@mcury thank you, that fixed it

@twg

Where are you trying to ftp from?? Where is the client?

So this server is on say 192.168.0.100 behind pfsense.. And you out on the internet want to ftp to it..

So you forwarded 21 to your ProFTPD Server (ProFTPD) [192.168.0.122] on pfsense.. Did you forward the passive ports? You setup in proftpd to use?

Did you setup proftpd to send your correct public IP?

I connected to the IP you use to connect to the forums so I could see if ftp even answered.

For passive to work, you also have to forward the ports the server will use for its passive ports.. I can not get logged into see what it sends, If you PM me an account that would work I could see what its sending for the port, or try active where it would connect to my client.

Is your server a plesk?

https://www.plesk.com/kb/support/how-to-configure-the-passive-ports-range-for-proftpd-on-a-plesk-server-behind-a-firewall/

It defaults to a really large passive range 49152-65535 , I would for sure change that to something more like 100 ports or even just 10 if you don't have lots of clients at the same time.. Then you need to forward those ports on pfsense to I assume 192.168.0.122, without the passive ports being forwarded then no the data channel will never work when the client uses passive mode. Even if you told the client to use the IP you connected to when the server sends rfc1918 IP.

@VincentEmmanuel
The outbound NAT should not be required here. All traffic will be controlled by routes if pfSense is the default gateway in both networks.

With the static route, when the DMZ server sends a packet to 172.16.1.3, it is routed to pfSense, since that's the default gateway. pfSense forwards it to the CATO due to the static route and the CATO forward it to the destination host, since it knows the route to it (however, your graphic is missing 172.16.1.3, so I don't know, how this is set up).

Presupposed the CATO is the default gateway on 172.16.1.3, the response packet will be routed to it, and there it is forwarded to pfSense, since this is the default gateway on the CATO, as you said. pfSense has an existing state for the packet and will forward it to the DMZ server.

@pedreter it is routed through pfsense is it not?

If I look up in the internet routing.. for the IP on this server it ends up on the pfsense wan IP does it not? If the network is routed at the isp and you bridge this network to the servers.. I do not think the redirection via a port forward would work..

@depam said in Utilizing single tunnel to be routed to different gateway:

Anyway, the latency between Site B and C is quite high hence I want to route it via Site A which is faster since its already in the hosted in AWS cloud.

I don't get it. If there is high latency from B to C I'd assume, it's either on the B's upstream connection or on C's. So if you go from C > A > B > internet, I'd expect that you have at least the same high latency, since the problematic path is inevitably part of this new path.

Preferrably, go to Site A but can have the slower connection as backup via Gateway Group. I have tunnels across all sites A, B and C configured with /30 (Peer to Peer TLS) approach similar to the depracated Shared key. In addition, Site B have openvpn client connecting to an external site.

The problem you're facing with this is, if set the routes in the VPN connections with the "Remote Networks" and both VPNs are connected (A <=> B / A <=> C and B <=> C) you would have two routes between B and C. I don't know, which one is taken in this case. I guess, that one which is established at last, but not sure.
So I cannot say, that this will work as intended.

However, it should work if you desable B <=> C though.

How did you configure the gateway groups?

@viragomann That Worked!

Thanks a lot ✌

Also make sure you are not blocking multicast traffic if you are UPNP will not work.

@viragomann Thanks, I'll check the link.

@johnpoz
i already enable the non-local gateway still the gateway is offline 100% Packetloss.

@johnpoz

Yep!

I've got a headache!! But I am understanding a LOT more.

Again, thank-you!! You sir are awesome!

John

@asiawatcher
Just obey my suggestions and it should work.

@kiokoman sorry outbound rules are for all the lan yes so nas itself also

this fixed my issue for anyone else finding there way to this same issue alt text
https://www.reddit.com/r/PleX/comments/77b151/can_access_server_via_browser_but_not_apps/

@AkkerKid-0
pfSense applies only one single filter rule on incoming packets. But there is a strict order and the first which matches gets applied.
See Rule Processing Order for details.

hi @johnpoz so i ended up rebooting and started to work, very odd cant seem to find out the issue

@dmayle Self-replying here.

It looks like I should be using a VIP (Virtual IP Address) of type "Other":

Other type VIPs define additional IP addresses for use when ARP replies for the IP address are not required. The only function of adding an Other type VIP is making that address available in the NAT configuration drop-down selectors. This is convenient when the firewall has a public IP block routed to its WAN IP address, IP Alias, or a CARP VIP.

@SteveITS Correct, but this is in relation to NAT reflection, so the IP is being accessed externally.

I just didn't understand this setting until now. All it's doing is NATing the source IP to the routers IP on that interface, this way if the client tries to connect to the web server's public IP, but the web server is on the same subnet as the client, the web server itself sees the connection coming from the routers default gateway IP, this way it responds back to the router instead of trying to direct connect to the client (since they're on the same layer 2), so that the NAT reflection can NAT things back like it should.

I was trying to figure out why NOT having this setting enabled under Advanced > Firewall & NAT was still working, but that was simply because the NATing of the source was not necessary since the web server is on it's own subnet, so the web server is going to reply to the default gateway on it's subnet regardless.

As for split DNS that is exactly what I would normally do, but this is a bit more complex of an environment, but NAT reflection works perfectly in the meantime, I was just trying to be sure I fully understood the settings I was looking at.

All makes sense now though! Appreciate the replies here.