had a wan with a public IP and multiple IPs on the subnet, the instructions I gave would work fine. I doubt if anyone is going to be able to help you running a strange config like that. What is the purpose of having multiple interfaces going to the same gateway? AFAIK, you still can't run multiple routing tables in pfSense.

    Sorry, IP-addresses were just an example, not using double NAT.

    Anyways, I got this figured out now. I got side-tracked with proxyarp, which is not necessary in this case.

    How I solved it?

    Just added more WAN IPs as Virtual IPs with Type Alias (as they can be on the same subnet as the physical WAN). Added these Virtual IPs and also the physical WAN IP as an alias group ("ALL_WAN_IPs"). Added PAT-rule using the "ALL_WAN_IPs" alias. With Round Robin with Sticky Address.

    It seems to be pseudo-sticky though. Clients use different WAN IPs on different connections. My understanding of Sticky Address was that it uses the same WAN IP for all the connections based on the source (client) IP.

    One thing that I still don't understand is that the clients never seem to use the physical IP-address from the WAN interface, even though it's included in the Host Alias "group".

  • NAT reflection bypassing firewall rules

    6
    0 Votes
    6 Posts
    2k Views
    johnpoz

    Well to be honest nat reflection in itself is an abomination that should be avoided… It's a workaround for bad design.. Have yet to hear a valid reason for its use.. You have either hard coded an IP, or don't correctly use dns..

    Users misunderstand the rules all the time.. There are loads of threads where they can access the web gui from the wan..  When in fact what they are doing is accessing the wan IP from the lan..

  • Need to NAT between two IPSEC tunnels

    2
    0 Votes
    2 Posts
    390 Views
    M

    For future folks that make the same mistake, I found the problem: When trying manual outbound NAT I had set up a virtual IP of 10.10.1.200 but had the interface set to LAN instead of localhost. Once I changed the VIP interface to localhost it worked fine. Hope this helps someone in the future.

  • Generated firewall rule different from expected

    2
    0 Votes
    2 Posts
    378 Views
    johnpoz

    Nat is processed before the firewall.. Firewall rule is allowing in what NAT is doing..

    It's always best to actually post a screenshot of your question. So everyone is 100% sure of what you're seeing and what your question is about.

  • Traffic sent through squid is not nat'ed properly

    1
    0 Votes
    1 Posts
    277 Views
    No one has replied
  • Error in NAT page

    12
    0 Votes
    12 Posts
    3k Views
    jimp

    There is a fix for this in 2.4.2 now. It should be in snapshots later today/early tomorrow.

  • Override or route traffic on a certain port

    1
    0 Votes
    1 Posts
    363 Views
    No one has replied
  • DNS Redirect

    6
    0 Votes
    6 Posts
    1k Views
    KOM

    I should have pointed out that the article I linked to wasn't an exact match for his issue, but he should be able to change the 127.0.0.1 to his LAN DNS IP and get the same result.

  • Static External Access Issue (Am I just stupid?)

    10
    0 Votes
    10 Posts
    894 Views
    V

    @chpalmer:

    trust it over the Comcast router/modem any day.

    I don't trust anything Comcast does.

  • Outbound NAT'ing - unable to reach internet from behind the pfsense

    4
    0 Votes
    4 Posts
    640 Views
    V

    @johnpoz:

    "WAN  192.168.128.0/17"

    Huh?

    That's the outbound NAT rule, so 192.168.128.0/17 is presumably the LAN network.

    However, the "Huh?" is appropriate though.  ;)

  • Incoming RTP traffic being dropped at pfsense (Cisco VCS-E)

    8
    0 Votes
    8 Posts
    1k Views
    Y

    Hi @andphil2,

    Attached is a Visio of my network. My VCS-E is on the LAB Network. Hope that helps!

    The ports 5060/5061 and the media ports have WAN rules to come in. Outgoing, I'm allowing everything.


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.