Thanks.  It ended up being a configuration error.    I had a gateway defined on the lan interface.  I removed the gateway and added a static route for the lan subnets and everything starting working properly.

yes the port 66000 isnt the one that in want to use, just took an example:) no i just thought it would be nice to be able to access the router from the outside, i Think that i should reconsider to portforward my router. thank you for explaining.

Its named NAT 1-1. Why would you like to nat all ports to your internal ip? Is safer to nat only the ports that you need. If not, why having a firewall if you are going to allow anything from external networks to pass to your internal device? mmm maybe you want a DMZ. That will force you to have a local firewall on the device your internal IP is.

I opened all the doors, and it worked.

I got it solved  :) For anyone else in this situation: the port forwarding must be done by the VPN server as well as by pfSense. I was missing the part about the VPN server needing to forward the ports also. My tunnel was configured to use NAT instead of a direct connection, and it was not forwarding any ports. Once I changed this to use a direct connection and forward port 51413 through the tunnel, the problem was solved  :). [image: vpnprovider_tunnel_config.PNG] [image: transmission_port_open.PNG]

Not unless you also do manual outbound NAT to mask the source of the traffic so it appears to come from your firewall. The problem with doing that is that the remote client will hit pfSense, pfSense will forward to the server, but the server will not send the reply back through pfSense, so the connection will fail. If you use NAT to make it look like the connection between pfSense and the server came from pfSense, it would work, but the server wouldn't know where the traffic really originated.

Hey, Just giving this a bump – any thoughts from anyone on what to do next in terms of debugging/diagnosing this? thanks!

Thank you very much, that was the issue :)

@georgeman: Try setting Outbound NAT to Manual, and setting the option for "static ports", on all involved interfaces. If it works, then you can narrow it down to exactly what port/protocol/interface/destination you actually need static ports on Thank you georgeman, unfortunately this didn't work, after further problem investigation i finally able to pinpoint the problem, the remote server doesn't reply to openvpn client in pfsense (10.0.0.1 => 10.0.0.6) but instead it reply to LAN IP (10.0.0.1 => 192.168.1.12) why is this happening? after researching online i found this issue called masquerading,  any one can help me resolve it please. [image: YnRI.png]

You cannot use Automatic Outbound NAT with a proper/correct CARP configuration. You must be on Manual Outbound NAT and have the CARP VIP specified in the translation address of the rules. The only downside to that vs automatic is that if you add a new subnet, you'll need to add NAT rules for it. That's really all Automatic Outbound NAT does, is to add basic NAT rules for all "local" subnets.

I'm not sure how but everything is now working. and just for the record the 27777 port is still on my LAN and WAN rules. thanks for the support. Can close this now.

pfSense is up and running fine now. The /32 setting on the OPT interfaces was the issue!!! A simple balls up that had me completely lost until I had a brain wave last night. I should have guessed this earlier really. When the outbound NAT rules were autogenerated I kept changing them to NAT the whole subnet rather than just the interface address!!! This is the issue when you use a forum to ask for help you know you will ultimately look like a numpty when your error is found! Thanks for your assistance anyway it helped me think things through until I realised what the problem was.

Tks for your reply so far. The connection speed and stability through public internet is quite bad from Asia to Europe, while it is far better using the internal way through our MPLS (leased line). Your answer convers the part with the virtual address, which seems to be fine with pfSense. In the linked tutorial under "NAT IP" the description says one can only enter an INTERNAL ip as the destination IP, but in our case the destination IP should be the EXTERNAL ip of our hoster. Do I understand it right that way? regards, janosh