• Plex forwarding issues

    18
    0 Votes
    18 Posts
    1k Views
    kiokomanK
    good news, you are welcome, I'm glad I was helpful
  • Port 53 on 2+ machines

    6
    0 Votes
    6 Posts
    521 Views
    J
    @Rico port 53 is required for DNS on a CONTROL PANEL! for host. Also the second server machine is hosting DDNS that also requires DNS with default port "53". What I'm asking: is there a way to route port "53 DNS" to pfsense and then from pfsense to machine 1/2?
  • 1:1 NAT across IPsec tunnel?

    2
    0 Votes
    2 Posts
    274 Views
    jimpJ
    You have to use Phase 2 entries with BINAT. You can make one phase 2 entry per mapping if you must do them individually.
  • simple NAT not working during outbound NAT part (for some VLAN, not ALL)

    5
    0 Votes
    5 Posts
    409 Views
    X
    I will do an upgrade for this FW ASAP, but as it is a production, I can't do that as quick as I want.
  • Assistance enabling external access into LAN (NAT/port-forwarding)

    13
    0 Votes
    13 Posts
    876 Views
    J
    Confirmed issue with ISP provider, their mystery device is in fact a router and has its own port-forwarding rules. I had misconfigured pfSense to the wrong IP on the mystery boxes' network, issue resolved after configuring pfsense correctly :-)
  • IPSec behind router | IPSec detrás de un router

    pfsense
    1
    0 Votes
    1 Posts
    374 Views
    No one has replied
  • Port Foward Works randomly

    4
    0 Votes
    4 Posts
    533 Views
    RicoR
    You can't just use any public IP in private networks without getting into trouble. There are 17.89 million addresses reserved as private, so why the F you use public space? -Rico
  • Issues reaching devices on my network (NAT Suspected)

    4
    0 Votes
    4 Posts
    448 Views
    chpalmerC
    @theRealPhoenix said in Issues reaching devices on my network (NAT Suspected): ping from 172.16.100.8 -> 172.16.100.10 If this is on the same subnet.. IE. not a couple of /29 or something then they are behind the same router interface. If they are on the same subnet then the traffic from one of those to the other never touches the router. That's handled as a switch function. Your router only sees traffic it needs to pass from one interface to another. If traffic meant for an address outside of the subnet then the traffic is directed by the switch towards the "gateway" address for the gateway device (in this case your pfsense box) to pass through it for another interface. If traffic is meant for another address inside the subnet then the traffic is directed to the other device by the switch. The switch will not send the traffic to an interface it is not meant for. That includes your router. :)
  • Cannot ping WAN default gateway when sourcing from LAN

    2
    0 Votes
    2 Posts
    458 Views
    S
    Oh crap, I found out what it was: Do NOT disable the firewall under System>Advanced>Firewall
  • Public ip for mac address

    4
    0 Votes
    4 Posts
    858 Views
    johnpozJ
    @stijnroaer said in Public ip for mac address: they hand out a 10.x.x.x address Well you can not get to that from public internet - it doesn't route on the public internet.. There is no way to get to a 10 address over the internet.. If you know what the ip is, you could prob get to it via vpn to pfsense, put a vip on pfsense wan that is on the 10.whatever/network and talk to it that way.
  • Internal port forward (Maybe)

    6
    0 Votes
    6 Posts
    459 Views
    A
    @McMeanF what are you hosting on host03!? If it's IIS you can just redirect port 80 or 443 to 10443. If it's Linux based I think you can also do that. I think you need to do the port redirect on host03 rather than on pfsense itself. I already have IIS that redirects port 80 to 443, so I think you should be able to do it at the host03 level. So then for your HAproxy you need to forward to 80,443 rather than 10443 and let the host handle the redirect to 10443. So port 10443 should be open on pfsense, which it is if you are able to connect to host03 from outside. This would solve your problem if host03 is able to redirect from 443 to 10443.
  • 0 Votes
    2 Posts
    310 Views
    DerelictD
    It is very possible that a client device would prefer IPv4 over IPv6 if all it has is a ULA address and the destination is GUA (or even outside the ULA /48). If there is a setting to behave differently, it would be a setting in the client's stack configuration. Needless to say Advanced->Networking "prefer IPv4 to IPv6" is not checked. That is for connections from the firewall itself, not connections through the firewall. The firewall cannot tell the client which to use. It makes a decision based on the status of its network stack. A setting such as that on the client is what I was talking about up there.
  • Outbound works fine, but cannot make inbound connections

    11
    0 Votes
    11 Posts
    800 Views
    B
    @automate If you've removed the source alias from both, your NAT and corresponding rule look OK to me. There was a problem with the LB2120 in bridge mode Are you on the latest LB2120 firmware?
  • Portforwading not working default nat reflation

    8
    0 Votes
    8 Posts
    565 Views
    B
    @johnpoz yes I have made it passive too and port forwarded. I must use it because my hosting provider only supports FTPs and that's why. Normally I using sftp but here it still behind. Hope one day it fixing this.
  • Strange behavior with UDP protocol

    12
    0 Votes
    12 Posts
    1k Views
    jimpJ
    And what is in that alias? It must only contain one entry, an IP address. Do the contents of the table show up under Diag > Tables? Does it work if you remove the alias and put the IP address in directly? The rules have no matches, so there must not be any traffic arriving which matches.
  • SIP States NO TRAFFIC after WAN connection changes - sometimes

    1
    0 Votes
    1 Posts
    223 Views
    No one has replied
  • Connection reset when using OpenVPN

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • NAT stop working suddenly after a couple of packets

    8
    0 Votes
    8 Posts
    295 Views
    stephenw10S
    Mmm, the only reason you would ever not see that traffic NAT'd when the NAT rule is present and correct is if it cannot create the NAT state due to one already existing. I suspect a state is synced from fw1 somehow and it prevents the correct state being re-created. If there are no replies to the pings that doesn't happen so you see the outbound ping requests all NAT'd correctly. You might be able to prevent that happening with stateless rules for example.... but you need the NAT state synced to fw1 in order for it to send the replies back to fw2. You might be able to use a port forward for that maybe. All pretty ugly! And you would need to replicate whatever you put in place so that fw has connectivity when fw2 is master. Steve
  • NAT without Firewall

    3
    0 Votes
    3 Posts
    2k Views
    B
    Creating a special rule ("allow any to any") named "temporary firewall disabled" on each interface is a good idea. I hadn't thought about it. I haven't read the hints because I'd like to do the contrary (no rules with nat). Thanks for all. I'll test as soon as possible.
  • IPSec and Port Forward

    1
    0 Votes
    1 Posts
    243 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.