You can use forwarder mode in unbound as well, they don't have to switch over to forwarder.. I would say that would make sense if he was going to be forwarding to multiple pubic dns since it can query them all at the same time and use the first one to respond. But if he is just going to forward to pihole, then can just use resolver. But he then needs to point his pi-hole to something on the outside.

We got this to work with 2 of these devices on the same property.. If I remember right we made them a static port entry in "outbound NAT"..

But I know I also made inbound firewall rules from the server they connect to, to the LAN address of the devices.

I Can't enter static routes to the Fritz.box for the othler netwoks that thing doesn't allow this.

Will it do multiple "Phase 2" networks or is that what you are saying it does not allow?

The other side will have to be able to do something so the pfSense side will know what network they are trying to make a connection to.

You cannot do IPsec NAT using Outbound NAT. The NAT goes in the IPsec Phase 2 definition.

To get outbound traffic from a server using 1:1 NAT, we use Manual Outbound NAT.

There will be a default mapping for "192.168.1.1/24" which is for any PC on the LAN, with its NAT address set to "WAN Address."

Above that one, add a row for 192.168.1.100/32 with a NAT address of the .42 public IP for this server. This will force outbound traffic, from that server only, to use the .42 address.

Glad to here it's working now.

They way you have it now you will have to connect to the web gui on https://wan.address:9443/ (If you have the proper firewall rules on WAN. I will not belabor the point that it is a bad idea to have that open from any address.)

That will be completely unrelated to any http traffic on any interface on port 80.

If your WAN rules pass traffic source address any source port any dest address 192.168.1.3 dest port 80 (which is the default for a port forward rule if you do not change the rule creation and linking selection at the bottom of the port forward definition), traffic to WAN Address:80 will be forwarded to 192.168.1.3:80.

If that is not working, you need to see why that web server is not answering.

As @johnpoz said, the checklist of things to look at is here:

https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

If your GM wants this stuff to work he should:

Get you something instead of some cockamamie double-NAT setup. Insist you use a VPN since it is the correct choice.

Else we will need to see the upstream configuration of the ISP router and probably the port forward that works and the one that doesn't.

PFSense didn't interfere any connection.

How do you know it's pfSense interfering and not something else that's still wrong?

sorry I don't get updates when people reply
but how it goes is dsl modem gets there ip address.. its also a dhcp server.. then goes directly to my pfsense that gets the ip address 192.168.2.1 and then I distribute internet in its own dhcp 192.168.0.x

I got it to work from that video but I now have issues trying to get OpenVPN to work for trying the trial NordVPN and my own remote access VPN as I posted 2 topics in the OpenVPN section

@johnpoz said in How to set proper NAT 1:1:

@sipriuspt said in How to set proper NAT 1:1:

this was made to be a plug&play for home networks

Then your kind of out of luck.. Other then putting the devices on the same layer 2.

You sure you can not just in the finder from your mac connect to afp://ipaddress of capsule?

I totally forgot that, after a sucessfull afp login, it would happear as new location to add in time machine.

0_1531497170508_Screenshot_13.jpg

Sorry for the offtopic!

By obtaining the range of ports that the FTP server actually requires for the passive transfers and only forwarding those.

What are your WAN rules? You don't have incoming video so that's more important to see than your LAN rules (that's outbound).

You don't use SIP calling, do you? Only IP based H.232 and what else exactly?

Have you seen this guide:
http://itadminguide.com/cisco-telepresence-firewall-ports-to-open/

and this foot note:
Important note: If the other party uses MXP series TelePresence, then the ports differ, for example RTP media ports for MXP series are UDP 46000-49000 and not 2326-2485. So you need to know about the other party equipment to open the required ports in the firewall.

BTW: which codec is used on the other side?

And the IP 85.129.117.125 isn't appearing in this log.

I wouldn't advise opening up SMB to the internet.

OK, sorry. I should probably be a bit more polite. After all you are an older guy. While I'm a young buck at 52! 😝

@Derelict hinted at it but I'll reinforce what he said and state it directly:

DO NOT PORT FORWARD TO A DVR

Unless you want someone on shodan watching your cameras for you, setup and use a VPN to reach your DVR and do not expose it directly to the Internet.

The security on those types of embedded systems is notoriously awful. The networking stacks are weak, and the UI is probably full of holes.