Help needed for pfSense NAT settings (relay issue)

Hello everyone,
My clients relay, but I can’t determine which one does and how to resolve it.

1st Client: this is a VM, Windows, behind pfSense fw.
2nd Client: Another VM at another location, Windows, and behind another pfSense fw.
No double-NAT.

zerotier-cli info
says “online”, no clue of tunneling.

my.zerotier central
IP address is visible there, for both devices.

zerotier-cli peers
Each VM sees the other one as leaf, and as relay.
I can't really determine which one does.

I am not sure I did the correct NAT settings in pfSense; I actually got rather confused after reading too much.

Normally, what I do is:
Firewall>NAT>Port Forward>add
Interface:WAN
Protocol: UDP
Source: Any
Destination: WAN Address
Destination Port Range: 9993-9993
Redirect Target IP: …lan ip of the device…
Redirect Target Port: 9993

But I have seen some posts saying that a 1:1 or Outbound rule must be set. Can anyone please tell me the parameters for a working configuration? Then I will try to understand which one relays or why.

thanks in advance for your comments,

Hmmm - I have a number of machines behind pfSense firewalls without any additional configuration that show up as DIRECT connections rather than relays. Others are behind routers with UPnP enabled and I can see that they have properly configured dynamic NAT automatically.

The only thing I can think of is that your ISP is running CG-NAT so there is an additional layer of NAT that is invisible at your layer.

Thanks @erik for the idea. I have been using it that way for many years. It just started a few days ago. So what you just said might be true; I will check if they decided to use an LSN etc.
On the other hand, I cannot determine which device is relaying. I am now looking for a way to test the ports.
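
One way to run the CG-NAT/LSN check discussed above, as an added example that is not part of any post in this thread: compare the address on the pfSense WAN interface with the address an outside host sees for the connection. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT (CG-NAT / LSN).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another router NATs upstream.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip):
    """Return 'cgnat', 'private' or 'public' for the firewall's WAN address."""
    ip = ipaddress.ip_address(wan_ip)
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in RFC1918_NETS):
        return "private"
    return "public"


def upstream_nat_suspected(wan_ip, observed_ip):
    """Compare the WAN address with the address an outside host sees.

    Returns (suspected, reason).
    """
    kind = classify_wan(wan_ip)
    if kind == "cgnat":
        return True, "WAN address is in 100.64.0.0/10 (RFC 6598 shared space)"
    if kind == "private":
        return True, "WAN address is RFC 1918 private"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_ip):
        return True, "WAN address differs from the externally observed address"
    return False, "WAN address is public and matches the observed address"


if __name__ == "__main__":
    # Constructed sample pairs (documentation ranges), not from the thread.
    samples = [("100.72.14.9", "203.0.113.40"),
               ("192.168.1.2", "203.0.113.40"),
               ("198.51.100.7", "203.0.113.40"),
               ("203.0.113.40", "203.0.113.40")]
    for wan, seen in samples:
        print(wan, seen, upstream_nat_suspected(wan, seen))
```

If the check reports an upstream NAT, a UDP 9993 port forward on pfSense alone will not receive unsolicited inbound traffic, because the ISP's NAT sits in front of it.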
