• NAT reflection, 1:1 VIP and NAT outbound rule to VIP

    2
    0 Votes
    2 Posts
    489 Views
    D
    Before working on VIPs, NAT, etc… I recommend taking a look at your subnets.  /20 subnets have 4096 hosts available.  Your LAN3 at 192.168.254.0/20 is also not a valid network address.  The correct network address for that subnet would be 192.168.240.0/20 (If you're really trying to use /20 subnets). If you meant /24 (aka 255.255.255.0), you might want to correct that.  A /20 subnet could probably use further segmentation if you're really working with 4k clients. Good luck!
  • Advanced NAT and Port Forward

    2
    0 Votes
    2 Posts
    558 Views
    johnpozJ
    Yes..
  • Forward Port 80 NAT

    4
    0 Votes
    4 Posts
    2k Views
    JailerJ
    If you want to forward port 80 your destination port range from and to should be set to http. For 443 from and to should be https. Make 2 rules and keep it simple.
  • For LAN, redirect port of external host (e.g. 1.2.3.4:80 to 1.2.3.4:2000)

    3
    0 Votes
    3 Posts
    11k Views
    J
    Thank you for your prompt reply. Your suggestion worked immediately. I was confused by the description (redirect target IP - internal IP etc). I didn't realize it would also accept 1.2.3.4. Thanks again!
  • NAT 1:1 & Squid

    1
    0 Votes
    1 Posts
    529 Views
    No one has replied
  • Change NAT issue pfSense 2.3.4

    2
    0 Votes
    2 Posts
    638 Views
    jimpJ
    That function is in /etc/inc/util.inc which there wouldn't be any way to skip just that one function in that file, and that file is loaded on every page that uses the configuration libraries (which is every page used by the GUI, essentially). Of the possible explanations, a corrupted filesystem or failing disk are most likely. Especially if it happened out of the blue without any action on your part causing it.
  • Reduce Outgoing NAT rules

    12
    0 Votes
    12 Posts
    2k Views
    DerelictD
    Group like servers within subnet boundaries so you can include multiple servers with one subnet entry. Define and use aliases for the source addresses.
  • Anyone configure NAT with Voobly before?

    1
    0 Votes
    1 Posts
    808 Views
    No one has replied
  • 1:1 NAT Over OpenVPN Site2Site?

    3
    0 Votes
    3 Posts
    1k Views
    DerelictD
    You need to assign an interface to the OpenVPN instance at Site B and make sure the rules passing traffic into that OpenVPN DO NOT match anything on the OpenVPN tab but do match on the assigned interface tab. That will flag the states with reply-to so reply traffic will be sent back through OpenVPN instead of according to the routing table. Or just shorten the TTL on the A record in DNS to something like 5 minutes a while ahead of your move (how long depends on what your default TTL is), shut off the server, change the DNS, move the server, and by the time you get there the new address will have propagated everywhere. Then just set the TTL back to something reasonable and you're done.
  • Strange Question about NAT

    7
    0 Votes
    7 Posts
    1k Views
    S
    @tomli: Hi all, My pfsense has one WAN IP: 192.168.211.1/24 and one LAN IP 192.168.1.1/24. I need to install external package for my pfsense. Therefore I need to configure my WAN to use my Public IP pool address, for example: OutBound NAT You don't need to configure NAT to be able to install external packages. Having correct IP configuration on WAN interface is more than enough for underlying software to connect to package repo - it will just use your WAN interface to do the job. NAT is needed only for your client machines behind pfSense, i.e. on LAN interface.
  • Source nat question

    2
    0 Votes
    2 Posts
    557 Views
    S
    1st: are you sure you will really receive incoming packets on your VPN interface? You should have real IP on your VPN interface to accomplish this.
    2nd: add incoming NAT rule for external access, check FROM SOME OTHER LOCATION and watch in States for connections to your internal server. Connection would not work now, but you should see connection attempts to your internal server.
    3rd: go to advanced outbound NAT, create a topmost rule:
      interface: OpenVPN
      source: any
      port: any
      destination: your internal server IP (type: network, your IP, network /32)
      port: specific port or any
      Translation address: Other subnet and type in your LAN address in network format with /32
  • Pfsense behind pfsense?

    3
    0 Votes
    3 Posts
    2k Views
    S
    Your pfSense-01 does not know anything about 192.168.100/24 network. Add a static route to that network with gateway pointing to pfSense-02, make sure you add rules on pfSense-02 on WAN interface permitting access from WAN network to LAN network/host/s.
  • VoIP .. ATA box not able to register

    6
    0 Votes
    6 Posts
    2k Views
    F
    Hi, I was working with SonicWALL in the same network layout. Double NAT, yes, maybe, but the first one does nothing. It's the cheap mandatory router from Bell in Canada, province of Quebec. We have to keep it for 'Fiber TV' (and their IP phone, but I don't use it due to the cost). But the good news.. I kept the instruction by doing regular firewall rule like I did before without result… but this time, I didn't use Aliases. I put direct IP and Ports into the Rule. I also cleared the State table because it looks to be a must when changing rules/NAT. It works fine and pfSense keeps its place for now! Compared to SonicWALL, the interface is nice to work with. Aliases are a bit painful to use and we don't have the grouping option. Protocol is not in Aliases like SonicWALL… Like I did, a group for PS3 that contains all TCP, UDP ports and we set a rule for PS3 object group instead of using multiple Rules for a single item, if you understand what I mean. Thanks a lot for your help.
  • 1:1 NAT to a cannot use own VPN

    2
    0 Votes
    2 Posts
    882 Views
    jimpJ
    That's something you'll have to ask in a forum for that ASUS router. pfSense can use VPNs and DDNS when it's behind NAT, if ASUS can't, it's a problem with the ASUS router. Perhaps you can replace the ASUS firmware with Tomato/Shibby, DD-WRT, or something else with better capabilities.
  • NAT with dynamic interface address

    5
    0 Votes
    5 Posts
    1k Views
    H
    @helgew: Has anyone found a solution yet? Same problem here. OK, answering my own question here… with a gateway named 'VPN_Gateway' the following works for me:
    # grab our new IP address, edit the config file, and reload the filters
    ip=`$ifconfig $iface | grep 'inet ' | awk '{ print $2 }'`
    xml ed -L -u '//gateway_item[name="VPN_Gateway"]/gateway' -v $ip /cf/conf/config.xml
    /etc/rc.filter_configure
  • Cannot configure port forwarding for torrents

    1
    0 Votes
    1 Posts
    837 Views
    No one has replied
  • XB1 NAT STRICT

    2
    0 Votes
    2 Posts
    616 Views
    R
    TLDR: Use NAT rules to forward all ports, or less, to your XB1 in Firewall -> NAT -> Port Forward tab. Be careful of the order if you have other NAT rules and UPnP. It's a double-edged sword really. No network gear exists that is performing NAT "magic" that really guarantees open NATs without a sacrifice elsewhere. What your Netgear is really doing is forwarding all ports to your XB1, think like the old DMZ IP setting. The way to do the same thing in pfSense is to do just that, forward all your ports via NAT rules to that one XB1 IP. Realistically, it only needs to be 1024-65535. There are a few drawbacks though. 1. Let's say you do this, and forward all the ports. Then you need to forward a port for a TeamSpeak server or something on your network. You must put that TeamSpeak rule above the "all" rule for your Xbox. This also means that if you happen to have a game that needs that TeamSpeak port by random chance to be forwarded to your Xbox, it won't work. It will be forwarding game traffic to your TeamSpeak server. 2. I believe, and please correct me pfSense gurus if I'm wrong, but the UPnP that some services need on your network will be overridden by the all port forwards NAT rule as I believe UPnP is processed after explicit NAT rules. For example, Skype uses UPnP, if every port for both TCP and UDP is forwarding to your XB1, then Skype may not work. pfSense gurus, I don't know if this is correct, but will pfSense skip over a NAT rule if the IP it is to forward to is not in its ARP table? i.e. machine is turned off.
  • WAN 1 in offline

    2
    0 Votes
    2 Posts
    620 Views
    J
    @leonilotrigo: Please help, I have a problem with my pfsense PC router. 4 WAN 1 WAN 3WAN is online, there is 1WAN is offline, but I try testing direct to their gateway there is an internet. In the dashboard shows offline.. Please help to fix this.. thank you. If you're in need of help you should probably ask questions instead of just writing words. You have 1 pfsense against 4 public WAN? The WAN looks down but does route? The packets drop at what point?
  • VLAN not getting packets back while using vpn gateway

    2
    0 Votes
    2 Posts
    521 Views
    J
    While talking with someone else they mentioned a GRE tunnel. To my knowledge a GRE needs a L2 device at either end. Since this is OpenVPN on a VLAN GRE wouldn't work.. would it? I mean because I can't assign a VLAN tag and a GRE tunnel to the same interface - correct?  :-\
  • 0 Votes
    7 Posts
    3k Views
    johnpozJ
    Do whatever makes you happy.. Even if you had 100 companies, I would think a simple list with the company names would be easier to click than editing an XML file. But whatever floats your boat.. Shit a 1000 companies even.. Why would you not do netblocks vs individual IPs, etc.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.