• Problems with Port Forward

    2
    0 Votes
    2 Posts
    634 Views
    D

    Hi!

    Found the solution finally. Reset my firewall just to be sure.
    Found out the issue was that the default gateway was not set correctly on my client machine.

    Basically did this:
    route add default gw 10.0.1.1 eth1

    Now it seems to work!

  • 1:1 NAT issues

    11
    0 Votes
    11 Posts
    35k Views
    Derelict

    No idea man. Sounds like you're sort of marching to your own drummer..

  • Xbox Live - Strict NAT

    4
    0 Votes
    4 Posts
    2k Views
    J

    For about a year was trying to figure this out. A whole slew of port aliases, NAT rules and a bunch of reboots and retries.  In the end it was 2 of the three you indicated, but the kicker was NAT:Outbound which you mentioned and got more details from this thread

    by boxsterguy
    https://www.reddit.com/r/PFSENSE/comments/6cip47/xbox_nat_is_strict/

    Thanks for starting point…

    I deleted all the crap I did in the past, including port alias and NAT rules pointing to the xboxone.

    All I needed was the following on pfSense with the Xbox totally shut down

    1. Create a DHCP static IP for the Xbox
    2. Turn UPnP on with Default deny with one ACL: allow 53-65535 172.16.x.x/32 53-65535
    3. Firewall > NAT > Outbound > Hybrid
    4. Created a mapping: Interface WAN, Source Network/IP:32, Dest ANY, under Translation ticked Static Port and saved
    5. Turn on the Xbox One

    No rebooting of Pfsense or switches needed, which I read in other threads. No totally OPEN. Son is appreciative he can host a game.

  • Two routers, one for DHCP and one for OpenVPN Server

    3
    0 Votes
    3 Posts
    652 Views
    R

    @JKnott:

    AC3200 is acting as my main gateway, and I want to use it as DHCP server for local and VPN clients.

    VPN clients are generally assigned an address by OpenVPN.  Also, DHCP initially uses broadcasts, which are not normally routed.  This means when a VPN client issues a DHCP discover, it will not be passed to the DHCP server.  If you must use a DHCP server that's not on the local network, the usual practice is to use a relay agent.

    Thanks. I've enabled it but there's no change.

    I also removed routing from config. It now looks like this:

    push "route-gateway x.x.x.1";

  • OpenVPN and NAT newbie question

    3
    0 Votes
    3 Posts
    440 Views
    johnpoz

    Just because the switches are layer 3.. Doesn't mean you're using them as that.. If so pfsense would be on a transit network which you make no mention of..  And you state you have 5 interfaces running from pfsense to your switch..

    My guess is you have SVIs set up on your different networks but not really doing routing on the switches?  And viragomann is prob correct you didn't set up a gateway on the switches.

    So you have 2 options here.. Set up the gateway on the interface you want to hit when you come from the vpn by remote one of your pcs and accessing your switch from that pc..  Or just source nat your vpn connection so it is on whatever network you're trying to access.

    Or just leave it how it is and access the switches from one of your lan machines when you're vpn'd in.

  • MOVED: multiple wan nat for asterisk VOip

    Locked
    1
    0 Votes
    1 Posts
    323 Views
    No one has replied
  • Outbound NAT (& UPnP) problems

    5
    0 Votes
    5 Posts
    2k Views
    R

    OK, i somehow got it working. I'm not 100% sure what the problem was eventually. The changes:

    Only disabled UPnP/NAT-PMP on OPT1; so now it's only enabled on LAN and only the Nintendo Switch and the same port range allowed.
    Removed the static outbound rule for client on OPT1; so now there is only the static outbound rule for the Nintendo Switch left.
    Created a port forward NAT rule to redirect all DNS requests to pfSense resolver on the LAN (and the same for OpenDNS on OPT1).
    Redid the VLANs on my managed switch

    I'm 99.9% sure that I have the exact same VLAN config as before, but yeah, it also seems very unlikely that the problem was related to one of the other three settings, unless anyone has some other insights…

  • NAT: 1 WAN:PORT to 1 LAN:Different LAN IPs:PORT (common Port/service)

    2
    0 Votes
    2 Posts
    456 Views
    chpalmer

    In your case I'd either..

    Get a second static IP address and use 1:1 NAT on each static to each LAN address..

    Set up port forwarding in favor of 1:1 NAT and use another port for your mail service..    domain 4: webmail.example.com:88 -> 1.2.3.4 (A record) as an example..

    Move the mail server service to the webserver which is what I've done in a couple of cases.

    If you're running multiple pages on your webserver I assume you're running something like Apache with virtual hosts enabled..

  • Issue connecting to server behind firewall from outside (SOLVED!)

    13
    0 Votes
    13 Posts
    2k Views
    Derelict

    Glad you got it working.

    (Gee, ISP router/modem problem. Who'da thunk it?)

  • 2 xbox ones, COD ww2 and unable to play

    2
    0 Votes
    2 Posts
    582 Views
    KOM

    Check out the Gaming forum and see if anything there can help you.

  • Wan and Lan on same IP range for test lab

    Locked
    25
    0 Votes
    25 Posts
    2k Views
    ivor

    Locking this thread for obvious reasons. If mattie01 comes back, please send me a pm to unlock. Thanks!

  • 0 Votes
    4 Posts
    665 Views
    T

    Ok that makes a lot of sense! Thanks for teaching me something.

  • NAT behaviour with multiple NAT IPs

    1
    0 Votes
    1 Posts
    401 Views
    No one has replied
  • Address pools for NAT: What happens when the pool runs out

    9
    0 Votes
    9 Posts
    724 Views
    Derelict

    @n3mmr:

    Costs 99 dollars to see.

    Then you get the free version here: https://doc.pfsense.org/index.php/Outbound_NAT

  • Double NAT, online gaming (Blizzard) and pfSense

    2
    0 Votes
    2 Posts
    632 Views
    Derelict

    Get an IP address allocation, a layer 3 switch, and give each of your tenants a /30 (or more) and let them worry about their own firewalls.

    Kind of like a real ISP.

  • Error no nat on igb1 proto tcp from igb1 to 192.168.X.X port 80

    1
    0 Votes
    1 Posts
    294 Views
    No one has replied
  • Port Forwarding through IPSEC tunnel

    3
    0 Votes
    3 Posts
    2k Views
    K

    This is just what I was looking for…. (I think)
    The reason I want to do something like this, is WAN failover to LTE...

    We have a /26 IP range and host many services on site. The problem is with LTE we only get a single IP and it is not even static. If we have to use the LTE we will have internet access but lose any hosted services.

    I would like to get a /26 range of IPs in a cloud provider and then port forward these IPs to the local servers on site. Then these will be the permanent IPs for those services. If we have to use LTE or change ISPs we would not have to think about the IPs changing or DNS ttl or anything like that.... this will also bring our uptime closer to the cloud provider's.

    Is this a good idea, or you think there is a smarter solution?
    Would IPSec or OpenVPN be the better options for the site-2-site VPN connection?

    Thanks

  • Config NAT for Remot and FTP

    4
    0 Votes
    4 Posts
    566 Views
    johnpoz

    You pick your wan interface where that IP sits.. If its some sort of vip or something on the interface then when you do your export you can pick other and put in the VIP if not your wan interface ip, etc.


  • I think I'm having a problem with outbound Nat

    4
    0 Votes
    4 Posts
    717 Views
    Derelict

    You have to bypass policy routing for internal network prior to the policy routing rule that matches.

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

  • How to set up Vlan + VoIP Grandstream

    1
    0 Votes
    1 Posts
    481 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.