@red_cat1930 said in Port forward from LAN to WAN with failover: oundrobindns.txt –start-- X.X.X.X anyhost.anydomain Y.Y.Y.Y anyhost.anydomain --end-- 2. add addn-hosts=/roundrobindns.txt to DN One simple way to do it now is just to 1:1 NAT Mappings your WAN to your Failover. So go to Firewall / NAT / 1:1 and add an entry for your Failover interface, with the Failover IP as the External IP and the internal IP being the regular WAN IP Sorry... this is the best SEO for this subject.

@Gertjan When you connect to your FTP server on the same LAN as your device (PC), have this FTP client using Active mode (?). : active mode in LAN just works fine, but can not login through passive mode. second ftp server to accept only LAN connections through 2121 is seems like good idea, let me work on that.

Now I'm confused. You have two guest hosts on esxi, one of them being the pf. And you have full admin access on the guests. So you can change the default gw on host1 to point to pf lan on host2. I suspect these two are on the same bridge or other common interface. As for the rest of the network, you can route eg all rfc1918 ip space to original default gw and keep everybody at bay. Perhaps I'm missing something here. Please elaborate.

Maybe there is an rather "easy" solution, NAT Loopback I was told. I run a service on a different machine and try connect to it using the DDNS-Address, where no split-DNS is used. If I can connect, the server should also be reachable from the outside. If I can't connect I am probably on DS-Lite. In my case, client and server are jabber IM, so it is running anyway and that would help me, if this really "works" as intended.

Should be no problem for HAProxy. :-) -Rico

No, the traffic doesn't get duplicated. It goes by the first match wins. So if the first rule in your rule set matches, it is applied and subsequent rules are ignored.

You're an idiot or a troll, I don't care. I don't have patience for people like you. Blocked.

At layer 3, you're right. It appears that the print drivers scan the local network at layer 2 looking for the printer, so while I could easily create ACLs (they are actually in place now), the systems on the "inside" network don't find the printer on the guest network. Thanks

@Mellowlynx To set a single IP in the outbound NAT, you have to select Network, enter the IP and select 32 for the mask.

@klausneil said in CREATE NAT TO SAME PORT ON DIFFERENT SERVERS: Hi, i need help in a configuration i dont know how make this but the problem is this i have a antispam server (192.168.1.2) your ip public is 190.89.21.11 and have ssh port (22/tcp); also i have a mail server (192.168.1.3) your ip public is 190.89.21.12 and have the same ssh port (22/tcp), what is the rule that can allow conect two different server with the same port or only can change the port of one they Yes i already did that

wow, sorry I didn't explain. Externally things like my phones & tablets seem to only have an IP6 address. pfSense 2.4.5 is between my internal IP4 network and the world. I guess the first question should have been: can external devices with IP6 only addresses be passed through pfSense to access items on the internal network (ipv4)? If so is there anything special I have to do to set this up. I have found things like in advanced networking like all ip6 traffic will be blocked by the firewall unless this box is checked. I am not sure if the previous NAT entries (that worked with ip4 -> ip4 rules) have to be modified for ip6 -> ip4 or it might be my ISP changing their rules and blocking more than they used to .

Just click the button to show advanced when you are creating the port-forward. Then put in the IP in source.

You have to add all your public IPs as IP alias (Firewall > Virtual IPs). Then go to Firewall > NAT > Port Forward and add a rule to forward port 443 to your OWA server. The destination is your virtual public IP. In the rule settings you can select that pfSense adds an assigned firewall rule automatically. With 1:1 NAT pfSense uses the entered public IP also for outbound connections from the stated internal device and the 1:1 conjunction is applied to any ports. This may be not necessary in this case, but is possible as well. However, using 1:1 NAT you must add firewall rules manually.

Hi, well at final all this it was by my ISP they make a wrong configuration in your cisco modem but well now all is right. Thanks to viragomann

nice