• Disable WAN Network reachability from LAN

    0 Votes, 4 Posts, 638 Views
    You may still have access to the internet over the gateway and to the public IP of the gateway, but not to the internal address of it (WAN net) with that. If you want to block any traffic from LAN, disable the default allow-any rule on the LAN interface, but ensure that you keep access to the WebGUI (Anti-Lockout rule). @user7364 said in Disable WAN Network reachability from LAN: When I disable the LAN > WAN Rules (auto created) under Firewall > NAT > Outbound everything seems to work. But I do not know if I need the rules for something. That's the NAT rule translating the source IP of outgoing packets to the WAN address. If you don't need internet access you may disable this.
  • ISP -> Synology NAS (reverse proxy) -> PFSense -> HAProxy -> ADFS

    0 Votes, 3 Posts, 1k Views
    Success! Got it working, with the PFSense / HAProxy in the middle. The trick is to enable SSL Offloading on HAProxy and import the required certificates. Disclaimer: SSL Offloading is NOT supported for AD FS; only use this in your lab, not in production environments: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-faq#x-ms-forwarded-client-ip-does-not-contain-the-ip-of-the-client-but-contains-ip-of-the-firewall-in-front-of-the-proxy-where-can-i-get-the-right-ip-of-the-client This thread can be closed. Kami.
  • PFSENSE: 2nd WAN IP for 2nd internal LAN

    pfsense 2 public addre
    0 Votes, 2 Posts, 306 Views
    chpalmer
    You would set up a virtual address. https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html?highlight=virtual Then either port forward or use 1:1 NAT to the second address, plus some WAN firewall rules to let the traffic pass.
  • Can not block traffic from wan1 to single internal IP

    0 Votes, 10 Posts, 690 Views
    johnpoz
    You're not understanding how it works.. That is what the problem is!! Your rules allow anything on the lan to go anywhere outside the lan... Which wan interface you use is via the gateway group you set up.. [image: 1558173210668-wangroup.png] So you have this... [image: 1558173023972-outbound.png] If you don't want 10.0.0.22 to use wan 1, then you have to set up a rule on lan to only send it out wan2 - not your group.. If you allow traffic out from wan1 from the client - then YES the answer will come back via that interface.. [image: 1558173282293-answer.png] You could do, say, this if you only want that .22 box to use wan 2 [image: 1558173860220-somethinglikethis.png] Rules are evaluated as traffic enters an interface from the network it's attached to... First rule to trigger wins, no other rules are evaluated.. So your rule says hey, anything on the lan - go out this gateway group which includes both 1 and 2.. So yeah, that is what is going to happen!! And then yes the answers will come back through the wan interface it left on. If you don't want a specific client to use the group, then force it out a different one... Keep in mind you need to make sure what happens when wan 2 is down - then it could still go out the group and therefore wan1.. Depending on what you tell pfSense to do with the rules when the gateway is down, etc.
  • Not able Access OPT1 through NAT

    0 Votes, 3 Posts, 198 Views
    @systemadmin said in Not able Access OPT1 through NAT: OPT1 (192.168.55.26) has a DHCP IP, which it is getting from another Sonicwall firewall. We want to give NAT access to the machine which has an IP from the Sonicwall firewall. That reads like the devices on the OPT1 network are using the Sonicwall as default gateway. So you will get an asymmetric routing issue unless you configure the devices to use pfSense, or do NAT on outbound packets on OPT1, or route the traffic meant for those devices over the Sonicwall. @systemadmin said in Not able Access OPT1 through NAT: Please find packet capture for not working NAT rule: Can't find any IP address in the capture, so it says nothing about NAT.
  • Forwarding port 80 didn't work

    0 Votes, 16 Posts, 6k Views
    @KOM Understood, thank you very much
  • I cannot for love nor money get port 2302 and 27015 open, please help

    0 Votes, 40 Posts, 6k Views
    @Gertjan it's on WAN and I am sure the server is accepting connections, as when I use my default network setup (Virgin router only) the DayZ server shows up to the community, but when I switch back to pfSense the server doesn't show
  • port forwarding router behind pfSense

    0 Votes, 5 Posts, 531 Views
    Hi Gertjan, just wanted to let you know that I tried the NAT rules like you said and it works perfectly now. I was making a huge mistake while creating rules in pfSense, but now I understand. I learned a lot today, so I'm very happy right now. So thank you very much for your help. The next step will be to buy myself a smart switch like you said and put my server in another VLAN, so I might have another question soon :)
  • Just can't get Port forward working

    0 Votes, 7 Posts, 451 Views
    GotYour6
    Couldn't resist, could you? Can't blame you though.
  • redirecting local access to my external ip

    0 Votes, 7 Posts, 558 Views
    Ah, now I see the problem. Double NAT. Thanks for your help.
  • Outbound rule not working?

    0 Votes, 12 Posts, 1k Views
    OK. The stupid modem/router wasn't translating correctly. In bridge mode it works flawlessly. The only difference between this and my other location is the router. Here I have a TG789vac from Technicolor, branded TIM (the ISP); the other one is a D-Link DVA-5592, it is not branded and the ISP is Wind (Italian ISPs). Guess that the D-Link with only DMZ set up also does the static port and the Technicolor does not. Good to know. Thank you for your help. Much appreciated.
  • NAT for Two LAN Subnet

    0 Votes, 2 Posts, 172 Views
    johnpoz
    So you want to access an IP in the opt1 network, where that IP points to a different gateway.. If reading that correctly... Could draw it up to be clear - but if understanding your ? correctly... You have a couple of ways to do it.. You can either source NAT so traffic from pfSense WAN actually looks like it comes from the IP of pfSense in the opt1 network. Or you could host route on the IP you're wanting to access so it knows how to get back to the source IP via the pfSense opt1 IP.. A 3rd option would be to alter the network layout so you don't run into this sort of issue.
  • Re Routing

    0 Votes, 11 Posts, 815 Views
    johnpoz
    @tobijuan said in Re Routing: So I can assign a dest IP/port Why would you need more than 1 router... If you know the dest IP and/or port - then you can just create the firewall rule in pfSense to send it where you want ("gateway"). Give an example of the application you're trying to route.. How is it you would need appID to determine what it is?
  • Pfsense and Elastix, FreePBX don't have incoming calls

    0 Votes, 1 Post, 148 Views
    No one has replied
  • Can't reach my domain from within my local network that points back to local network

    0 Votes, 3 Posts, 471 Views
    @scootr1975 said in Can't reach my domain from within my local network that points back to local network: I am hosting a website on my own server. I have all the port forwarding set up to reach it from anywhere but on my local domain. I know there is probably a topic on this somewhere but I can't find it. Can someone please help me. Did the answer above resolve your issue?
  • OpenVPN client connects, but no internet, likely due to NAT rules..

    0 Votes, 1 Post, 234 Views
    No one has replied
  • NAT Reflection mode for port forwards not working for internal IPs to access through Public IP.

    0 Votes, 4 Posts, 1k Views
    KOM
    @9thplayer said in NAT Reflection mode for port forwards not working for internal IPs to access through Public IP.: To be clear, we are using an internal DNS server, not using the firewall's DNS. So why not add an A record to your internal DNS that resolves your FQDN to its LAN IP address, which is method 2, split DNS? Much better than hairpinning out and then back in again just to reach a local resource.
  • pfSense and Skype for Business SIP issue with Private IP

    0 Votes, 14 Posts, 1k Views
    chpalmer
    @andrew-frowen said in pfSense and Skype for Business SIP issue with Private IP: Just to confirm, our Skype for Business end users can call and the endpoint rings, but no media flows when the call is answered; this is the same for inbound calls. Normal SIP phones also need RTP. I'd be watching firewall logs for blocked traffic while trying to make a call and add firewall rules accordingly.
  • Routed IPSEC and outbound NAT

    0 Votes, 1 Post, 303 Views
    No one has replied
  • Port forwarding IP cams, is it that bad?

    0 Votes, 19 Posts, 2k Views
    jimp
    HTTPS or not, if the port is exposed and the stack is weak, it can be accessed remotely by attackers. Doesn't matter if you think you are not worth finding, scanners will find you. https://www.shodan.io/explore/tag/webcam
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.