• NAT Outbound Pool in a High Availability environment?

    5
    0 Votes
    5 Posts
    543 Views
    D
    OK, that makes sense. Thanks for the quick response.
  • Issues with virtual IP routing :-/

    2
    0 Votes
    2 Posts
    369 Views
    L
    Ohh looks like I resolved the issue by forcing all traffic through gateway :-)
  • Once again: no internet access for VLAN

    22
    0 Votes
    22 Posts
    12k Views
    johnpoz
    You're right about the source being only opt1 good catch, I didn't catch that - sorry.
  • Virtual IP to Outgoing Address

    2
    0 Votes
    2 Posts
    411 Views
    V
    It's possible to use virtual IPs for forwarding, but it's not possible to assign 192.168.1.125 to the client LAN, since that IP is out of the server LAN's network. However, you don't need to assign a virtual IP for what you intend if pfSense is the default gateway in the client LAN. If so, just add a NAT port forwarding rule to the client LAN for dest: 192.168.1.125:443 target: 195.78.228.226:443 and it will do the job.
  • Outgoing NAT'ing from a single IP

    12
    0 Votes
    12 Posts
    1k Views
    _neok
    @_neok said in Outgoing NAT'ing from a single IP:
    @jimp thanks for reply. I was able to make it work. There are some tricks to make it work well. Now I have to go. Tomorrow I write how I made it work. Bye Gabriel
    I had a rule to allow me to navigate my entire LAN through another gateway. I had to make an IP alias of my LAN by taking out the local IP in question. Along with that I set the local IP to go out to the internet through the same gateway over which is the interface that has the VIP associated. That, in combination with the Hybrid Outbound NAT and that's it. I was able to fix it.
    Thanks for help
    Best regards
    Gabriel
  • need help in outbound traffic through vips from lan

    5
    0 Votes
    5 Posts
    557 Views
    Derelict
    Never set Outbound NAT from source any. Set it to the inside networks that actually need NAT to happen. I would suggest you start by enabling automatic mode and trying again unless you can state why you need manual outbound NAT.
  • 0 Votes
    6 Posts
    1k Views
    M
    @johnpoz My configuration in: System / Advanced / Firewall & NAT / Network Address Translation / NAT Reflection mode for port forwards is set to "NAT + Proxy" and when I set to "Pure NAT", I can list the ftp content from LAN. So, it seems a solution, as it works. But as I have set Squid Proxy, perhaps it's not a good idea to set "Pure NAT"? Otherwise, can I create a rule which simulates the "Pure NAT" setup with "NAT + Proxy"?
  • Moving from VYOS to PSFSENSE

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    NogBadTheBad
    Never done it myself but try:- https://www.netgate.com/docs/pfsense/book/nat/1-1-nat.html#example-ip-address-range-1-1-configuration
  • Web Server & SSH port forward issues

    port forward ssh dual lan
    7
    0 Votes
    7 Posts
    2k Views
    W
    @kom The first link I glanced over before but I can now access the web server both on the WAN and LAN. I'm even able to ssh to it from LAN to OPT1. I don't remember if it was one of the videos you linked or some random third video but I didn't understand that requests get sent out on a random port. So those source ports would have never worked. Sorry for not understanding that sooner. Thank you for the references and your time.
  • Redirect to Wan IP

    1
    0 Votes
    1 Posts
    263 Views
    No one has replied
  • Forward Traffic from Virtual IP to target behind WAN

    7
    0 Votes
    7 Posts
    892 Views
    A
    @kom said in Forward Traffic from Virtual IP to target behind WAN:
    OK. Now what about the captures? That's the only way to really see what's happening.
    I went the easy route and ditched my previous attempts. I just created Port Forwarding Rules for the required hosts. Not elegant, but works for me.

    | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports |
    |---|---|---|---|---|---|---|---|
    | LAN | TCP/UDP | * | * | 192.168.20.2 | 1 - 65535 | 192.168.1.2 | 1 - 65535 |
    | LAN | TCP/UDP | * | * | 192.168.20.1 | 1 - 65535 | 192.168.1.1 | 1 - 65535 |

    Sorry for the delay (blame it on the holidays)
  • Adding large number of NAT policy without disturbing the existing NAT conf.

    20
    0 Votes
    20 Posts
    2k Views
    T
    @johnpoz If we create 1:1 NAT then we have to create IP alias (VIP) for each public IP, right?
  • How to configure NAT from Shell Command?

    1
    0 Votes
    1 Posts
    319 Views
    No one has replied
  • When OpenVPN is up WAN Outbound stops

    3
    0 Votes
    3 Posts
    481 Views
    C
    @derelict Oh man... I knew it was something simple. I had done this once before and completely forgot about that "Don't Pull Routes" option. Thank you so much!
  • SSH Port Forwarding from custom ports to port 22 does not work!

    3
    0 Votes
    3 Posts
    981 Views
    S
    Thanks for your response. I have double-checked all the config and the problem was that this network does not have full internet connectivity. Only ICMP and DNS work. The solution turned out to be to disable hardware checksum offloads. Now all works fine. We can close this case.
  • NAT Reflection, Which one to use?

    7
    0 Votes
    7 Posts
    900 Views
    V
    Okay thanks for that. I think I have the split DNS working okay and will find out tomorrow when I turn the NAT reflection off.
  • Virtual IPs Port Forwarding

    2
    0 Votes
    2 Posts
    588 Views
    Derelict
    Why do you have a VIP on WAN in the same subnet as LAN?
  • Outbound NAT Issue

    5
    0 Votes
    5 Posts
    708 Views
    Derelict
    You should not need any floating rules. You do need rules on LAN that pass all of the traffic coming from the downstream router. It looks like you have that as all of RFC1918. That might or might not be a problem as you add VPN connections. I would move them from floating to the LAN interface tab. It's much more straightforward.
  • setting default port forwarding. possible?

    3
    0 Votes
    3 Posts
    397 Views
    johnpoz
    that would be a 1:1 nat... And to be honest really never a good idea.. How many freaking ports could you ever need to see unsolicited traffic on? Normally this would only be done when the customer is behind your firewall and they run their own firewall, etc. If this box is under your control - just forward the ports you need to it.
  • Outbound NAT problem on OPT1 using OpenVPN

    7
    0 Votes
    7 Posts
    934 Views
    L
    Sorry, but I've been studying documentation for a couple of days till now where I'm really stuck :( Outbound rules: [image] Port forwarding: [image] and connected Firewall rule: [image] Firewall passes packets: [image] but blocks connections back: [image] and I don't know the reason because I'm not filtering LAN to OPT1 connections: [image]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.