• PfBlocker alias join for NAT with source filter

    7
    0 Votes
    7 Posts
    2k Views
    BBcan177
    See the following: https://forum.pfsense.org/index.php?topic=117744.0 Also you won't be able to mix IPv4 and 6 in the same Alias unfortunately.
  • Nat Pool Question

    2
    0 Votes
    2 Posts
    804 Views
    Derelict
    What do you mean released back into the pool? You can either 1:1 NAT inside to outside address or create a pool of outside addresses and let algorithms determine which outside address to use for outbound requests. You can, however, tell outbound NAT to use the same outside address for connections from a particular host until there are no states left from that host. Round Robin/Random with Sticky Address: Selects an address at random, but maintains the same translation address for a given source address as long as states from the source host exist. This explains it all: https://portal.pfsense.org/docs/book/nat/outbound-nat.html Also: https://doc.pfsense.org/index.php/Outbound_NAT#Address_Pool_Options Lots more options there. One of which might be a better fit since I can't really tell what you're asking.
  • Default deny rule IPv4 is blocking my LAN to my DynamicDNS

    6
    0 Votes
    6 Posts
    2k Views
    johnpoz
    Open up the resolver or forwarder whichever one you're using, scroll to the bottom there you go host overrides..
  • Can not open port

    3
    0 Votes
    3 Posts
    2k Views
    L
    Thank KOM NAT ok, but i forgot active services on destination ip for NAT.  ;D
  • 1:1 Nat, with VPN

    2
    0 Votes
    2 Posts
    974 Views
    johnpoz
    huh??  What are you trying to accomplish exactly and why??  You need a 1:1 for why?  Can you not just port forward?  Why does a client behind pfsense have vpn connection, why would you not run the vpn connection on pfsense and then your whole network could use it if you wanted or could just policy route for specific machines or specific dest/ports to use it, etc.
  • Open VPN NAT driving me crazy

    10
    0 Votes
    10 Posts
    4k Views
    johnpoz
    That is something you might want from a roadwarrior vpn into your own network.. Not for a vpn designed to hide your traffic from your isp/local network, the IP you're coming from to the sites you're going to, and circumvent geographic restrictions. For what possible point would you need L2 connectivity to some vpn service??  Completely utterly broken!!!  Who/What would you be broadcasting for?
  • Open all ports on an IP?

    4
    0 Votes
    4 Posts
    2k Views
    johnpoz
    If game listens on port X - opening up port Y that nothing is listening on is completely pointless.
  • Backend servers cant see Real users IP's

    21
    0 Votes
    21 Posts
    8k Views
    Derelict
    Well, whatever. The real point is "it's not pfSense." And how come this related to Nginx if before everything worked perfectly. I just changed routers…This is definitely pfSense setup problem. Glad you found it.
  • Setting up NAT to perform RDP

    16
    0 Votes
    16 Posts
    12k Views
    johnpoz
    So you setup vip on one of your other IPs in your /29 and setup the vip on that and setup the outbound nat for that box you're doing 1:1 nat to to use that vip? If you are going to do port forwarding with your other IPs, you want to make sure that your answers are going back via the correct IP, etc.  If I recall pfsense will auto do it correctly - but if you're having issues you need to verify.. So you created all of the vips for your IPs in the /29 ??
  • HELP AGAIN! BEHIND PFSENSE DOWNLOADS GET INTERRUPTED AND CORRUPTED

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    And do you have issues when you turn off proxy?
  • HELP PLEASE - NON TRANSPARENT PROXY WONT FORWARD PORTS

    9
    0 Votes
    9 Posts
    2k Views
    F
    thanks replying. i will be looking into it, if you care enough, it would save a lot of time by appending this to the docs. thanks in advance.
  • Help With Outbound NAT (I think)

    9
    0 Votes
    9 Posts
    2k Views
    T
    @johnpoz: "The 10.7.3.0 is not a VLAN. It is, as you said, layer 3 over the same layer 2." That is BROKEN setup - fix it, make it a vlan or change your mask to be /23 to cover your 2 /24 you're running.  Running 2 different layer 3 on same layer 2 is BORKED and needs to be corrected. 10.7.2.0/23 covers your range 10.7.2.1 to 10.7.3.254 Thank you. Clearly I need to study up on subnetting. I will work on this today and see where it goes.
  • Nat to different ip on same lan

    2
    0 Votes
    2 Posts
    1k Views
    Derelict
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting pfSense doesn't care if the NAT host is behind another router or not. Port forwarding just maps the destination address/port on the incoming connection.
  • Port forwarding frustrations

    7
    0 Votes
    7 Posts
    2k Views
    johnpoz
    So I provide the link, and derelict says check the list per provided link and he gets a thank you and get nothing - wtf? ;)
  • Forward all HTTP traffic from a IP address to another IP address on a LAN.

    5
    0 Votes
    5 Posts
    2k Views
    B
    That is correct.  Forwarding HTTP from LAN out the WAN. It was over a year ago i learned how to do it.  And from memory I thought i was able to forward all LAN traffic to a proxy server on the same LAN not out the WAN.  I just didn't like that because my proxy server was on my work computer that i used 24/7 and i wanted it on the corp backbone.  Anyways it sounds like there's not a simple solution that i've overlooked. Guess I'll just try playing around with the settings here at my home and see what i can figure out.
  • Non-NAT port redirection

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    Security through Obscurity is not Security! What it might do is reduce the noise in your log, since you won't see all the bot traffic probing on 22 and trying to if your ssh open with user/password, etc. If this guy wants to be secure - I would move him to vpn to be able to ssh in with MFA that makes him jump through like 15 hoops and has 5 seconds to enter his code and then has to ssh from the box you let him into through 2 other boxes inside to get to the box he wants to get to ;) Then he will feel secure ;)  And make sure his passwords change every 3 days..  And he has to get a new cert for his vpn connection every other day..
  • Multiple Xbox Ones - Open NAT using pfSense

    5
    0 Votes
    5 Posts
    4k Views
    C
    I am attempting somewhat of the same thing with setting up a subset for my 3 xbox ones with upnp enabled.  Not much luck. This looks related, but I am not sure on all the details. https://forum.pfsense.org/index.php?topic=103901.0
  • Website sometimes available behind pfsense

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NAT Port forward LAN routing problem

    4
    0 Votes
    4 Posts
    2k Views
    johnpoz
    why should you delete it?  The next poor schmuck might have done the same thing.. Prob will try and file a bug report for pfsense ;)  You would think there was a million dollar reward or something for finding bugs in pfsense with how many times it's mentioned, is this a bug in pfsense ;) Nice to see you didn't mention "bug" hehehe
  • No internet connection ( Netgear 3800B ) (DMZ / NAT question )

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.