S'il y a un site distant, il faut aussi décrire les adressages et le VPN inter-sites (sait-il faire communiquer tous les réseaux ?). Pour un site seul, normalement les réseaux internes (Lan, Wifi, Serveurs) ont un adressage privé et le firewall comme gateway, normalement un pc en vpn (accès distant) a une adresse privée et le firewall comme gateway, il n'y a donc pas lieu de faire un quelconque NAT pour atteindre toutes machines ... si il y a les règles correspondantes deans Firewall > Rules > onglet (Interface)

@Antibiotic All of the PiHoles are on VLAN42. PiHole services VLANS 2,42,100 and 129.

I'll query the ISP on what are they doing there. Doubt they'll talk... but that is a different story. Just as a quick follow up: If you pay for your own public IP to get forwarded to you, they should have no trouble setting their UBNT POP the way you want. Otherwise what's the gain in paying for something you can't successfully use all the way you want? ;)

Hey, ich habs jetzt hinbekommen, also nicht selber :/. Mein Freund hat mir geholfen und es geht jetzt. Vielen dank für die ganze Hilfe. LG Mathias

I'm having the same issue with pfBlocker and NAT rules. I have no issues adding white-list rules for my devices that are on a directly routed subnet. But trying to figure out how to handle an allow rule for an existing NAT rule is causing issues. Have you found any solution yourself as of yet?

Found a manual (meaning outside of standard config / package) and hacky workaround, would love to hear of any improvement over that :) Create a user in pfsense's User Manager, enable SSH access for that user with a password-less SSH key login (I'm aware it's risky, extra precautions below). Create a script in the home user dir, show_wan_ip.sh, containing: #!/bin/sh ifconfig mvneta0.4090 | sed -n '/.inet /{s///;s/ .*//;p;}' Edit ~user/.ssh/authorized_keys and add the following before the key: command="/home/user/show_wan_ip.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty This can be executed from the (less trusted) PC that connects to it over LAN: ssh user@10.100.1.1 "/home/user/show_wan_ip.sh" 192.168.1.10

This got me today. I can confirm the floating rule for ICMP solves the issue.

You are 100% correct sir! That was the problem indeed, thanks for pointing that out!

@silviowmelo o RDP para acessar interno, vc vai usar o IP da maquina e porta padrão.

Great! Thanks, @Rico Now its works for me

I take it these .2 are vips you have setup. What is the source of this traffic? Is it rfc1918 in your network - or public being forwarded to pfsense rfc1918 wan IP? Why do you think you want to do this? What do think it will accomplish exactly? But sure you could outbound nat into your lan from your lan vip.

@stephenw10 I have rechecked my NAT rules and it appears it was natting on the Vlan, which was causing a double NAT, which was why it was showing PFsense's Interface address! Thanks for the help anyhow

Diese Option ist gesetzt? System > Routing > Gateways > Edit Gateway > Display Advanced > Use non-local gateway -Rico

@Derelict I think i got it to work. After i set the default gateway manually to the VPN and not automatic and saw that it worked, i transfered the Flowing Rule i made for the outbound traffic to the Lan interface. With the new knowledge of your help and the help of viragomann i changed some tiny things in the firewall rule. After that i changed the default gateway back to automatic and know the outbound traffic takes the vpn and everything works. I even rebootet the firewall to get lost of the states but everything still functions as it seems. Thank you so very much for your dedication and your help.

@paul-heidenreich-0 Outbound NAT doesn't work with policy-based IPSec tunnels. You have to do the NAT inside IPSec. It should work with VTI IPSec, however. If you have already a phase 2 to for the NAT-IP or subnet at the remote side, an additional is not needed in most cases. You have always have to add the remote networdk to the "local networks", no matter if you use BINAT or outbound NAT. That's correct. But you didn't mention, that you have already done this.