• Trouble with pfSense 2.2.6 + external transparent proxy

    0 Votes, 3 Posts, 3k Views
    Were you able to figure out another solution than the "three proxy layers?" I am in a similar situation. I have pfSense 2.3.3 nano on a Firebox x1250. I have Squid 3.5 and SARG 2.3.10 running on Ubuntu Server 16.04. I tried to create a NAT rule to forward all traffic on the LAN requesting port 80 to the internal Ubuntu server running Squid on the default port of 3128. I want to set it up as a transparent proxy but am not having any luck. I've added this to the /etc/squid/squid.conf file:

    ```
    http_port 3128 transparent
    http_port 80 vhost
    ```

    instead of the older method (which I've read stopped working after Squid 2.6):

    ```
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    ```

    Thanks for any help or advice on what you did to get this to work! Anthony
  • Web: Problem with conflict of two NAT rules

    0 Votes, 6 Posts, 931 Views
    And https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki
  • View site from within the lan

    0 Votes, 2 Posts, 479 Views, last reply by KOM
    Configure your internal DNS to resolve the FQDNs to LAN IPs instead of the WAN IP. If that isn't possible, enable NAT Reflection and try that. See https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
  • Port forwarding

    0 Votes, 7 Posts, 1k Views, last reply by KOM
    You need a cable modem in bridge mode and then pfSense after that. If your modem is also acting as a firewall/router then you're going to have problems.
  • NAT Reflection Controversy

    0 Votes, 15 Posts, 3k Views, last reply by johnpoz
    "If that's the case then anything from my working LAN that needs to see the server is going through the router anyways (multiple subnets.)"

    But not through the NAT engine.. For it to work the source has to be NATed to the external IP. So when 192.168.1.100 wants to talk to 192.168.2.100, he is using the public IP of pfSense to get there, let's call it 1.2.3.4.. So now to send the traffic to 192.168.2.100 pfSense has to NAT that source IP to 1.2.3.4 so that it can be returned through the same path.. If not you have an asymmetrical path, and that part of it is even stated in the RFC cited:

    a) A NAT's hairpinning behavior MUST be of type "External source IP address and port".

    What if your 2 segments are on a downstream router.. Now you have to traverse all the way up to the edge just to come back down..

    It's always the same common theme with these threads asking about NAT reflection - they don't understand how to resolve the IP they want to get to its local IP vs its public IP.. I agree, if there is NO way for you to use the local IP.. like a hard-coded public IP in the application, or the system uses some method of finding the other system it wants to talk to via some outside 3rd-party method that can only return the public IP.. then you don't really have any choice. But I have not seen that case ever brought up in all my years here that I can recall. So it seems it comes down to laziness.. I don't want to take the time to resolve to the local IP and not have to NAT if on another segment, or just talk to the guy next to me.. So I am just going to use the public IP and make the firewall do extra work, and/or even hairpin my traffic through its interface.. This is clearly not an optimal configuration - so it blows my freaking mind why anyone that actually finds or is told there is another way would continue to do such a thing.

    dcol's setup is clearly a boondoggle of massive proportions.. EV certs provide no extra security.. It might make business sense if your site is hit by the masses.. But from what I can make of it it's some sort of file sharing system for doctors. And is non-profit so he can only get 1??? But the lawyers and doctors want them?? But can not spend the few extra bucks for more?? Come on, give me a break. Why would you spend $ on something like that.. So this forces him to use only 1 FQDN??? That has to talk to multiple IPs which are really on the same box - so now he is running different parts of this application on different ports - and they need to talk to each other it seems? So if I read that right and they are using the public IP.. this server has to use NAT reflection to talk to itself even?? How in the hell could that be optimal..

    If you don't read that thread of his and think it's a borked config – you shouldn't be in networking, that is for damn freaking sure!! Or even IT of any fashion at all - shouldn't even be handling the support contracts ;)

    Normally how it should go when talking between networking engineers..
    eng1: Hey look, I have this setup xyz, here is the drawing, here are the details.. What do you think??
    eng2: WTF dude - that is borked beyond anything I have ever seen..
    eng1: Really - how would you do it..
    eng2: Well you could do ABC, here, I'll draw it up for you - what do you think.
    eng1: But how does Z work in that setup..
    eng2: Like this - see, the packets route here.. and now are not NATed.
    eng1: Hmmm so all I have to do is X and then it doesn't do all that extra..
    eng2: Yeah
    eng1: Well F me.. Thanks dude..
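Editor's added example (not code from the thread or from pfSense): a small model of what the reply above and the "View site from within the lan" reply are describing. It runs one request/reply round trip three ways: the client resolves the name to the server's LAN IP (no NAT engine involved), the client uses the public IP with only the port forward (DNAT) applied, and the client uses the public IP with NAT reflection, i.e. the source also rewritten to the external address as RFC 4787 requires. Client and server are placed on one /24 so that a reply addressed to an on-link host never passes the firewall; the addresses 1.2.3.4, 192.168.1.100, 192.168.1.200 and the port pool are assumptions for the example.

```python
"""Constructed model of pfSense-style NAT reflection (hairpin NAT).

A LAN host reaching a LAN server through the firewall's public IP only
works if the firewall also rewrites the SOURCE to its external address
(RFC 4787: "External source IP address and port"); otherwise the server's
reply goes straight across the switch, arrives from an unexpected
address, and the client drops it.  Resolving the name to the LAN IP
instead never touches the NAT engine.

All addresses are assumptions for the example, not from the thread.
"""
from dataclasses import dataclass

PUBLIC_IP = "1.2.3.4"
CLIENT = "192.168.1.100"
SERVER = "192.168.1.200"
LAN_PREFIX = "192.168.1."                     # hosts here are on-link with each other
FORWARDS = {(PUBLIC_IP, 443): (SERVER, 443)}  # the port-forward (DNAT) rule


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """DNAT port forward plus optional hairpin SNAT, with a state table keyed
    on the post-translation tuple the way a real NAT engine tracks it."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.states = {}          # translated (dst, dport, src, sport) -> original packet
        self.next_port = 40000    # outbound NAT port pool (assumed)
        self.translations = 0     # how much work the NAT engine did

    def from_client(self, pkt: Packet) -> Packet:
        """Packet that reached the firewall from the LAN side."""
        target = FORWARDS.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt            # plain routing, NAT engine untouched
        src, sport = pkt.src, pkt.sport
        if self.hairpin_snat:     # "External source IP address and port"
            src, sport = PUBLIC_IP, self.next_port
            self.next_port += 1
        out = Packet(src, sport, target[0], target[1])
        self.states[(out.dst, out.dport, out.src, out.sport)] = pkt
        self.translations += 1
        return out

    def from_server(self, pkt: Packet) -> Packet:
        """Reply that reached the firewall from the server side."""
        orig = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt            # no state: nothing to undo
        self.translations += 1
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(request: Packet):
    """The server swaps the tuple; the reply only passes the firewall when
    its destination is NOT on the server's own segment."""
    reply = Packet(request.dst, request.dport, request.src, request.sport)
    via_firewall = not reply.dst.startswith(LAN_PREFIX)
    return reply, via_firewall


def run(destination_ip: str, hairpin_snat: bool) -> dict:
    """One request/reply round trip from CLIENT to destination_ip:443."""
    fw = Firewall(hairpin_snat)
    request = Packet(CLIENT, 50000, destination_ip, 443)
    # An on-link destination is delivered by the switch; the firewall never sees it.
    delivered = request if destination_ip.startswith(LAN_PREFIX) else fw.from_client(request)
    reply, via_firewall = server_reply(delivered)
    if via_firewall:
        reply = fw.from_server(reply)
    # The client's TCP stack only matches a reply that mirrors what it sent.
    accepted = (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)
    return {"server_saw_src": delivered.src, "reply_src": reply.src,
            "accepted": accepted, "nat_translations": fw.translations}


if __name__ == "__main__":
    for label, dest, snat in (("split DNS -> LAN IP", SERVER, False),
                              ("public IP, no SNAT", PUBLIC_IP, False),
                              ("public IP, reflection", PUBLIC_IP, True)):
        print(f"{label:24} {run(dest, snat)}")
```

The third case is the one that "works", but note what it costs: two translations per packet pair, and the server's logs show every internal client as 1.2.3.4, which is the trade-off behind the advice to fix DNS first.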
  • NAT Pain (Multiple PfSense, Virtual And Physical Networks)

    0 Votes, 2 Posts, 535 Views, last reply by KOM
    There should be no NAT config required.  This should just work with basic routing, assuming your firewall rules are good.  Post both firewall rules for the WAN & LAN interfaces, then blow away any weird NATs you may have created and start fresh.
  • Newbie question on portforwarding

    0 Votes, 6 Posts, 972 Views, last reply by johnpoz
    NP..
  • Port forwarding and static IP

    0 Votes, 4 Posts, 1k Views, last reply by johnpoz
    As already mentioned - you could create a reservation for this server.  Or just set your pool to leave some IPs on either end or both ends of the segment for static assignment.  For example if using a /24.. set your pool .10 to .250 this leaves you IPs on both ends for static use.
  • Local 1 : 1 NAT

    0 Votes, 1 Post, 474 Views
    No one has replied
  • PfSense 2.3.2-RELEASE1 Port Forward not Working

    0 Votes, 8 Posts, 5k Views, last reply by johnpoz
    192.168.1.235.61414 > 93.123.118.235.8989
    Looks like you're testing from inside your LAN, trying to hit your public IP to get reflected back in.. NAT reflection, that has nothing to do with normal port forwarding. Did you enable NAT reflection? If your box on 192.168.1.235 wants to talk to 192.168.1.28, why would it send traffic to 93.x.x.x? I would have to assume both of those devices are on the same /24, i.e. 192.168.1, so why would you not just talk to the .235 direct.
  • Inbound Load balancing

    0 Votes, 1 Post, 529 Views
    No one has replied
  • [SOLVED] OpenVPN site to site SSL with NAT

    0 Votes, 2 Posts, 574 Views
    Seems Photobucket is having issues. Attached my network diagram here. I've also tested a 1:1 with the attached settings:
    Interface: VPN
    External Subnet: (the one I'm spoofing)
    Internal IP: 192.168.1.0/24 (in the picture it is 172.16.1.33, but that is my test environment)
    Destination IP: *** EDIT *** I left this blank in this case, but I've since changed it to be just the source subnet I want to NAT.
    What happens in this case is the client can ping the spoof address of 172.16.2.1, but the response claims to be 172.16.2.33. HOWEVER, if I ping a different IP that isn't the default gateway, it returns the right response. In short: I've solved my problem with a really simple 1:1 NAT (guess I should've tried it before asking). Hopefully anyone needing this can find it.
    ![network settings.PNG](/public/imported_attachments/1/network settings.PNG)
    ![SSL VPN.jpg](/public/imported_attachments/1/SSL VPN.jpg)
  • Unable to perform 1:1 NAT on secondary WAN ports

    0 Votes, 3 Posts, 569 Views
    @chpalmer: "What version of pfSense are you running? Physical interfaces for both WANs? Or VLANs?? Need more info!"
    Sorry! It's ver. 2.3.3-DEVELOPMENT. However, it has acted the same way on previous versions. Thanks! -Brian
  • Only open nat ip

    0 Votes, 12 Posts, 2k Views, last reply by johnpoz
    So are your clients trying to go to 40.40.1.12?? While the box is right next to them on 192.168?? What is the point??? Just set up a host override to point test.com to the 192.168 address it is being hosted on.
  • How to configure openDNS+Squidguard and googleDNS with two IP range

    0 Votes, 1 Post, 731 Views
    No one has replied
  • NAT HELP

    0 Votes, 1 Post, 633 Views
    No one has replied
  • 0 Votes, 4 Posts, 824 Views
    Well, it certainly doesn't hang anything. If you do this over VPN, well then that's a bad idea. If you want something less intrusive, use filter_configure_sync(). Not a fan of similar craptastic hacks like messing with something from the CLI that's not supposed to be used from the CLI at all.
  • 0 Votes, 2 Posts, 1k Views
    OK… I got my script working. Turns out it wasn't the command that pulls the port from PIA that was causing my issue. It was the line where the CLIENTID is generated. It seems just adding the pipe that removes " -" made the difference. Not sure why, but it doesn't matter. It's all happy now.

    ```sh
    # random client id on pfSense (FreeBSD md5); tr -d strips the " -" from the md5 -r output
    CLIENTID=$(head -n 100 /dev/urandom | md5 -r | tr -d " -")
    ```

    However, I am having the same issue now that Elegant and qwertytheking are having with regards to a port change not applying, at least not right away. Like qwertytheking mentioned, if you access the port alias and save/apply it, it opens that port, but until then it's still closed. Is there a command or something that saves/applies these changes through the CLI that I can add to my script?
  • PIA single port forward limitation

    0 Votes, 3 Posts, 882 Views
    I've just tested it. If you change your Client ID, each client ID gets its own port. So you can have lots of ports.
  • PIA OpenVPN - Port Forwarding issue

    0 Votes, 1 Post, 734 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.