• Make traffic always egress on specific LAN IP

    nat bridge forwarding
    2
    0 Votes
    2 Posts
    553 Views
    johnpoz
    I take it these .2 are vips you have set up. What is the source of this traffic? Is it rfc1918 in your network - or public being forwarded to pfsense rfc1918 wan IP? Why do you think you want to do this? What do you think it will accomplish exactly? But sure you could outbound nat into your lan from your lan vip.
  • Unusual port forwarding scenario

    1
    0 Votes
    1 Posts
    271 Views
    No one has replied
  • Port forward problem

    5
    0 Votes
    5 Posts
    560 Views
    A
    @yanafig Do you need the mikrotik router between the ISP modem and the pfsense box? You are probably having a double NAT problem right there, and if your ISP modem supports NAT, maybe even a triple NAT problem... yikes! The best way to do this, if it's possible from your ISP, is to set up the modem in bridge mode, put the public IP address from your ISP modem on the WAN port of pfsense, then do all the port forwarding on the pfsense box. Works almost every time, unless your ISP does some funky stuff upstream on their network. Jeff
  • Port forwarding to a PC under policy route (VPN)

    1
    0 Votes
    1 Posts
    145 Views
    No one has replied
  • 0 Votes
    1 Posts
    220 Views
    No one has replied
  • multiple hosts under one alias does not work in nat rule

    2
    0 Votes
    2 Posts
    258 Views
    J
    Verified as bug in 2.4.4 https://redmine.pfsense.org/issues/9296
  • Nat reflection not working

    1
    0 Votes
    1 Posts
    262 Views
    No one has replied
  • NAT rule limit

    2
    0 Votes
    2 Posts
    224 Views
    Derelict
    No. It does not.
  • pfSense no NAT subnet allocated by ISP

    5
    0 Votes
    5 Posts
    489 Views
    stephenw10
    The only package currently available is ClamAV which is part of the Squid package. It can scan cached http(s) traffic. Steve
  • Failover Port Forwarding to another local IP

    2
    0 Votes
    2 Posts
    289 Views
    B
    I think I found a solution.. Load Balancing... I will dig into this
  • How to communicate with the router from lan ?

    2
    0 Votes
    2 Posts
    187 Views
    S
    I found the solution. Thanks
  • [Solved] Port Forwarding over IPsec Issue

    4
    0 Votes
    4 Posts
    2k Views
    jimp
    A policy routing rule on the LAN only works for connections created by that rule -- new connections leaving the LAN and exiting the firewall (in this case, via IPsec). The connections that didn't work are in the opposite direction -- permitted by the rule on the IPsec interface, NOT the rule on LAN. And putting a gateway on that rule would not be valid.
  • Proxy Cloud

    1
    0 Votes
    1 Posts
    216 Views
    No one has replied
  • Outbound NAT not being applied even though rules are there

    15
    0 Votes
    15 Posts
    556 Views
    junicast
    We use pfSense for another installation with Sony Playstation clients. Those devices are really stubborn when it comes to port randomization, they just won't work with it. That's the reason why we made it the default which doesn't seem to be a good standard. Cisco seems to be doing a mix of both with iOS. They use static ports as long as there's no conflict and only if they detect one, they gamble a different source port.
  • Problem with WAN in LAN

    5
    0 Votes
    5 Posts
    485 Views
    O
    I understand, and I have mitigated some problems like this, adding in my hosts file the IP 10.0.0.3 to the mail.domain.com domain, however I have 10 VMs using the same service, I have done the same action in the 10 VMs, my question is why does this happen? Why pfSense has that behavior, if everything will work fine, I shouldn't do this, that is, there is a problem because this is a temporary solution, if everything will work fine I would not have to make any changes to my servers to add that data. Thanks @johnpoz
  • NAT, every other connect works

    3
    0 Votes
    3 Posts
    392 Views
    B
    So here's the resolution. Writing things down for my previous posts helped me to debug it. The answer was: create a new interface for the openvpn client use and then update the NAT rules to use that new interface. So to setup a vpn for your subnet behind pfsense, you need to do these three things: (1) setup openvpn client, (2) create a new interface for the openvpn client dev, (3) create NAT rules for the new interface. Point 2 is not necessary if you have exactly one openvpn something (=client or server) on pfsense. But it would be good practice to always create a new interface, as it avoids errors later on.
  • Interface groups and aliases in NAT cause connection problems

    1
    0 Votes
    1 Posts
    135 Views
    No one has replied
  • 0 Votes
    2 Posts
    922 Views
    johnpoz
    @malbor said in FTP Server behind PFSENSE not directory listing (active/passive connections): "nat over ports 20" That's never going to be needed - there is never a scenario where you would port forward 20.. Understanding how active/passive works is step 1 https://slacksite.com/other/ftp.html Where are you testing from? You need to test from outside... Throwing nat reflection into the mix, ie trying to hit your public IP to be forwarded back in from a client on your network is going to be just more confusion for you. If you're doing active ftp from outside... The only thing required is port forward 21 (control channel).. Since now the server will make the connection to the client for the data channel.. So unless you're filtering outbound connections server would be able to talk to the client. Where you could run into issues with that is the client firewall not opening the inbound ports for the data connection from the server. In passive connection to the server.. You need to make sure that the server actually sends your public IP, and not its rfc1918 local IP. You also need to make sure that server uses a specific range of IPs for its passive ports, and you forward these on pfsense to the server, say 5000-6000 or something.. Where you run into a problem with that from the client point of view is maybe those ports are not allowed outbound.. So again.. Understanding how the protocol works, what you're doing active or passive is step 1.. Another issue you could run into is if the client is say windows cmd line ftp command, it can not do passive only active. So even when you send the pasv command, it doesn't work.. Since the client is only capable of active. "but there are batch scripts that require this type of connection." That gets me to think you're using the windows ftp client, which can not do passive connections.. You know sftp/scp can be scripted as well.. And now you only need the 1 port..
Have you read https://docs.netgate.com/pfsense/en/latest/nat/setup-ftp-server-behind-pfsense.html
  • Port forwarding to an Alias of IPs, but only one active at a time

    4
    0 Votes
    4 Posts
    489 Views
    johnpoz
    Nope no magic there - I would assume it just takes the first IP it finds in the alias.
  • How to monitor specific port forwarded traffic

    port forward montoring
    4
    0 Votes
    4 Posts
    963 Views
    G
    What I ended up doing was using pftop, filtering on the dst port (which should be the internal port on the internal host), and looking for established connections.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.