• I am using pfSense firewall, but...

    3
    0 Votes
    3 Posts
    552 Views
    johnpoz

    @sammartin8935 said in I am using pfSense firewall, but...:

    to protect you from viruses and other security threats, in the end you will still need a good antivirus and VPN

    Needs a VPN why exactly? Sorry, but your typical user does not need a VPN.

  • NAT on "LAN" interface

    2
    0 Votes
    2 Posts
    425 Views

    For whatever funky reason, a reboot fixed this issue. Looks like the allow any any rules were not being loaded correctly.

  • NAT via IPSec VPN

    4
    0 Votes
    4 Posts
    885 Views

    I stand corrected!😊

    ~Mat

  • Plex Server (192.168.30.8) <--> Roku (192.168.31.4)?

    5
    0 Votes
    5 Posts
    847 Views
    johnpoz

    Yeah, you should have private domain set up as well, but you also want to set your networks as LAN as above in my pic.

    I would not suggest you disable rebind protection, but setting a specific domain as private is easy:
    https://www.netgate.com/docs/pfsense/dns/dns-rebinding-protections.html


  • NAT done to VIP But SSH connection not working

    5
    0 Votes
    5 Posts
    598 Views
    Derelict

    You are probably going to have to post exactly what you want to do.

    https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html

    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

  • Outbound NAT problem on Multi WAN setup

    4
    0 Votes
    4 Posts
    562 Views
    jimp

    You do not need to disable any outbound NAT. If the traffic from the mail server leaves WAN2 (or whatever your failover WAN is called), it will not hit NAT rules on WAN, only NAT rules on WAN2.

  • NAT to DMZ

    8
    0 Votes
    8 Posts
    1k Views

    Hello Derelict,

    It is working fine now. I configured some new servers and it works like a charm.

  • Force redirection of DNS for OpenVPN traffic

    11
    0 Votes
    11 Posts
    4k Views
    Derelict

    If it were me I would want to figure out why. The server either pushes redirect-gateway def1 or it doesn't. The client either accepts and acts on it or it doesn't.

    The need to use manual push routes has all but been deprecated by the Local Networks setting in the server config itself.

    I would take a good, long look at all of the new options that have been added to the GUI config and transition to GUI widgets any custom options that are now implemented as GUI widgets.

  • Port forwarding

    3
    0 Votes
    3 Posts
    445 Views

    @viragomann I understand. Thanks.

  • Outbound NAT: Disable NAT for specific host

    5
    0 Votes
    5 Posts
    876 Views

    I don't want to make a transparent bridge and won't use the same network on both sides. So I try to add some static routes on both sides and disable the NAT functionality.

  • Can I hide/masquerade incoming IP?

    10
    0 Votes
    10 Posts
    1k Views
    Derelict

    Outbound NAT does not route traffic.

    It only determines what NAT happens to traffic flowing out that interface when it is already routed that way.

    @jusschwa said in Can I hide/masquerade incoming IP?:

    So here is what my routing table looks like on the client:

    default gateway is to 10.10.10.82 over eth1 (data interface)
    192.168.123.0/24 is over eth0 (management interface)
    10.10.10.0/24 is over eth1 (data interface)

    What is this client?

    If that is its routing table and it is routing any traffic destined for 192.168.123.254 to 10.10.10.82 it is wrong.

    Unless there is policy routing or something present outside the routing table you provided, there is no routing that way.

  • FTP behind pfsense

    4
    0 Votes
    4 Posts
    765 Views

    @johnpoz I am supporting a legacy system that custom accesses the files in code to bring down documents. The old language used does not support anything but ftp. I am rewriting it and will look at other solutions. For now, 24 remote office locations and 40 desktops, can't fool around.

    I use vsftp. Other FTP server programs will have settings that need to change just like this; you need to find them and set them on the FTP server config.

    I fixed it like this:
    On an Ubuntu Linux server running vsftp, to enable passive mode, set the following configuration options in your vsftp.conf:

    pasv_enable=YES
    pasv_min_port=30000
    # any port range you want to try
    pasv_max_port=30099
    # the server's fixed Internet-facing IP address (placeholder, fill in your own)
    pasv_address=<fixed Internet-facing IP address>

    Then open these ports in pfSense to the server under the NAT menu:
    Port forward 21 to the FTP server
    Port forward the same range from the settings above (30000 to 30099) to the FTP server

  • redirect external port to openvpn IP client device

    14
    0 Votes
    14 Posts
    1k Views

    @derelict ta, I will have another play. Although I didn't make any changes in the 4G router last time I had it working, last time it was an Asus router with a 4G dongle in. This time it's a Teltonika 4G router, so things could well be different.

    thanks again

  • Access to LDAP server on network reachable by OPT1 from LAN

    6
    0 Votes
    6 Posts
    555 Views
    Derelict

    Downstream router. 192.168.2.0/24 is behind that.

  • Port Forwarding Working, Port Translation Not

    9
    0 Votes
    9 Posts
    907 Views
    Derelict

    Screenshots.

  • NAT protocol; any way to set something other than in dropdown?

    11
    0 Votes
    11 Posts
    808 Views

    @jimp That was it. Had to allow the traffic through the firewall. Thanks for the help, I think this will get me what I need for now.

  • Configuration of NAT Reflection to access external domain not working

    14
    0 Votes
    14 Posts
    1k Views

    @derelict said in Configuration of NAT Reflection to access external domain not working:

    And the WebGUI http to https redirect is disabled? Port forwards coming into WAN override that but not for NAT-reflected connections.

    Split DNS is a more elegant solution to this problem.

    If this is what you're talking about, then no. I can change it. Let me know. I don't know that it'll have an impact since I'm only listening on 80 when I'm attempting to renew Let's Encrypt certs.

    Did you see my second post about my Split DNS configuration? TTS for Google Home doesn't work when it is configured that way.

  • Disabling nat on schedule, (Disabling rule under lan has NO effect)

    1
    0 Votes
    1 Posts
    298 Views
    No one has replied

  • Trunk SIP TCP retransmission?

    1
    0 Votes
    1 Posts
    606 Views
    No one has replied

  • Can I NAT DNS queries to an internal pihole server?

    4
    0 Votes
    4 Posts
    859 Views
    johnpoz

    You can use forwarder mode in unbound as well; they don't have to switch over to the forwarder. I would say that would make sense if he was going to be forwarding to multiple public DNS since it can query them all at the same time and use the first one to respond. But if he is just going to forward to pihole, then he can just use the resolver. But he then needs to point his pi-hole to something on the outside.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.