• Issue with Outbound NAT using Network and Broadcast addresses

    0 Votes
    3 Posts
    542 Views
    Thank you Derelict. The Host Alias feature is doing exactly what I need and want it to. Guess I had missed it when reading through the documentation.
  • 1 to 1 NAT for LAN subnet to WAN

    0 Votes
    18 Posts
    1k Views
    johnpoz
    Once you have a tunnel there is no need for 1:1 nat or any nat.. The tunnel is used to route the traffic to get to your network.. The whole POINT to a vpn.. If you were going to create a tunnel - there is zero reason not to encrypt it because it's going over the public internet.
  • TorGuard / Port Forward / Adding VPN

    0 Votes
    5 Posts
    1k Views
    So one more oddity in the whole process. If I reboot, the port forward stops working. To get it working again, I simply just re-apply the firewall rules with no changes to them and it works again. Is there a way to capture a before / after that would assist in figuring out why it isn't working on the reboot?
  • 0 Votes
    3 Posts
    6k Views
    @gertjan said in Cannot port forward: "not a valid redirect target port. It must be a port alias or integer between 1 and 65535":
      @freddyh said in Cannot port forward: "not a valid redirect target port. It must be a port alias or integer between 1 and 65535":
        The selections made under NAT/Port Forward/Edit; the rest left at pfsense default
        Interface: WAN
        Protocol: TCP
        Destination: WAN
        Destination port range: 443
        Redirect target IP: 192.168.2.100
      Strange, you are omitting the "Redirect target port" field. It should be
        Redirect target port: 443
      and then pfSense will accept your NAT rules: [image: 1534259823312-dfbacfd7-24b6-425f-a5c5-dfa51fc730d1-image-resized.png]
      Gertjan
    Thanks so much. Problem solved. It's the small things that are overlooked. It's been a crap day solving problems that I didn't even see that one. Appreciated!
  • Can't reach internal web server

    nat
    0 Votes
    16 Posts
    2k Views
    johnpoz
    Also where did you come up with this 200.10.1 ?? That is not rfc1918 space.. It's owned by
      inetnum: 200.10.0/22
      owner: Administradora BANCHILE de Fondos Mutuos
      Country: CL
    You do not just pull space out of thin air and try and use it, even if behind a nat. Your HOME Network should be using rfc1918 space..
  • Pfsense missing return packets during NAT

    0 Votes
    18 Posts
    3k Views
    Derelict
    When the reply packet was received by the firewall it had no route in the routing table for the destination so it returned Destination Unreachable.
  • 1:1 NAT with Firewall

    0 Votes
    2 Posts
    432 Views
    Derelict
    Going to need a much more detailed description of what you have done and what you expect to happen. Screenshots would probably help.
  • I am using pfSense firewall, but...

    0 Votes
    3 Posts
    564 Views
    johnpoz
    @sammartin8935 said in I am using pfSense firewall, but...:
      to protect you from viruses and other security threats, in the end you will still need a good antivirus and VPN
    Needs a VPN why exactly? Sorry but your typical user does not need a vpn..
  • NAT on "LAN" interface

    0 Votes
    2 Posts
    426 Views
    For whatever funky reason, a reboot fixed this issue. Looks like the allow any any rules were not being loaded correctly.
  • NAT via IPSec VPN

    nat vpn ipsec routing n firewall
    0 Votes
    4 Posts
    924 Views
    I stand corrected! ~Mat
  • Plex Server (192.168.30.8) <--> Roku (192.168.31.4)?

    0 Votes
    5 Posts
    861 Views
    johnpoz
    yeah you should have private domain setup as well, but you also want to set your networks as lan as above in my pic. I would not suggest you disable rebind protection, but setting specific domain as private is easy https://www.netgate.com/docs/pfsense/dns/dns-rebinding-protections.html [image: 1533545693238-plexdirect.png] [image: 1533546683315-direct.png]
  • NAT done to VIP But SSH connection not working

    0 Votes
    5 Posts
    617 Views
    Derelict
    You are probably going to have to post exactly what you want to do. https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html
  • Outbound NAT problem on Multi WAN setup

    0 Votes
    4 Posts
    565 Views
    jimp
    You do not need to disable any outbound NAT. If the traffic from the mail server leaves WAN2 (or whatever your failover WAN is called), it will not hit NAT rules on WAN, only NAT rules on WAN2.
  • NAT to DMZ

    0 Votes
    8 Posts
    1k Views
    Hello Derelict, It is working fine now. I configured some new servers and it works charm.
  • Force redirection of DNS for OpenVPN traffic

    0 Votes
    11 Posts
    4k Views
    Derelict
    If it were me I would want to figure out why. The server either pushes redirect-gateway def1 or it doesn't. The client either accepts and acts on it or it doesn't. The need to use manual push routes has all but been deprecated by the Local Networks setting in the server config itself. I would take a good, long look at all of the new options that have been added to the GUI config and transition to GUI widgets any custom options that are now implemented as GUI widgets.
  • Port forwarding

    0 Votes
    3 Posts
    447 Views
    @viragomann I understand. Thanks.
  • Outbound NAT: Disable NAT for specific host

    0 Votes
    5 Posts
    901 Views
    I don't want to make a transparent bridge and won't use the same network on both sides. So I try to add some static routes on both sides and disable the NAT functionality.
  • Can I hide/masquerade incoming IP?

    0 Votes
    10 Posts
    1k Views
    Derelict
    Outbound NAT does not route traffic. It only determines what NAT happens to traffic flowing out that interface when it is already routed that way.
    @jusschwa said in Can I hide/masquerade incoming IP?:
      So here is what my routing table looks like on the client:
      default gateway is to 10.10.10.82 over eth1 (data interface)
      192.168.123.0/24 is over eth0 (management interface)
      10.10.10.0/24 is over eth1 (data interface)
    What is this client? If that is its routing table and it is routing any traffic destined for 192.168.123.254 to 10.10.10.82 it is wrong. Unless there is policy routing or something present outside the routing table you provided there routing that way.
  • FTP behind pfsense

    0 Votes
    4 Posts
    771 Views
    @johnpoz I am supporting a legacy system that custom accesses the files in code to bring down documents. The old language used does not support anything but ftp. I am rewriting it and will look at other solutions. For now, 24 remote office locations and 40 desktops, can't fool around.
    I use vsftp. Other FTP server programs will have settings that need to change just like this, you need to find them and set them on the FTP server config. I fixed it like this:
    On an Ubuntu Linux server running vsftp
    To enable passive mode, set the following configuration options in your vsftp.conf:
      pasv_enable=YES
      pasv_min_port=30000
      pasv_max_port=30099 (Any port range you want to try)
      pasv_address=(Fixed Internet facing IP address)
    Then open these ports in pfsense to the server under the NAT menu:
      Port forward 21 to the ftp server
      Port forward the same range from the settings above to the ftp server, 30000 to 30099
  • redirect external port to openvpn IP client device

    0 Votes
    14 Posts
    1k Views
    @derelict ta, I will have another play. Although I didn't make any changes in the 4G router last time I had it working, although last time it was an Asus router with 4G dongle in. This time it's Teltonika 4G router, so things could well be different. Thanks again
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.