• NAT Lan IP to WAN IP

    2 posts, 556 views. Last reply:

    dig only resolves myip.opendns.com by using resolver1.opendns.com. And the associated IP is obviously 175.175.175.1.
    If you want your web server 2 to use another external IP you have to set it up in the DNS, assign this IP to your WAN interface and configure 1:1 NAT. However, the 1:1 only affects outbound connections.

  • FreeNAS jail behind pfSense NAT - do NOT specify a MAC address

    3 posts, 1k views. Last reply:

    Jails don't have their own network adapters that could be identified in DHCP by MAC addresses; they are just chroot-type environments that use the host's network stack for connectivity. To give a jail an IP address you usually set up an IP alias on the host's network adapter and then assign that IP address to the jail in the jail configuration.

  • PfSense responding to 192.168.1.1 after I changed the subnet

    12 posts, 2k views. Last reply by johnpoz:

    If the ports are not on a different Layer 2 network, then broadcast traffic that is on your LAN could be seen on your WAN, and vice versa. Depending on what that ISP device is doing, it could be possible for internet traffic to have access to your LAN, since you in essence connect your LAN to the WAN (internet), bypassing the firewall. Now hopefully the ISP device is firewalling etc. But if you, for example, set up a DMZ host by accident on the ISP router, it could forward internet traffic into your LAN, bypassing your pfSense firewall.

  • No routing after disabling NAT in outbound

    2 posts, 353 views. Last reply by Derelict:

    Re-enable NAT?

    You either require NAT for your network to function or you don't.

    You are going to have to provide a lot more information as to the networks you are actually trying to route for anyone to help you.

  • Problem with NAT Reflection

    3 posts, 1k views. Last reply:

    Hello and thanks for the reply,

    Unfortunately it is a customer request. We explained to him that he can't use the private IP, but for some reason that we don't know he wants to use the public IP.

    Fortunately, for some reason, after we rebooted pfSense the NAT reflection works perfectly!

  • 4 posts, 2k views. Last reply:

    The filter rules are there to allow the traffic to enter pfSense and be forwarded to the destination address of the NAT. Without the filter rules all traffic that was supposed to be port forwarded would not be allowed at all.

    This basic pattern does not change if you use pfBlockerNG or whatever else creates the rules: the NAT rules set up the address rewriting (only!) and the filter rules control who can make connections from the outside to the forwarded port(s).
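    The two-rule pattern the reply describes, written out as pf rules. This is an added example, not text from the post and not pfSense's generated ruleset; the interface name em0 and the addresses 203.0.113.10, 192.168.1.20 and 198.51.100.0/24 are assumed placeholders. The associated filter rule that pfSense creates for a port forward matches source any; the narrowed source here shows where the "who can connect" decision the reply talks about actually lives.

```pf
# Added example (not from the original post). Assumed names and addresses:
#   em0            = WAN interface, public address 203.0.113.10
#   192.168.1.20   = web server on the LAN
#   198.51.100.0/24 = the only network allowed to reach the forward
wan_if    = "em0"
web_srv   = "192.168.1.20"
admin_net = "198.51.100.0/24"

# Translation section. The rdr rule only rewrites the destination address
# and port; on its own it lets nothing in. (pf requires translation rules
# to appear before filter rules.)
rdr on $wan_if inet proto tcp from any to 203.0.113.10 port 443 -> $web_srv port 443

# Filter section. Without a matching pass rule the translated packets are
# dropped here, which is the "forward exists but nothing gets through"
# situation from the thread.
block in on $wan_if

# Filter rules are evaluated after rdr translation, so the pass rule matches
# the translated destination ($web_srv), not the public address. Its source
# is what controls who may use the forward.
pass in quick on $wan_if inet proto tcp from $admin_net to $web_srv port 443 flags S/SA keep state
```

    Dropping the pass rule (or changing its source to a network that does not include the client) reproduces the symptom of a forward that "does not work" even though the NAT entry is present, which is the first thing to check before touching the NAT rule itself.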

  • Where can I find net.link.ether.inet.allow_multicast

    6 posts, 2k views. Last reply by Derelict:

    You probably want the FreeBSD docs for that.

    Starting point: https://www.freebsd.org/cgi/man.cgi?query=sysctl&apropos=0&sektion=0&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html

  • VPN Site 2 Site IP Mask

    3 posts, 553 views. Last reply by johnpoz:

    Why not just set the application to allow the IP from your remote site?

    As to changing a connection from 192.168.2 to look like it's on 192.168.217, this would be a source NAT.

    On the outbound NAT just pick the interface this 217 network is connected to and configure your requirements.

    So I am currently VPN'd in to my home network using OpenVPN; my client is 10.0.8.100 (tunnel network).

    So I create an outbound NAT on the LAN interface (192.168.9.0/24) that says source 10.0.8.0/24 with dest of 192.168.9.100, NAT that to the address of the pfSense LAN interface 192.168.9.253.

    So before I create that NAT I RDP to the box at 192.168.9.100, and you see from netstat on that box the connection is from 10.0.8.100. I then create the outbound NAT, and when I RDP again to this 192.168.9.100 box it sees the connection as coming from 192.168.9.253.

    edit: Derelict beat me to it - but I added pretty pictures ;)

    [attachment: sourcenat.png]
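    The outbound NAT from johnpoz's walkthrough, as pf expresses it. This is an added example, not part of the original post; the interface name em1 is an assumption, the addresses are the ones the post uses.

```pf
# Added example (not from the original post). Assumed: em1 is the LAN
# interface carrying 192.168.9.0/24. Addresses are taken from the post.
lan_if     = "em1"
tunnel_net = "10.0.8.0/24"     # OpenVPN tunnel network
target     = "192.168.9.100"   # the RDP host
lan_addr   = "192.168.9.253"   # pfSense LAN interface address

# Source NAT, scoped as narrowly as the post describes: only traffic from the
# tunnel network to the one target host is rewritten. Everything else leaving
# the LAN interface keeps its real source address, so other hosts' logs still
# show the actual VPN client.
nat on $lan_if inet from $tunnel_net to $target -> $lan_addr
```

    Check it the way the post does: netstat on the target shows 192.168.9.253 after the rule is in place, and `pfctl -ss` on pfSense lists the state with both the translated and the original source. The cost is the one the thread's first sentence points at: the target now sees every VPN user as the firewall's address, so if the application keeps per-client logs or lockouts, allowing the remote range on the application preserves attribution and this rule should be the fallback.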

  • Port forwarding in double NAT situation

    10 posts, 3k views. Last reply by johnpoz:

    @nycfly:

    I believe it should show as open once it's forwarded regardless of whether something is listening or not.

    No, how can something show as open if nothing is there to answer the SYN? If you forward ports to something that is not listening it will show closed. You can show yourself this by just forwarding something, and then turning that something off and leaving the forward.

    So here I forward 80 to my 192.168.9.100 box. I forward 80, but nothing is listening - fail. I then fire up hfs so it's listening on 80 - success. I then turn hfs off so it's not listening - back to fail, even though the port forward is there.

    Depending, you might get an actual reject from your client saying hey, nothing here on that port, or it might just drop it quietly, depending on the OS you're sending the traffic to and its configuration. You notice I got an actual connection refused on my test, because one was sent.

    See the sniff, 2nd pic, where 80 came in and it sent back RST. It is normally better to just quietly drop, but this is a Windows machine and I'm not sure where to set that - looking into it now ;)

    edit: OK so now there is no RST sent (3rd pic), because I turned on the host firewall and 80 is not allowed, so the firewall prevents the RST from being sent. But you can see my host got the packets, just not answered with RST since nothing is listening. Whether you get an RST or not when sent to a non-listening port would come down to what OS you're sending to, if there is a firewall, etc., OS settings. But just the act of opening a port on pfSense to something that is not listening on that port is not going to show it open, that is for sure. For it to show open it would have to get a SYN,ACK to its SYN.

    [attachments: listen.png, RST.png, norst.png]

  • NAT congesting

    3 posts, 572 views. Last reply:

    I did some manpage reading and debugging. The culprit was Snort. Once I uninstalled Snort, everything started to work just fine. So I guess I misconfigured that.

    Yeah, well LACP might be a little non-home setup but it's my hobby toy :-)

  • NAT between two site-to-site IPsecs

    1 post, 379 views. No one has replied.

  • Redirecting Traffic from an Internal IP through PFSense to another subnet

    5 posts, 2k views. Last reply by johnpoz:

    Ah - great point. Did not think of that! That is a great idea!

    Just need to make sure the printer can talk back to the 10.20/16 network - or you would also need to source nat it to be on the printer segment.

    I hope part of this project is to also use a more realistic network size - /16 is freaking HUGE!!

  • NAT 1:1, openVPN client <–> VLAN ?

    2 posts, 622 views. Last reply:

    No one really?

  • MOVED: Squid Reverse Proxy and LetsEncrypt - Help a noob out?

    Locked. 1 post, 607 views. No one has replied.

  • NAT between two pfsense routers

    8 posts, 1k views. Last reply by johnpoz:

    Well yeah ;) heheheh

    So you're all sorted? Any more questions? Some applause and thank-yous don't hurt my feelings. I have some dipshit smiting me every time they log in ;)

  • ** Does not go online LAN pfSense **

    3 posts, 616 views. Last reply:

    Best regards

    Viragomann, I managed to get out to the internet, thank you very much. I needed to create the rules.

  • Port Forwarding on non-default gateway

    3 posts, 1k views. Last reply by johnpoz:

    If your server on OPT is using a VPN, then you would have to forward the traffic down through your VPN to get to the server.

  • Outbound Natting Through DMZ Address

    8 posts, 900 views. Last reply by Derelict:

    As I understand it, he needs this:

    Localnet: 10.10.0.0/27 (DMZ network)
    NAT/BINAT: None
    Remotenet: 10.11.0.0/16

    That is working fine.

    Then, in addition to that:

    Localnet: 10.9.0.119/32 (A host on the local LAN network)
    NAT/BINAT: 10.10.0.10/32 (An address from the DMZ subnet)
    Remotenet: 10.11.0.0/16

    So there are overlapping Phase 2 networks that need to be created. The other side sees CHILD_SAs created from both:

    10.10.0.10/32 === 10.11.0.0/16
    10.10.0.0/27  === 10.11.0.0/16

    Both SAs must be created on the pfSense side or the traffic from 10.9.0.19/32 to 10.11.0.0/16 will never be interesting to IPsec.

    I cannot see that ever working reliably.

  • Can't access two different LANs

    2 posts, 447 views. Last reply by Derelict:

    General things:

    Firewall rules on the LAN1 interface don't allow it, but by default they do.

    A local, "software" firewall on the LAN2 host itself does not permit traffic from other than its local subnet. If you can ping the LAN2 interface address on pfSense from LAN1 but not a host on LAN2, check that.

  • NAT not working on pfSense 2440

    1 post, 433 views. No one has replied.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.