• some help on a NAT / Firewall rule.
    0 Votes · 5 Posts · 773 Views
    @johnpoz That's true, I also think that it can be changed. But if the vendor says it can't and the customer doesn't want to jump through hoops... I'm done. Again, thank you very much for the time. I appreciate that. Cheers, Jack.
• How to connect an Asus router to pfSense
    0 Votes · 7 Posts · 4k Views
    First, give the router a LAN IP address in the same subnet as the pfSense. Turn off DHCP on the router. Connect a cable from the LAN side of the wireless router to the pfSense interface. Do not use the Internet side of the wireless router.
• Forward packets based on source port
    0 Votes · 3 Posts · 478 Views
    @chpalmer thanks... very helpful. Traffic seems to be going through pfSense now; it seems like there is also a firewall on the PBX itself that might be the source of my issues.
• Internet secondary networks can't reach LAN servers at all
    0 Votes · 9 Posts · 1k Views
    Derelict: Honestly, it sounds like you are trying to get one router doing more than it should be asked to do. Not really that it can't do it, but there are two distinctly different purposes in play here.

    > We own the building and provide guest wireless, but we have tenants, other companies. We don't need their people seeing our LAN. However, we are an MSP, so at the same time we may have Labtech agents on their machines that need to talk to support.mycomp.com by that external. We also may have PCs in for repair on the technet that may be infected with viruses or anything else, but we still need access to our tools from the web. So yes, on the wifi I literally want it to go out the GuestWifi net, out the external WAN that is set on, and come right back in through the firewall as if it was a completely segregated network with its own firewall, but without me stuffing any more stuff in my racks.

    The router is not going to send something out to the internet when it is destined for an address on the router itself. Maybe with policy routing. But it really sounds like things might make more sense if you had a Guest/ISP/Tenant firewall and an MSP/Development/Testing firewall. All gets infinitely easier with a proper routed subnet you can use on an inside interface instead of this 1:1 + NAT reflection stuff.

    To expand on your specific example (thank you for that): when you enable NAT reflection, the NAT happens when the connection enters the GUESTWIFI interface. Then the firewall rules on that incoming interface are processed. When you connect from 172.16.2.16 to 123.234.111.226, the first thing that happens is the NAT reflection. Now you are dealing with a connection from 172.16.2.16 to 10.50.0.22 as far as the firewall rules are concerned. You are passing traffic on the GUESTWIFI interface to ! ip_TrustedNetworks. Does that traffic match the post-NAT destination? I am guessing not, as I am assuming 10.50.0.0/24 is included in the ip_TrustedNetworks alias.

    (Blocking traffic using a pass to ! rule is another issue for another day. My advice is to BLOCK/REJECT to ip_TrustedNetworks then PASS to any.) So, on GUESTWIFI, you probably want to specifically pass the connections to the REAL IP ADDRESS of the destination host, 10.50.0.22 in this case (limiting to specific ports, etc. is OK here too, such as destination TCP 25, 587, 465, 110, 143, 993, and 995 for your typical non-Microsoft mail server).
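The processing order Derelict describes, as an added example that is not part of the original post, Netgate's documentation or pfSense itself: a deliberately small model in which NAT reflection rewrites the destination when the packet enters GUESTWIFI, and only then are the interface's rules evaluated against the rewritten packet. Addresses, the alias contents and the mail ports are the thread's example values; the rule representation, first-match semantics and default deny are assumptions of this model, not pf internals.

```python
# Added example, not code from the forum post, Netgate or pfSense. Models why
# 'pass to !ip_TrustedNetworks' stops matching once NAT reflection has
# rewritten the destination to the real internal host, and how the
# block-trusted-then-pass-any layout behaves instead. The rule format,
# first-match evaluation and implicit default deny are assumptions.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, List, Tuple

# Assumed contents of the ip_TrustedNetworks alias (the post guesses 10.50.0.0/24 is in it).
TRUSTED_NETWORKS: List[IPv4Network] = [ip_network("10.50.0.0/24")]
WAN_VIP = ip_address("123.234.111.226")   # public address the guest client connects to
MAIL_SERVER = ip_address("10.50.0.22")    # real host behind the port forward
MAIL_PORTS = {25, 587, 465, 110, 143, 993, 995}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def in_trusted(addr: IPv4Address) -> bool:
    return any(addr in net for net in TRUSTED_NETWORKS)


def nat_reflect(pkt: Packet) -> Packet:
    """Step 1: the reflection rdr. A packet for the public VIP is rewritten to
    the real internal host before any filter rule on the interface sees it."""
    if pkt.dst == WAN_VIP:
        return replace(pkt, dst=MAIL_SERVER)
    return pkt


# A rule is (action, predicate over the *post-NAT* packet). Rules are checked
# in order and the first match wins (pfSense GUI rules are 'quick').
Rule = Tuple[str, Callable[[Packet], bool]]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Step 2: the ingress interface's filter rules, evaluated after nat_reflect."""
    post = nat_reflect(pkt)
    for action, matches in rules:
        if matches(post):
            return action, post
    return "block", post          # implicit default deny


def decide(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Convenience wrapper taking dotted-quad strings; returns (action, post-NAT dst)."""
    action, post = evaluate(rules, Packet(ip_address(src), ip_address(dst), dport))
    return action, str(post.dst)


# The thread's original GUESTWIFI rule: 'pass to !ip_TrustedNetworks'.
ORIGINAL_RULES: List[Rule] = [
    ("pass", lambda p: not in_trusted(p.dst)),
]

# The layout Derelict recommends: explicit pass to the real mail server on the
# mail ports, block anything else bound for trusted networks, then pass to any.
RECOMMENDED_RULES: List[Rule] = [
    ("pass", lambda p: p.dst == MAIL_SERVER and p.dport in MAIL_PORTS),
    ("block", lambda p: in_trusted(p.dst)),
    ("pass", lambda p: True),
]

if __name__ == "__main__":
    guest = "172.16.2.16"
    for label, rules in (("original", ORIGINAL_RULES), ("recommended", RECOMMENDED_RULES)):
        print(label, "guest -> public VIP:25  ", decide(rules, guest, str(WAN_VIP), 25))
        print(label, "guest -> 10.50.0.22:445 ", decide(rules, guest, str(MAIL_SERVER), 445))
        print(label, "guest -> 203.0.113.10:443", decide(rules, guest, "203.0.113.10", 443))
```

With the original rule, the guest's connection to the public VIP is rewritten to 10.50.0.22 first, the negated alias no longer matches, and the default deny drops it. With the recommended layout the same connection passes only on the mail ports, lateral attempts against anything else in 10.50.0.0/24 are blocked explicitly, and Internet-bound traffic still passes.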
• problems with outbound and private address
    0 Votes · 2 Posts · 365 Views
    johnpoz: That has something to do with your software; it has zero to do with pfSense. You cannot talk from RFC1918 to the public internet. It's not possible. Why would you have configured manual outbound? Sounds like something in your software, like in FTP when you do a passive or active connection for the data side, where the server or the client tells the other how to connect for the data channel. The server or client FTP software has to be configured correctly with the public IP address and not the device's actual RFC1918 address.
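The FTP case johnpoz describes, as an added example that is not part of the post or of pfSense: in passive mode the server's 227 reply carries the address and port for the data channel, so a server behind NAT that advertises its RFC1918 address sends the client somewhere it cannot reach. The checker below parses such replies and reports that mismatch; the reply strings are constructed for the example and reuse the thread's addresses.

```python
# Added example, not code from the forum post or pfSense. Parses FTP PASV (227)
# and EPSV (229) replies and flags a server that advertises an RFC1918 address
# for its data channel instead of the public address the client connected to.
import re
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# RFC 959 form: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 form: 229 Entering Extended Passive Mode (|||port|), which carries no address
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_rfc1918(host: str) -> bool:
    addr = ip_address(host)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (advertised_host, port) from a 227 reply, validating every field."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError(f"octet out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """Return the port from a 229 reply; the client reuses the control peer's address."""
    m = EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 229 EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {reply!r}")
    return port


def check_pasv(reply: str, control_peer: str) -> Tuple[str, int, Optional[str]]:
    """Return (host, port, problem). control_peer is the public address the client
    used for the control connection, i.e. what the server should be advertising."""
    host, port = parse_pasv(reply)
    if is_rfc1918(host):
        problem = (f"server advertised RFC1918 address {host}; configure it to "
                   f"advertise its public address ({control_peer})")
    elif host != control_peer:
        problem = f"server advertised {host} but the control connection peer is {control_peer}"
    else:
        problem = None
    return host, port, problem


if __name__ == "__main__":
    public = "123.234.111.226"
    # Constructed replies: a misconfigured server and a correct one.
    for reply in ("227 Entering Passive Mode (10,50,0,22,195,80)",
                  "227 Entering Passive Mode (123,234,111,226,195,80)"):
        print(reply, "->", check_pasv(reply, public))
    print("EPSV port:", parse_epsv("229 Entering Extended Passive Mode (|||50000|)"))
```

The fix lives in the FTP server's configuration (its external or masquerade address), exactly as the post says; pfSense cannot rewrite the address inside the 227 payload for it. Clients that use EPSV avoid the problem entirely, because the 229 reply contains only a port and the data connection goes to the same address as the control connection.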
• 1:1 binat outbound stopped working after upgrade.
    0 Votes · 4 Posts · 532 Views
    Interesting, but after the upgrade I didn't see any ARP entries on the WAN with proxy ARP; I couldn't even ping the upstream gateway. Here is from your link:

    > If a particular configuration does not work with IP alias or Proxy ARP type VIPs, try with a CARP VIP instead, or vice versa. Address or wait out the potential ARP concerns before declaring one particular type a failure, and always be on the lookout for IP conflicts.

    I didn't see any IP conflicts, but maybe the ARP table became corrupted.
• problems with Virtual IPs and port forwarding
    0 Votes · 4 Posts · 698 Views
    KOM: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
• [Solved] Forwarding port 80 with redirect to 81 opens only 81 on WAN
    0 Votes · 6 Posts · 2k Views
    @truetype I'm wandering on by here, but if you simply redirect publicip:80 to privateip:443 using NAT, that doesn't do a redirect; that would cause an error since the web browser and web server are using two different forms of communication. Let the connection to 80 work and have the web server redirect to https:// so the browser knows to talk HTTPS.
• Redirect to FQDN without port
    0 Votes · 3 Posts · 581 Views
    Derelict: If it is only that one FQDN, just set port 80 on the outside of the port forward and 8000 on the inside. [image: 1527631920342-screen-shot-2018-05-29-at-3.11.32-pm-resized.png]
• Post-routing DNAT -- Is it possible on pfSense?
    0 Votes · 1 Post · 551 Views
    No one has replied
• Hosts on the same network cannot communicate using their public IPs
    0 Votes · 4 Posts · 748 Views
    Thank you for the link. It seems that I had forgotten to set "Enable automatic outbound NAT for Reflection". After setting this, servers were able to communicate with nodes on the same VLAN.
• VLAN: 1 Managed Switch port connected to unmanaged switch
    0 Votes · 21 Posts · 3k Views
    So I got the managed switch and now I have several VLANs:
    - VL10_MGMT
    - VL20_SEC - this is where main clients will connect (mostly via WiFi) and it'll use a VPN_WAN gateway.
    - VL30_CLR - sort of a DMZ where I connected all LAN devices (FreeNAS and its jails, receiver, TV, Apple TV, etc.)
    - VL40_GUEST - WiFi network only for... guests
    - VL50_IOT - where I'll connect several IoT devices via WiFi (smart lamps, dimmers, climate, etc.)
    Makes sense?
• Multi WAN Port Forward Issue
    0 Votes · 1 Post · 382 Views
    No one has replied
• Multi-WAN and Multi-LAN Outbound NAT
    0 Votes · 4 Posts · 2k Views
    Why do you need manual NAT? You can just select the desired gateway in each LAN rule! It's under Advanced when editing a rule.
• Port forward for both LAN and WAN in one rule
    0 Votes · 3 Posts · 516 Views
    It works! Thanks anyway.
• Trunk 3 NICs to 3 NICs, no switch
    0 Votes · 5 Posts · 550 Views
    stephenw10: Yes, you can set up a LAGG between the firewall and client directly. Or between two firewalls, for that matter. Steve
• 1:1 NAT ceases to work after some time
    0 Votes · 2 Posts · 456 Views
    Hi, further information on this phenomenon: the pfSense runs virtualized on Xen hosts. After a live migration of the VM while packets are being dropped, everything works again. We have another pfSense in a completely different setup with similar problems concerning 1:1 NATed systems, running on VMware ESX. On this system my colleague implemented a cronjob which regularly re-saves the WAN interface to prevent this phenomenon ;-/ Cheers, Ulli
• No internet on OPT1
    0 Votes · 12 Posts · 8k Views
    Ok, thanks
• Using L3 switch as gateway
    0 Votes · 2 Posts · 491 Views
    Derelict: Like this: [image: pfSense-Layer-3-Switch.png]
• NAT - source and destination share IP address block
    0 Votes · 14 Posts · 1k Views
    johnpoz: Oh no, Derelict, I can see a feature request coming to add the magic "unfrack this fracked network design" checkbox. You think we could get that set up for, say, 2.6? ;) heheheheh
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.