@KOM @KOM said in (SOLVED) Problem with client connect through static IP cable internet: Both pfSense and OPNsense are based on FreeBSD, 11.1 and 11.2 respectively. It doesn't make sense that you could install OPNsense based on 11.1 but not pfSense based on 11.2 on the same hardware. Oh well, at least it's working for you. 11.1 and 11.2 respectively. A lot of things did not make sense in this whole process Maybe it was the hardware, maybe it was pfSense. Same to me if I am honest since OPNSense with the new machine installed/worked just fine and from the functionality they seem to overlap quite heavily. Works for me.

If your LAN rules allow traffic to hit Unraid, then the wifi clients traffic will pass as well. Are you sure the AP isn't blocking it for some reason? A packet capture on LAN while you run some connectivity tests will show if pfSense is even seeing that traffic or not.

@maverickws said in IPv6 over IPv4 Tunneling: You don't need to configure NAT for this. The rule you need is a Pass on the WAN interface (Firewall > Rules > WAN), I believe allow any to any or any to host and on protocol (not address family) you select IPv6 I think that's it. Yes, I did that. Protocol IPv4 IPV6 Source any Destination (tried any or my VM IP) and this rule does match the state that is created when I ping out. But still after it times out incoming connections are dropped and don't show up in firewall logs. So it's inbound NAT that isn't working and I suspect it has to do with that error I'm getting in the original post.

Thanks @Nitrobeast - really appreciate the help!

Finally i solve it myself using this link https://docs.netgate.com/pfsense/en/latest/interfaces/using-public-ip-addresses-on-an-interface.html The idea is to not ANT second /subnet as it s already an Public IP subnet.

Hey, Thanks for the detailed video, I have followed the steps and used the template provided in HAproxy to send traffic to same backend server using host names in the ACL, however when I hit the first site for example site1.com, its working fine, but when I hit site2.com, its not working, any idea why this config is not working

https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html -Rico

No. Port forwards need to be configured on each incoming WAN interface.

@KOM Total mess today but hey, now it rly works because I did configure static ones on the servers.

I was going to next suggest that you packet capture on both WAN and LAN to see if the packets are hitting and where they're going but you figured it out. Glad to hear you've got it sort of working. You want your modem in bridged mode so that it acts like a dumb pipe without any firewalling or NATing. If that isn't possible then you're stuck with double-NAT where you forward ports on both your modem and pfSense. Blech.

pfSense does not use static source ports by default due to a security risk that allows attackers to potentially use that to intercept data. I don't remember all the specifics as it was long ago tat I read that (assuming Im even remembering it correctly.) For your gaming purposes, there is nothing wrong security-wise with adding an outbound NAT rule to make traffic from your console use static ports.

[image: 1560789623357-thumbnail_20190617_122334_burst01-1.jpg]

@cdegroat82 Well, this is not something pf related. The combination of pf vlans, esxi vlans switced based vlans and l3 routng at switches can become quickly overly complicated and its easy to overlook something. Hope the rebuild has solved it :)

This has been gone over like a 100+ times... You do not need to forward 20, ever!!! You need to forward the passive ports your going to use, and you need to make sure your ftp server hands out your actual public IP vs its rfc1918 address. But again as rico says ftp BAD! ;) Use sftp and now you don't have to worry about any of the active passive stuff on the data channel.

By default pfSense translates source addresses of responses back to the external address the request was addressed to when the packets go out. Can you provide more details?

good news, you are welcome, I'm glad I was helpful