• H.323 Video Conference Codec behind PFSense *Guide / Explanation*

    Pinned Locked
    3
    0 Votes
    3 Posts
    25k Views
    D
    Long story short, to use H.323 behind a pfsense firewall, one needs to enable static-port NAT. Unfortunately neither H.323 nor SIP were designed with NAT in mind, in which case one needs either an ALG (which btw is part of Linux's netfilter since many years, but apparently missing from baseline pf/FreeBSD) or a NAT device that won't rewrite ports (a solution that will work if you only have one such device). Edit: Note that SIP software has been improved in recent years, and most recent implementations can work through NAT without a need for ALG or static ports, but it's still something one has to keep in mind when troubleshooting SIP issues.
  • Port Forward Troubleshooting

    Pinned Locked
    1
    3 Votes
    1 Posts
    30k Views
    No one has replied
  • 0 Votes
    9 Posts
    194 Views
    johnpozJ
    @sho1sho1sho1 nothing in the resolver would or could do that.. You running pfblocker? Show the rule in your ruleset. There is this feed in pfblocker [image: 1755628936429-pfblocker.jpg] That sure doesn't even look like a NS ;; QUESTION SECTION: ;4.64.4.64.in-addr.arpa. IN PTR ;; ANSWER SECTION: 4.64.4.64.in-addr.arpa. 28800 IN PTR wnpgmb0273w-dr09-v924.mts.net. And it doesn't even answer dns, atleast not from me. That is a bell canada IP.. Is that who you use for ISP?
  • Setup UPnP->few quick questions? (solved)

    solved
    9
    1 Votes
    9 Posts
    274 Views
    4
    @johnpoz -Yep-that worked just fine Jonpoz. TYVM.
  • 2.8.0 NAT64 and Policy Routing

    1
    0 Votes
    1 Posts
    75 Views
    No one has replied
  • Cannot disable NAT on PFSense 2.7.2 CE

    nat cannot disable
    4
    0 Votes
    4 Posts
    166 Views
    patient0P
    @BlueSun ok, I'm generally out of my depth in regards to BGP. All I can say if you set a gateway in the interface settings (see screenshot) then pfSense creates NAT rules automatically, if outbound NAT is set to automatic or hybrid. [image: 1755188790365-screenshot-2025-08-14-at-18.25.56.png] But since you have disable outbound NAT I can't see your traffic being NAT-ted at all. Are you using the FRR packages and if yes did you have a look at pfSense Docu: BGP Example Configuraton for a start?
  • Why is there an automatic Outbound NAT for ::1/128

    4
    0 Votes
    4 Posts
    195 Views
    johnpozJ
    @IonutIT localhost is always going to be up to bind to.. but possible that my wan or say a vpn interface is not up when unbound restarts. If interface is not up can not bind to it.. So helps to make sure unbound starts and binds on interface to use to do outgoing queries.
  • Setting up Port Forwarding for Minecraft Server on pfSense

    9
    0 Votes
    9 Posts
    8k Views
    P
    Thanks for sharing the configuration details! I encountered a similar situation when opening ports for Minecraft on pfSense. In addition to the steps you did, you can try checking: Firewall Rule: Make sure the rules for WAN are applied correctly. NAT Reflection: Sometimes enabling NAT Reflection can help in internal testing. Check ISP: Some carriers block port 25565, you may need to change the port to test. pfSense Log: Check the log to determine if the request has reached the router. Does anyone in the community have any tips to help make the configuration more stable?
  • Port forwarding not working localy when i enable load balancing

    1
    0 Votes
    1 Posts
    79 Views
    No one has replied
  • Can't access port-forwarded/natted services from another local network

    5
    0 Votes
    5 Posts
    170 Views
    K
    @johnpoz I see, thanks for explaining and the help!
  • NAT broken after Reboot

    14
    0 Votes
    14 Posts
    831 Views
    P
    @iggybuddy6 I'm just happy I could help. Today I went from thinking I knew everything about setting up wg on pfSense, to realising I did not, and that is a great reward in itself! Hopefully your setup will remain stable going forward.
  • Odd outgoing issues behind pfsense router

    8
    0 Votes
    8 Posts
    336 Views
    V
    @ahole4sure Maybe the routing table brings dissociation. However, I'm not familiar with Tailscale. Don't know, what it does.
  • pfSense 2.8.0 - Routing stops intermittently after update from 2.7.2

    4
    0 Votes
    4 Posts
    412 Views
    A
    @Gertjan said in pfSense 2.8.0 - Routing stops intermittently after update from 2.7.2: [...]matches your usage case ? You have Static routes, multiple sub nets ? Yes, the remote location has its own subnet and connects via a static route to the network in the main office. The default route of the remote location is set to the router that provides internet access in the remote location.
  • 0 Votes
    1 Posts
    119 Views
    No one has replied
  • 0 Votes
    6 Posts
    344 Views
    johnpozJ
    @carrzkiss why is that? HA proxy can listen can send stuff based on the uri to different machines. something.domainX.tld goes to your IIS IP otherthing.domainX.tld goes to your linux box. etc..
  • Firewall Aliases IP Addresses with Port Forwarding

    9
    0 Votes
    9 Posts
    549 Views
    Bob.DigB
    @NVDude said in Firewall Aliases IP Addresses with Port Forwarding: By default this creates the rule with source "Any" Be default, any rule has any in it, regardless. You are able to change the source in the NAT-rule too. So everyone is wondering why you didn't do that and fiddle around with the linked rule instead. But I also did this in some cases, for better visibility, especially with different aliases which I didn't wanted to combine, so I created the same firewall-rule but with different sources three times or whatever. But for best efficiency you do it right in the NAT-rule because then the not-matching traffic doesn't get NATed in the first place, I guess.
  • Policy-based routing: directly attached interface can never be overridden

    10
    0 Votes
    10 Posts
    405 Views
    P
    @johnpoz Thank you for the clarifications I finally opted to route everything on pfsense and remove SVIs on switch. It's so much easier than to manage the ACLs on switch If I end up needing more L3 switching throughoutput on some vlans, I can always try a hybrid setup with static routes on pfsense and running the dhcp server on the switch for those vlans
  • NAT - To manage a ONT SFP+ on 192.168.11.1

    20
    0 Votes
    20 Posts
    1k Views
    B
    @AndyRH Hi, I managed to access the 192.168.11.1 Web Gui with the changes you've shared https://forum.netgate.com/topic/197766/how-to-connect-to-xgs-pon-controller/15?_=1751026822174 This access ( NAT OutBound ) to 192.168.11.1 Web Gui succeeded after i did a Power On Reset to the Netgate 4100 after making the NAT Outbound changes. It hence seems that NAT changes did not take effect after I "Save" and "Apply Changes" and only became effective after I did a Power On Reset. Also another point to note was this Web Access to 192.168.11.1. was successful when my WAN is on DHCP and without a Vlan assignment. I may have to open another thread for assistance as I need to access 192.168.11.1 with WAN on DHCP and with a VLAN for the WAN. Thanks to you, at least I have a window into the WAS-110 albeit when the WAN is not configured with a VLAN. On your temperature for the WAS-110 its 50/48/46 Celsius with ambient temperature at 30 degrees Celsius and with a cooling fan in place. Have a a good one.
  • Port forwarding to non-LAN subnet

    2
    0 Votes
    2 Posts
    247 Views
    V
    @thomaspsimon I guess, you're using a policy-based IPSec tunnel. If so this is not going to work, unless you route the whole upstream traffic from the branch over the VPN, which might not be desirable. It would be doable with any other VPN solution, however, which gives you real routing capability.
  • pfSense IPSec + Manual Outbound NAT - No Traffic via VIP

    3
    0 Votes
    3 Posts
    284 Views
    E
    Big thanks @viragomann Your BINAT insight was the missing puzzle piece, tunnel’s up, traffic’s flowing, and packets are happy. Much appreciated!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.