@Papa_Dragon
https://www.rfc-editor.org/rfc/rfc1918

FWIW I have also seen the occasional program that detects whether or not it's on a private IP range and changes its behavior accordingly. Or, private networks are allowed by default, public are not, etc.

@SteveITS Trying to use NAT to translate destination addresses. I have multiple connections over VPNs with colliding subnets that cannot change (and I have no control over those networks), and I need the addressing to be transparent. I want to be able to send traffic to 10.a.b.server on my side and translate it to the customersub.server as it goes out the ipsec tunnel.

OK, so it seems to be good news. Whatever is causing this bootup issue in 2.6 doesn't appear to be an issue in 2.7. There are other buggy behaviours (CARP, specifically seems to have some issues), but I would expect this as it's still in development.

My only concern now is when 2.7 is actually likely to release. It's been coming for a while now.....

@Robovic I am having the same issue

@Abelardo-A-M said in PFSENSE + IPSEC + NAT:

NAT+IPsec cannot be configured between two different sized subnets (e.g. It cannot NAT a /24 subnet to a /27 subnet).

That's true. I was expecting that the NAT subnet is used as a round robin IP pool. Maybe you want to try it out.
Otherwise you have to use a single address out of 172.19.0.0/24.

if I remove the pfSense IPs on the 172.19.0.0/24 network, how does the 172.19.0.50 server route the packets to the IPSEC networks?

If you use BINAT with a single address, maybe you can keep the subnet. Not sure.
Give it a try.

@viragomann thanks a lot it works!

@gertjan

Hello,
I was able to resolve the issue
The port traffic was OK as I was able to telnet to a website using port 80
The issue was related to Apache24 configured to localhost
I had to reimage another server and installed NGINX and set the config file details to WWW.
After doing this I am now able to connect to my serving using an external ISP.

Thank you everyone for your response!

@matt_sharpe NAT rules will automatically create a firewall rule for you unless you tell it not to when creating the rule. You should not need to add any rules on WAN unless you want your firewall to be accessible from the Internet.

I can't say I've tried forwarding all ports in a NAT rule though I don't know of a reason it won't work. I have used 1:1 NAT to do that though.

Ensure the firewall on the device on LAN allows connections from outside its local subnet.

Thank you. Now the connection works.
It was still missing the outbound NAT for Reflection.
I have to test the telephony now. ;-)

@mirak
So I would look if there is any setting needed to allow forwarding in the hypervisor.

@sirioinformatica
This is a sort of proxying and it forward certain requests to another server.

I suspect, it is forwarding the requests with the origin source IP and the destination server is responding directly to it. If you're unsure check this out with Diagnostic > Packet Capture.

If this is the case, pfSense will not pass the respond through, since it has no state for the responding server.

@deekayw0n I have not. Please feel free, or let me know if you'd like me to.

@viragomann Yes, both connections use the same path through the firewall. I can see the websites when I use the internal ip address of the respected WordPress container.

Yes, all LXC and VM are in the same subnet.

How can I tell in which mode the Nginx proxy manager is running? (I have installed the Nginx in a VM and it's running in a docker container.

@kubenaab This is your best bet but it doesn't work in 2.6

https://redmine.pfsense.org/issues/10818
https://github.com/marjohn56/udpbroadcastrelay

@tkolaski Vague guess, maybe something in the outbound NAT? 1:1 should define its own outbound NAT rules so you shouldn't need to set up anything in outbound NAT.

Could anything else on the WAN side of pfSense be using that IP?

@cyberconsultants said in block external requests via NAT — destination address "!LAN address" vs. "!This Firewall (self)":

the documentation guide says to use "!LAN address" as the destination address. any reason/s, for security or otherwise, to use or not to use "!This Firewall (self)" instead?

Not that I can think of for this purpose.

If you provide the DNS server by the pfSense DHCP it will use the interface IP with default settings. So basically no client might access any other pfSense IP, but it would be possible of course. I redirect all DNS and NTP requests on all my internal interfaces to my LAN address for instance.
But "This Firewall" should also fit for natting DNS.