• Can't access myself from WAN, but internet works

    0 Votes | 11 Posts | 1k Views | GertjanG

    @Djkáťo

    The one and only question that answers your question while answering me: do you have a working Internet connection?
    If yes, then nearly all is fine, and you can stop looking, as you've already mentioned what your current situation is: it doesn't break your internet access if your WAN IP is an RFC1918.
    But you can probably forget about NATting so you can make internal (on the pfSense LANs) devices accessible from the Internet, as you have no access to the ISP equipment to do so.

    If your "TP-Link Archer VR300" is truly working as a modem, it's just converting POTS VDSL signals to "Ethernet" signals and it doesn't do routing, firewalling etc. It's not the "TP-Link Archer VR300" that has a WAN, and a DHCP server that gives you the "10.101.37.22" pfSense WAN IP: this "10.101.37.22" comes from way up, somewhere from the ISP.

    Why do they do so? There is the classic $$$ rule: they have no more free routable IPs left, as the IPv4 free available stock was sold out many years ago, and what's left has a huge price tag. It's seen before; you want a real routable IPv4? You $$$ or €€€.

  • 0 Votes | 2 Posts | 507 Views

    I have noticed that the Unifi Controller software has become increasingly dependent on background links "phoning home". Last time I ran a local traffic audit I found packets from the controller to multiple mystery sites. After adding firewall rules to block the traffic, I found I could no longer adopt new devices.

    Maybe check the current documentation for your controller version for required TCP and UDP ports.

    cheers

  • Failing to get 1:1 NAT working

    0 Votes | 8 Posts | 460 Views

    @NickJH
    This would require options to state external and internal ports and the proper rule association for each.
    A bit complicated, and it's not what NAT 1:1 is meant for.

    The sense of 1:1 is to map an external IP to an internal one and also the other way round.
    While port forwarding is meant to do what its name implies. And if you forward a port to an internal IP you usually also want to pass this certain traffic.

  • Issue to manage pfsense from internet

    0 Votes | 19 Posts | 1k Views | GertjanG

    @rjcab said in Issue to manage pfsense from internet:

    It accepts when I do it from LAN but not from WAN, whereas traffic seems to come in :-)

    And that's a pretty good default security setting.
    But you've decided to admin this device also from 'the internet'.

    I'm pretty sure the device has settings, so it's time to inform the device it should also accept connection from the Internet.
    Exactly like "MS RDP".

  • NAT Reflection Issue for a VM running on TrueNAS

    0 Votes | 32 Posts | 3k Views

    @Gblenn Great suggestion! That is my plan. I originally spun up the Windows box because I was familiar with the ARK Server Manager software. However, I've been reading up on Pterodactyl and Wings, which can be run on a Debian platform. It looks interesting and has the added advantage of being able to host multiple self-hosted game servers.

  • NPt will not route any traffic

    0 Votes | 2 Posts | 300 Views

    Anybody?

  • Static route

    0 Votes | 1 Post | 219 Views | No one has replied
  • [solved] Is double NAT bad if pfSense should not be the first router?

    0 Votes | 13 Posts | 1k Views | Bob.DigB

    @johnpoz I ditched that buggy interface in the first pfSense, even the whole vlan, and built a truly new one and it is working just fine. Sometimes pfSense can get messy. 😢

  • outbound NAT on IPSec

    0 Votes | 2 Posts | 351 Views

    @kloy
    You can do NAT 1:1 in IPSec to masquerade a whole subnet with another one. But this has to be done within the IPSec phase, and you will have to translate both sites to get bidirectional communication.
    Other NAT rules on pfSense don't work with IPSec.

    For instance, both have the same LAN, which should be able to connect to each other:
    site 1: 172.16.0.0/24
    site 2: 172.16.0.0/24

    So you configure the phase 2:
    site 1:
    local: 172.16.0.0/24
    NAT/BINAT translation: 172.16.1.0/24
    remote: 172.16.2.0/24

    site 2:
    local: 172.16.0.0/24
    NAT/BINAT translation: 172.16.2.0/24
    remote: 172.16.1.0/24

    Then site 2 has to use 172.16.1.0/24 to access site 1, i.e. to access 172.16.0.10 on 1 from 2 use 172.16.1.10.
    And site 1 has to use 172.16.2.0/24 to connect to 2.

    You can also NAT to a single IP by selecting address for the type at NAT/BINAT translation, but this works for outbound connections only. There would be no possibility to access any IP from the remote site then.

  • 0 Votes | 17 Posts | 716 Views

    Just wanted to let you all know that we've made a workaround, since it was urgent and could not easily be solved. Thanks for your help!

  • 1:1 NAT - Potential DNS Rebind attack detected

    0 Votes | 1 Post | 248 Views | No one has replied
  • 0 Votes | 15 Posts | 1k Views

    @Swami_ did you remove the conflicting port forwards? (Try one at a time)

  • Multiple External IP NAT

    0 Votes | 3 Posts | 351 Views

    @viragomann that’s fixed it straight away thank you so much.

  • Block internet for one IP

    0 Votes | 6 Posts | 662 Views

    @SteveITS said in Block internet for one IP:

    @pfsense57352 An add on to what John said: https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

    Thank you!

    I've started my journey with pfsense yesterday, so I'm brand new with this router/firewall. But I already like it much better than mikrotik.

  • Regarding Pfsense WAN LAN access problem!

    0 Votes | 1 Post | 211 Views | No one has replied
  • Strange NAT results double NAT and UPnP

    0 Votes | 3 Posts | 522 Views

    @johnpoz Well, it's not really about what I was thinking it would do, it's what actually happened...

    I am able to get Open NAT on most games with a NAT and a FW rule in Sophos for port 3074 UDP. But there seems to be no way to make MW2 even get to Moderate NAT. Yet, with UPnP in between the game and Sophos, or pfsense in the past, it just works...

    Now, if I could get this to work with the right rules, I could potentially turn off UPnP in pfsense (my main firewall) and feel a little bit more secure, right?
    Why this even popped up was because I just managed to get a second IP from my ISP which made playing around with different firewalls and configs a lot more convenient. And most importantly I can do it without disturbing the peace at home...

    Anyway, many, or most, games require you to open some ports in the router in order to be able to do certain things. Just playing a game on a public server may not be an issue, even when the game reports Strict NAT. The game, as does every application, will reach out using whatever port it is designed to use and find e.g. Demonware servers to get the list of active servers to play on.

    But if you want to host a game, to play with your friends, you have to have at least Moderate NAT. And Open NAT is desired since also those with Strict will be able to access your server then.

    So for most or all other games that are being played in our home, it's as simple as looking up what ports to forward, and add the rules, and you typically get Open NAT.
    Which is what I wrote in reference to opening port 3074 on Sophos, to get Open NAT on the other games, when behind the second router. And this works fine also when directly connected to Sophos.

    For most games this is enough:
    internet -- (wan) Nat rule Port 3074 Router 1 (lan) ---- (wan) Nat router 2 (UpnP) (lan) ---- PC

    But the game in question is using ports in a strange way, and I can't figure out what's going on. Even if you open all the ports that are listed for that game, you still get Strict NAT. And if you ONLY use UPnP, all that shows up in pfsense Status page are Ports 28960 and 28961. So these have been requested as port forwards although both show internal port 28960 (which is the port listed to be opened if playing on one PC).
    Like I also mentioned, to get this to work in earlier versions of pfsense, before some updates in UPnP, you had to use Hybrid Outbound NAT and make sure to set Static Port in the Translation section. I'm thinking there is some clue here as to what is going on?

    And when I now have placed a second router with UPnP in between, it is handling this "translation" in the way the game likes it. Whilst on the uplink side, it is "playing nice and pure" in terms of which port(s) it is using to reach the internet.

    I think I need to do some pcap to see what is going on in the different scenarios.

  • Access to my Exchange Server from WAN with Pfsense

    0 Votes | 4 Posts | 539 Views

    @Mahadir Ok, well the fact that you use the machine for many other things does not exclude the possibility to replace the ISP router with pfsense. I am myself running pfsense on Proxmox and that same machine is running several other VM's.
    The reason you may not want that is either that it is located too far away to make the physical connection to the WAN. Or that you do a lot of restarting of the Proxmox machine which would interrupt your internet connection for all... But typically you do not have to restart Proxmox at all, except when changing HW for example.

    It's best if you can assign dedicated ports for pfsense WAN and LAN, and use any other ports on the Proxmox machine for the other VM's and the management interface. I'm guessing you have 3 or more ports in that machine?
    And preferably you pass those two ports through (IOMMU) to pfsense, which means that Proxmox cannot see them or use them for anything, and pfsense has full ownership of them. If not, just make sure you only assign for example vmbr3 and 4 to pfsense and vmbr0, 1 and 2 can be used for other VM's, or however many ports you have.

    When it comes to DMZ, that has to be done towards a specified target machine which means you want to give pfsense a fixed IP. In pfsense you keep the WAN interface config type as DHCP. And you decide for an IP and set that in the SFR router. If you disable and then enable the WAN interface, it will pick up the new address from the SFR router. But you can never get your public IP on the LAN side of their router unless it has Bridge Mode.
    So once you see the correct IP in pfsense interface, you can go to the DMZ settings in the SFR router and apply that to the IP that pfsense has. Now all ports are opened towards pfsense and you should be able to access your exchange server from the internet, as long as you have done the port forwarding (Firewall > NAT) in pfsense.

  • VLAN Not working / No Internet

    0 Votes | 10 Posts | 645 Views

    @uberlousanis Yes, so far it's working with static IPs.

  • NAT not working to a specific IP/Port

    0 Votes | 9 Posts | 726 Views

    @hugoeyng
    Obey @johnpoz's suggestion and sniff the traffic using Diagnostic > Packet Capture on pfSense.

    Select the INFIX interface and state 25001 at the port filter. Start the capture and then try to check the port with canyouseeme or alike from outside.

    If there are no packets, something is wrong in front of pfSense.
    If you see incoming packets, but no responses, go to the internal interface, where the destination server is connected to.

  • Domain Controller behind pfsense NAT

    0 Votes | 14 Posts | 1k Views

    @William-Bento-Rodrigues Forwarding port 53 would provide DNS, but the workstation would need to know to use that WAN IP…probably a domain override on the upstream router. But then AD DNS would respond with the DNS Server IP. Lots of monkeying around with that I’d think.

    If you get it to work you’ll presumably need other ports too for instance SMB to pick up netlogon/group policy. Not sure exactly which are needed for the “join” part.

    Setting up static routes to the server subnet without NAT seems easier…?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.