• Does encrypting DNS queries over TLS have an effect on streaming TV ?

    3
    0 Votes
    3 Posts
    615 Views
    Michel-angeloM
    Thank you jimp. On my question to them, Molotov TV confirmed to me that they cannot warrant anything if I do not use my ISP's DNS servers. Well: my chosen servers are Cloudflare's and Quad9: nothing to do with my ISP. So I used this setup two or three evenings with, on the pfSense firewall, forwarding mode unchecked (off). I could watch TV through the Apple TV and Molotov, everything worked. To be extra sure, I tried as a last attempt to check again forwarding mode, to return my setup exactly to what it was in the first place when my tests failed. It should fail as it did before. But it now works beautifully. I double-checked and rebooted the firewall. Still works. I feel like a fool with my silly questions. Maybe my little 127.0.0.1 DNS server knows it all and no longer needs any assistance. Thank you for the reply. It helped a lot, and my Apple TV now works, hopefully with DNS over TLS using Cloudflare and Quad9's DNS servers.
  • pfsense blocking access from other routers clients

    nat port forward
    6
    0 Votes
    6 Posts
    2k Views
    W
    @Grimson said RTFM: https://docs.netgate.com/pfsense/en/latest/interfaces/interface-settings.html#private-networks Thank you Grimson, after Reading The Fine Manual. I concluded that since the WAN IF of the pfSense router actually does not have a public IP and has an RFC 1918 IP address, 192.168.1.253, I think it is secure from outside attack over the internet even after turning off the block for private IP addresses and loopback addresses, and this is the proper way to configure it and not a workaround. Please correct me if I'm wrong. [image: 1554208890853-wan-if.jpg] [image: 1554208900093-rfc-1918.jpg] Thanks
  • Port forwarding to an host that have a gateway different than pfSense

    3
    0 Votes
    3 Posts
    617 Views
    I
    Hello jimp, thank you very much, the new rule works. I would never have thought of using outbound rules to change inbound port forwarding. All the best, Ivo
  • [solved] IPSec concentrator behind a Netgate box

    ipsec nat forwarding
    2
    0 Votes
    2 Posts
    705 Views
    FrankyeF
    I managed to ... sort of solve it. Netgate support told me to try and put each tunnel on a different internal IP alias. After doing that (and creating the relative NAT and firewall rules on the border box) the second tunnel got up. I still have no idea why this is the case exactly, but I'll take the working tunnel over understanding pfSense's IPsec and/or NAT mechanics for now.
  • Port forward from custom public port to private port

    2
    0 Votes
    2 Posts
    358 Views
    DerelictD
    https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html
  • SIP Registration Failed to 1/2 SIP providers

    2
    0 Votes
    2 Posts
    242 Views
    A
    @samax2207 capture your SIP traffic and analyze it
  • NAT Reflection/Port Forwarding Question

    2
    0 Votes
    2 Posts
    320 Views
    GrimsonG
    RTFM: https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html#method-2-split-dns
  • Outbound NAT is not enforced for the FW

    1
    0 Votes
    1 Posts
    259 Views
    No one has replied
  • nat/port forward and routing misconfigurtion ?

    4
    0 Votes
    4 Posts
    486 Views
    DerelictD
    What? Post screenshots of all of this please.
  • Rules need to be reloaded on every boot for Hybrid Outbound NAT to work

    5
    0 Votes
    5 Posts
    658 Views
    M
    @rosenstand Hi, have you got this sorted out? Or does anyone else have a fix for this? :)
  • 1:1 NAT, TCP works but ICMP does not

    1
    0 Votes
    1 Posts
    194 Views
    No one has replied
  • 0 Votes
    3 Posts
    385 Views
    T
    Hello Derelict, Your advice has worked very well. Thanks
  • no port forward into vlan

    8
    0 Votes
    8 Posts
    772 Views
    C
    Gosh, found the problem for that :) I used the wrong gateway, so changing Dest. Address to the VLAN10 address did it for me. Thank you very much. PS: can't edit the post above due to spam detection.
  • NAT question

    7
    0 Votes
    7 Posts
    815 Views
    DerelictD
    Put the IP Alias VIP on LAN. Put a port forward on LAN forwarding connections to the VIP:443 to the Web Server:443. That will override the connection to the WebGUI. You will still get the web gui on the LAN address:443
  • Outbound NAT - no IP/Host in source drop down

    3
    0 Votes
    3 Posts
    324 Views
    S
    @jimp Thank you very much for the fast response. SOLVED
  • Using pfBlockerNG Alias as source for NAT rule

    6
    1 Votes
    6 Posts
    1k Views
    B
    Thank you kind sir. I appreciate the advice. B
  • Losing connection to remote desktop

    3
    0 Votes
    3 Posts
    690 Views
    ?
    I downloaded a different VPN client after spending far too long trying to solve this and it seems to be working fine. It is just bad timing that it started happening with the change in firewall, a spurious correlation. Everything was configured correctly and happening on multiple machines and different users.
  • Check my port forward rule please

    5
    0 Votes
    5 Posts
    483 Views
    A
    Okay made the change to the 'dest'. Thanks for the help fellas..
  • Fort Forwarding SMTP - One wan works the other does not

    4
    0 Votes
    4 Posts
    371 Views
    jimpJ
    @wurstsemmel said in Fort Forwarding SMTP - One wan works the other does not: Sorry for reposting. If I set the corresponding gateway in the wan interface configuration, everything works as expected. I am confused, as the guides for CARP clearly state NOT to do this. I'm not sure where you read that, but the HA guides don't say not to use gateways on WAN interfaces. Perhaps you misunderstood some other HA point. All WAN-type interfaces should have a gateway selected on their interface configuration.
  • nat for 2 email servers with just 1 wan?

    12
    0 Votes
    12 Posts
    1k Views
    GertjanG
    @periko said in nat for 2 email servers with just 1 wan?: Is possible to NAT traffic for both servers using the same email ports 465/993 on each one? These are ports to deposit mail for sending (smtps) and consulting mails on a mailbox/server imaps (993). These two ports are probably used by fat-mail-clients like Outlook or Thunderbird. Take the more intelligent (smaller ?) user (== domain ?) group of your 2 mail servers, and say to these guys: "Hey, guys, if you see somewhere that mentions port '993', change it for '994' - idem for 465, make that 466." Now you can NAT easily on your side. Most people don't care less what they have to choose, they only set up a mail client once, and will redo it when their computer breaks down after X years. They don't know why it's "465" or "993" anyway. Note: this won't work if it concerns port 80 or 443 .... people don't know that they use these ports several times a day
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.