Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
You’re right, there is a problem with the firewall (pf sense) but I don’t know what because the configuration is ok. Port 80 is open from inside the DMZ Subnet (checked with telnet open IP:80 and http is working but not from public net) I will check it and come back. Thanks.
There was a bug in PfSense, the GUI shows a correct NAT setup but in the kernel filter only the dest nat rule was set, the correspondentin forwarding rule to port 80 was missing. After update pfsense to the last stable and re setup the rule, the dry-run was successful.
thanks jürgen for your hint and best regards,