• need help in outbound traffic through vips from lan

    5
    0 Votes
    5 Posts
    549 Views
    Derelict

    Never set Outbound NAT from source any.

    Set it to the inside networks that actually need NAT to happen.

    I would suggest you start by enabling automatic mode and trying again unless you can state why you need manual outbound NAT.

  • 0 Votes
    6 Posts
    1k Views
    M

    @johnpoz

    My configuration in:
    System / Advanced / Firewall & NAT / Network Address Translation / NAT Reflection mode for port forwards
    is set to "NAT + Proxy"
    and when I set to "Pure NAT", I can list the ftp content from LAN

    So, it seems a solution, as it works. But as I have set Squid Proxy, perhaps it's not a good idea to set "Pure NAT"?
    Otherwise, can I create a rule which simulates the "Pure NAT" setup with "NAT + Proxy"?

  • Moving from VYOS to pfSense

    Locked
    5
    0 Votes
    5 Posts
    1k Views
    NogBadTheBad

    Never done it myself but try:-

    https://www.netgate.com/docs/pfsense/book/nat/1-1-nat.html#example-ip-address-range-1-1-configuration

  • Web Server & SSH port forward issues

    7
    0 Votes
    7 Posts
    2k Views
    W

    @kom

    The first link I glanced over before but I can now access the web server both on the WAN and LAN. I'm even able to ssh to it from LAN to OPT1. I don't remember if it was one of the videos you linked or some random third video but I didn't understand that requests get sent out on a random port. So those source ports would have never worked. Sorry for not understanding that sooner.

    Thank you for the references and your time.

  • Redirect to Wan IP

    1
    0 Votes
    1 Posts
    263 Views
    No one has replied
  • Forward Traffic from Virtual IP to target behind WAN

    7
    0 Votes
    7 Posts
    876 Views
    A

    @kom said in Forward Traffic from Virtual IP to target behind WAN:

    OK. Now what about the captures? That's the only way to really see what's happening.

    I went the easy route and ditched my previous attempts. I just created Port Forwarding Rules for the required hosts. Not elegant, but works for me.

    | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports |
    |---|---|---|---|---|---|---|---|
    | LAN | TCP/UDP | * | * | 192.168.20.2 | 1 - 65535 | 192.168.1.2 | 1 - 65535 |
    | LAN | TCP/UDP | * | * | 192.168.20.1 | 1 - 65535 | 192.168.1.1 | 1 - 65535 |

    Sorry for the delay (blame it on the holidays ☺ )

  • Adding large number of NAT policy without disturbing the existing NAT conf.

    20
    0 Votes
    20 Posts
    2k Views
    T

    @johnpoz If we create 1:1 NAT then we have to create IP alias (VIP) for each public IP, right?

  • How to configure NAT from Shell Command?

    1
    0 Votes
    1 Posts
    311 Views
    No one has replied
  • When OpenVPN is up WAN Outbound stops

    3
    0 Votes
    3 Posts
    463 Views
    C

    @derelict Oh man... I knew it was something simple. I had done this once before and completely forgot about that "Don't Pull Routes" option. Thank you so much!

  • SSH Port Forwarding from custom ports to port 22 does not work!

    3
    0 Votes
    3 Posts
    945 Views
    S

    Thanks for your response. I have double-checked all the config and the problem was that this network does not have full internet connectivity. Only ICMP and DNS work. The solution turned out to be to disable hardware checksum offloads.

    Now all works fine. We can close this case.

  • NAT Reflection, Which one to use?

    7
    0 Votes
    7 Posts
    874 Views
    V

    Okay thanks for that. I think I have the split DNS working okay and will find out tomorrow when I turn the NAT reflection off.

  • Virtual IPs Port Forwarding

    2
    0 Votes
    2 Posts
    576 Views
    Derelict

    Why do you have a VIP on WAN in the same subnet as LAN?

  • Outbound NAT Issue

    5
    0 Votes
    5 Posts
    685 Views
    Derelict

    You should not need any floating rules.

    You do need rules on LAN that pass all of the traffic coming from the downstream router. It looks like you have that as all of RFC1918. That might or might not be a problem as you add VPN connections.

    I would move them from floating to the LAN interface tab. It's much more straightforward.

  • setting default port forwarding. possible?

    3
    0 Votes
    3 Posts
    386 Views
    johnpoz

    that would be a 1:1 nat... And to be honest really never a good idea.. How many freaking ports could you ever need to see unsolicited traffic on? Normally this would only be done when the customer is behind your firewall and they run their own firewall, etc.

    If this box is under your control - just forward the ports you need to it.

  • Outbound NAT problem on OPT1 using OpenVPN

    7
    0 Votes
    7 Posts
    899 Views
    L

    Sorry, but I've been studying documentation for a couple of days till now where I'm really stuck :(

    Outbound rules:
    0_1545934794424_Zrzut ekranu 2018-12-27 o 19.17.03.png

    Port forwarding:
    0_1545934820873_Zrzut ekranu 2018-12-27 o 19.17.37.png

    and connected Firewall rule:
    0_1545934844145_Zrzut ekranu 2018-12-27 o 19.18.39.png

    Firewall passes packets:
    0_1545934893441_Zrzut ekranu 2018-12-27 o 18.26.39.png

    but blocks connections back:
    0_1545934947454_Zrzut ekranu 2018-12-27 o 18.17.22.png

    and I don't know the reason because I'm not filtering LAN to OPT1 connections:
    0_1545935068766_Zrzut ekranu 2018-12-27 o 19.23.38.png

  • NAT/Portforward VIPs block

    22
    0 Votes
    22 Posts
    2k Views
    stephenw10

    Nice. 😀

  • Faster when double nating

    2
    0 Votes
    2 Posts
    467 Views
    M

    You'll want the ISP's modem/ONT in bridge mode... not DMZ mode

  • Ipsec VPN configuration for PFsense behind the adsl modem

    4
    0 Votes
    4 Posts
    1k Views
    stephenw10

    Hard to say without logs of the failure but the most likely error there is that the end behind NAT is using the "My IP" as its local identifier but the other side expects to see the external public IP there so it fails.
    If so change the Identifier to IP and set it to the public IP. Or change both ends to use non-IP identifiers.

    Steve

  • Public IP Services Using Internal IP

    4
    0 Votes
    4 Posts
    516 Views
    johnpoz

    So when pfsense forwards (or resolves) - ie asks your internal NS say vs a domain override in unbound for something and it gets back rfc1918 then that would be a rebind.

    You can set this domain to be private, then when pfsense forwards to it, it will allow for rfc1918 to be returned. Or you could (not recommended) just turn off rebinding protection altogether.

    Here
    https://www.netgate.com/docs/pfsense/dns/dns-rebinding-protections.html

    There really should be no reason to have to nat reflect for this if your local NS return the rfc1918 address..

  • Allow connection LAN to a private network

    7
    0 Votes
    7 Posts
    534 Views
    johnpoz

    That is not showing..
    0_1545403715812_inlinepic.png

    Here I uploaded it for you..
    0_1545403753524_uploadpic.png

    Just attached your screenshots inline.. What are your LAN rules..

    Where exactly is this 10.x network somewhere out the wan? What is the network on this wan this 10.x ?? Why not show the whole address its rfc1918 for gosh sake.

    BTW what version of pfsense is that - it's sure not current...
