having problems with port forwarding and nat and vpn

  • hi about a month ago i was struggling big time with vpn and my modem etc double nating
    i found my modem to be a problem even though it was in Bridge mode it was still double natting
    i got a dsl modem more then 10 yrs old no webserver on it nothing just a modem and you need to PPPOE to it..

    now what i trying to do is
    get Xbox and PS4 to work in Open Nat..
    allow other computers on network to be on the VPN or not
    plus i have a unraid server running a Windows 2016 server in VM mode to host some websites

    now if do i clean install of pfsense and set the NAT to manual and i set the xbox up for upnp and such i can get a Xbox Open Nat

    now when i setup my VPN i loose it.. even though in the DNS Resolver i set it outgoing to all.. and i set the Xbox Rule at the top of the rules so it reads before the vpn rules.. so i figure it should go directly to WAN
    but its not

    and i did Port Forwarding i set it to port 80 i set the IP of the windows server 2016 IP address in VM and i setup Dynamic DNS for the webaddress.. but its not forwarding to the computer i get page cant be found..

    so im not truly sure how to fix all these options.. so hopefully someone can tell me..
    i can display pics whatever you guys need.. i just playing around turning on and off thigns

    i did notice if i set Static Route under system/routing if i set it to the Xbox i actually lost Webgui it somehow locked me out of the gui and i thought you not able to.. reboots of computer and pfsense didn't work.. had to factory reset.. or restory to a previous setup... as i figure static route would force all internet traffic for that specific IP to the certain wan connection you wanted.. but i thinking that was just bad luck on that one

  • here some pics
    2_1534376735421_pf3.JPG 1_1534376735421_pf2.JPG 0_1534376735421_pf1.JPG

  • @comet424 The interface firewall rules (e.g. LAN and WAN) execute on a "first match" basis, so as configured they're not going to achieve what you want. For LAN, you'd want the following top-to-bottom order:

    • Anti-Lockout Rule
    • xbox bypass VPN rule
    • LAN net to any rule that sets the gateway to your VPN

    That assumes that you want all traffic to be routed through the VPN by default.

    I think your WAN firewall rules are okay, although I don't know what assigning a gateway on a WAN firewall rule is going to do . . . maybe nothing, but I don't think it can do anything useful. Do you have a corresponding port forward of port 80 to You need both a port forward and the WAN rule that you already have.

    What is I'm really not familiar with PPPoE but that rule strikes me as odd. I assume it's an IP associated with the DSL modem? If so, it's probably not ideal for your pfSense LAN net and the DSL modem to both be in

  • ok ill move the rules around.. i really just guessing as im used to Asus or Dlink router set the Port Forward and things work

    not sure what you mean "that assumes that you want all traffic not explicity excluded from the vpn…"

    and under wan i figured to try to see if Wan would send port 80 traffic to the webserver.. as i mentioned on my old dlinks id say Port forward 80 webserver ip and that was it boom done
    under port forward i have it but ill send a pic

    as for the its my xbox one ip address if you see to the right on the pics the description i wrote xbox or xbox bypass that's where i trying to force Xbox to directly goto WAN interface and not through the vpn.. cuz i think its going through the vpn but then if i can get the xbox at ip 49 to to work then id be able to turn certain computers on or off from the vpn as i don't need every computer but a group...
    as for PPPOE how that works is i don't get a DHCP on the WAN interface... i set WAN interface in pfsense to PPPOE then i give a login nand password and it gets the Internet IP address instead of the modem giving me the IP address and then Interface of WAN being with the PPOE the PFsense web interface gets a ip as example

    that's wehre i was having soo much trouble with that vpn stuff in past double nating and found a modem from Value Village that worked has no web interface no dhcp no nothing so that solved the vpn problem i was having and Xbox would go into Open nat.. but as soon as i got the vpn setup now i cant do both..
    fix one problem get another.. but its a learning experience but ya my other modem Bell says is the latest and they don't have other options but i found this old one in a value village and that fixed the major issues\

  • ok so here is the port forward page hope i did right
    and i slide the rules around is that correct 1_1534380068450_pf5.JPG 0_1534380068450_pf4.JPG

  • @comet424 Alright, this looks better. Your WAN rule for the xbox (with source of is unnecessary though and you can remove it. Your LAN rules look better, although the way they are now, nothing will be routed through the VPN. Traffic from your xbox will match the "xbox bypass vpn" rule and should successively bypass the VPN, but all other traffic will match the rule right under that one, and also bypass the VPN. If you want everything except your xbox to go through the VPN, just remove the rule directly below your "xbox bypass vpn" rule.

    Your port forward and corresponding WAN rule look good to me (actually it looks like pfSense added the WAN rule automatically when you added the port forward, which is exactly what should have happened). Can you get to port 80 on that machine from your LAN? There's nothing I see here that would be standing in the way, so I'd be inclined to move suspicion to the machine that's running the web server.

  • ah ok ill give it a try i removed couple things i seen the data going to xbox and websites going to the vpn but xbox is down least it popped up problem there side so i not sure if its working or not ill try it tommorw

    as for the webserver..
    im using Unraid server and trhem a virtual machine to run windows server 2016 and i just changed it to a Static IP of and i changed the rules in pfsense… but i notice nothing sending and receing to the webserver.. and i noticed going to test server name it goes to the pfsense router page instead

    so instead of www.example.com going to the webserver is going to the pfsense login page

  • oh forgot
    i can access the webserver if i type in on my local network.
    but if i type www.example.com i get the pfsense page. and i do have a dynamic dns setup that gives me name to my ipaddress

  • @comet424 What happens if you open a command prompt and type:
    nslookup www.example.com
    Of course, replacing www.example.com with your hostname.

    Also, what happens if you attempt to browse to your raw WAN IP instead of your hostname?

  • so the nslookup example.com i get
    Server: pfSense.localdomain

    Non-authoritative answer:
    Name: myexampe site
    Address: and my internet ip

    typing in my wan ip i get the pfsense warning page
    This site is not secure

    This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.

    then you click details and goto the webpage and pfsense page loads up..
    i realize port 80 is for the pfsense page

    and i remember for my dlink router 8080 was for the router page from internet but i guess 80 for local or so
    but its like pfsense doesn't know is it for the webserver or is it for the pfsense admin page takes the pfsense

    least that's what i thinking its doing

  • @comet424 I see it, sorry I should have seen it before. Get rid of the "mapping" for

  • which one location? i did rename it to that way it wasnt run by dhcp

    oh and on the xbox it doesnt work.. it gets internet i see the megabits send and receive in the LAN section on pfsense
    but the double nat is there and i get this other error
    Can not get a Teredo IP Address
    i quitting for the night but will tackle it tommorow
    solve one problem another arises... lol

  • @comet424 I've never had an xbox, but apparently they are rather picky about their network environment. Here are two fairly recent (2017) guides I found that may be helpful:

  • ya i have followed both of those ways before and just did it again

    if i do a clean install of pfsense.. and do either of those instructions Xbox Opens

    when i setup the VPN.. it sees i have internet.. but then i get the Teredo IP address so xbox doesn't function anymore.. so i must be missing a step

    this is the tutorial i followed for the vpn

    so maybe one of them settings is buggering up the thing
    i redid the setup and here some pics
    3_1534435489705_p4.JPG 2_1534435489705_p3.JPG 1_1534435489705_p2.JPG 0_1534435489704_p1.JPG

    so i stumped works fine before i setup the vpn but i set the vpn below the xbox bypass so it should work must be a setting just a check box that needs checking i bet

  • here is the UpnP settings i set too
    1_1534436064131_p6.JPG 0_1534436064131_p5.JPG

  • also experiencing from xbox high packet loss %22 packet loss
    and I finding computer slow and wasn't sending pics

    so frustrating it should be working

    and I disabled the upnp cuz the one article said it conflicts but still not working

  • so not having any luck
    if I reset pfsense and do 2 different ways xbox opens
    if I install vpn it fails.. I found a article on reddit I tried but didn't work for me

    below is rules I just playing with I tried going xbox ip to Wan address Wan Net didn't work, if I did destinate * or the any it showed packets going as you see but it also was sending at the vpn… its not working just sending directly to the WAN interface I so frustrated
    I do reboots of the pfsense and xbox nothing helps


  • @comet424 I don't have a theory as to why just adding the VPN client connection breaks the xbox, since your firewall rule is excluding the xbox from going through the VPN. One thing would at least be easy to try is to have a LAN firewall rule that directs all traffic whose source is NOT the xbox through the VPN. That way you don't have a firewall rule explicitly matching traffic from the xbox. However, I can't think of any way in which having a firewall rule matching traffic from the xbox would in any way cause problems. But if you want to try that, just disable all but the bottom two LAN firewall rules from your most recent screen shot. Enable the bottom "Default allow LAN to any" rule, and then edit the "NordVPN Canada LAN" rule above so that the Source is set to with the "Invert match" box checked (i.e. the source is anything EXCEPT I don't have high hopes for this, but I don't have any other ideas at the moment either.

  • ah ok ill give it a try.. as you see the first line for the xbox gets data as when i fresh its getting packets. but at the same time the vpn is getting data too.. would any of the status logs help
    its frustrating as the article on Reddit guy got it to work but when i tried didnt work so i emailed on there hoping he gets it... it has to be a check box a glitch or something
    if i ever figure it out there needs to be a sticky so it shows anyone solved this issue
    only other idea was if i had 3 nics 1 for WAN 1 VPN LAN and 1 for NonVPN Lan if that would work or possibly have same issue.. and i cant do this VLan i tried as u need a switch that can handle Vlans so that sucked..

    and i still havent solved the webserver behind the firewall either.. but i havent tried a clean install of pfsense no vpn and try port forwarding..
    so who knows thanks so far for trying to help

    guess you dont have a PS3 or PS4 as same issues with it

  • @comet424 It's expected that you would see both firewall rules (the one for your xbox and the one for your VPN) getting traffic. And the fact that the xbox rule is getting traffic would seem to indicate that it's working. So I don't know why it's not.

    For your web server, did you delete the outbound NAT rule, the one with the source of I think if you get rid of that, if should work.

    I don't have a gaming console myself. A family member has a PS3 that's on a home network I administer, also running pfSense with active VPN client tunnels. As far as I know they haven't had any issues and I didn't need to do any special configuration for the PS3 (in fact, it's not even excluded from the VPN, it's running through it I believe). So maybe the PS3 just doesn't have the same strict network requirements as the xbox?

    I found this forum post, which may be useful:

  • ah ok i figured if the xbox data is sending to the bypass vpn and the vpn that would be the double nat issue.. i figured it supposed to just goto the bypass vpn rule and not even touch the vpn rule.
    because you want traffic only on the bypass not both as that would cause the double nat would it not.. its sending data to both rules

    as for the webserver i gave up on it at the moment i changed it to a static ip of i played with wan rule and nat i if i use web broswer and type ins it works fine well least to the one website thats setup as i wanna run 5 different websites on my windows 2016 server..
    but if i type in say www.example.com www.example2.com www.example3.com it keeps just hitting the pfsense router page

    as for the xbox or ps3 ps 4 they will work in double nat.. but if you want to have voice for mulitple player so talk on the microphone and couple other things then both PS3 4 and Xbox 360 One have to be in Open Nat mode to function and ill check out the link shortly i appreciate the help..
    its too bad there are no visuals like you could see like in movies you can see oh the files are hitting the firewall oh it stopped there thats the problem.. too bad in real life we cant see well the data is moving fgrom the xbox now it stops at this spot oh this be the reason fix that and boom goes through etc lol

  • and when the VPN is off Xbox is Nat is Open. when its On it goes double nat.. so i wonder
    can you block the XBoxs IP on the VPN? but not block it on the rest of the network

    as i playing around this block and reject i seen under the rules but not sure if thats all you have to do

  • when i play with the block i have in pic below i get packet loss's but i keep trying
    im just trial and erroring things now
    as i figure i want to Only allow xbox to access WAN but block access to VPN0_1534549377187_pp.JPG

  • I think i solved it .. from what you were saying and the helping and the how the rules go
    and then you mentioned thats normal goes to wan and also the vpn that got me thinking i need to block it
    it seems to be working i have VPN for my computer and bypass for the xbox and its open.. ill test more tommorow and get back to you but this is what i did seems to do the trick

Log in to reply