NAT

• B

  H.323 Video Conference Codec behind PFSense *Guide / Explanation*
  • BitXer0  

  3
  0
  Votes
  3
  Posts
  18631
  Views

  D

  Long story short, to use H.323 behind a pfsense firewall, one needs to enable static-port NAT. Unfortunately neither H.323 nor SIP were designed with NAT in mind, in which case one needs either an ALG (which btw is part of Linux's netfilter since many years, but apparently missing from baseline pf/FreeBSD) or a NAT device that won't rewrite ports (a solution that will work if you only have one such device). Edit: Note that SIP software has been improved in recent years, and most recent implementations can work through NAT without a need for ALG or static ports, but it's still something one has to keep in mind when troubleshooting SIP issues.
• C

  Port Forward Troubleshooting
  • cmb  

  1
  0
  Votes
  1
  Posts
  25428
  Views

  No one has replied

• B

  Using pfBlockerNG Alias as source for NAT rule
  • bradyrf  

  6
  0
  Votes
  6
  Posts
  25
  Views

  B

  Thank you kind sir. I appreciate the advice. B
• J

  Losing connection to remote desktop
  • jonb2  

  3
  0
  Votes
  3
  Posts
  22
  Views

  J

  I downloaded a different VPN client after spending far too long trying to solve this and it seems to be working fine. It is just bad timing that it started happening with the change in firewall, a spurious correlation. Everything was configured correctly and happening on multiple machines and different users.
• A

  Check my port forward rule please
  • AR15USR  

  5
  0
  Votes
  5
  Posts
  41
  Views

  A

  Okay made the change to the 'dest'. Thanks for the help fellas..
• W

  Fort Forwarding SMTP - One wan works the other does not
  • Wurstsemmel  

  4
  0
  Votes
  4
  Posts
  47
  Views

  

  @wurstsemmel said in Fort Forwarding SMTP - One wan works the other does not: Sorry for reposting. If I set the corresponding gateway in the wan interface configuration, everything works as expected. I am confused, as the guides for CARP clearly state NOT to do this. I'm not sure where you read that, but the HA guides don't say not to use gateways on WAN interfaces. Perhaps you misunderstood some other HA point. All WAN-type interfaces should have a gateway selected on their interface configuration.
• 

  nat for 2 email servers with just 1 wan?
  • periko  

  12
  0
  Votes
  12
  Posts
  59
  Views

  

  @periko said in nat for 2 email servers with just 1 wan?: Is possible to NAT traffic for both servers using the same email ports 465/993 on each one? These are ports to deposit mail for sending (smtps) and consulting mails on a mailbox/server imaps (993). These two ports are probably used by fat-mail-clients like Outlook or Thunderbird. Take the more intelligent (smaller ?) user (== domain ?) group of your 2 mail servers, and say to these guys : "Hey, guys, if you see somewhere that mentions port '993', change it for 994' - idem for 465, make that 466." Now you can NAT easily on your side. Most people don't care less what they have to choose, they only setup a mail clients ones, and will redo it when their computer breaks down after X years. They don't know why its "465" or "993" anyway. Note : this won't work if it concerns port 80 or 443 .... people don't know that they use these ports several times a day
• K

  Squidguard using OPT1 link instead gateway group
  • kzHchris  

  6
  0
  Votes
  6
  Posts
  116
  Views

  

  No problem, I go by either. If traffic from Squid is leaving by a different interface either Squid is set to run on that IP directly or clients not using Squid are not using the default gateway for some reason. We would need to see your routing table, gateway setup and LAN side firewall rule to know more. Steve
• 

  Not working port forwarding
  • dam034  

  9
  0
  Votes
  9
  Posts
  41
  Views

  

  There almost certainly is never going to be an FTP ALG added to pfSense. pfSense is a security product. FTP is insecure and outdated and the general consensus is that nobody should be using it in production any more. If a security layer WAS added, as in FTP/S, then an ALG would be useless because it could neither see nor manipulate the inside of the protocol. SFTP works, is secure, and doesn't require any of this nonsense.
• K

  Multi WAN + Mikrotik
  • karlpox  

  1
  0
  Votes
  1
  Posts
  35
  Views

  No one has replied

• S

  Help need for SSH port forward for asterisk server
  • shetu  

  13
  0
  Votes
  13
  Posts
  136
  Views

  

  Yes or 10/8 172.16/12 192.168/16 ...I just wanted to post a bit more "human readable". ;-) -Rico
• S

  Home Assistant Websocket Not connecting
  • Scottix  

  9
  0
  Votes
  9
  Posts
  112
  Views

  S

  Ok I found the issue. Between setting up and trying to get things to work. A reboot of the modem caused the ip address to change. Since pfSense cached the dns query it was still redirecting the https queries locally and not showing any https issues. When the websocket was trying to make a direct connection it was going to the old ip address which obviously would fail. It is interesting the https didn't fail out but the wss connection did, which led to the confusion, anyway thanks for the suggestions. I will think about limiting the connections to the web server, not sure how I will let certain external service still ping it to notify me of things, not everyone lists their ip addresses they use. Anyway peace.
• U

  randomly can't access server port 80 on different subnet
  • utnuc  

  3
  0
  Votes
  3
  Posts
  53
  Views

  U

  ok, thanks. next time it happens I'll try restarting the web service on the server to see if that's where the problem lies. I'll report back.
• M

  Need your help, give me guide or step by step how to do it
  • marksantos  

  5
  0
  Votes
  5
  Posts
  89
  Views

  

  Here is a simple step by step on how to get your network running: Step 1: Hire a professional admin. Step 2: Explain to him what you want in as much detail as possible. Step 3: Keep the admin under contract and pay him on time. Step 4: Enjoy a working network setup.
• P

  OpenVPN Clients are not using outbound Port forwarding
  • Paddy  

  9
  0
  Votes
  9
  Posts
  153
  Views

  

  I have never seen that happen. a copied rule is the same as making a new rule. It is more likely you did not adjust something that needed to be adjusted.
• M

  Subnet NAT issue
  • Math43  

  1
  0
  Votes
  1
  Posts
  60
  Views

  No one has replied

• C

  having issues to SSH to Unraid Behind Pfsense Port Forwarding
  • comet424  

  7
  0
  Votes
  7
  Posts
  78
  Views

  C

  thank your @Derelict your awesome thank you very much .. that worked
• T

  pfSense as OpenVPN client with both SNAT and DNAT
  openvpn dnat snat policy-routing • • tlovie  

  4
  0
  Votes
  4
  Posts
  68
  Views

  V

  I was talking about the rules on pfSense, of course. As mentioned, such traffic must not be handled by floating rules. I don't know if you've set up some. You may also do a workaround with an SNAT rule for that traffic on the Debian system to get the routing work. But maybe that's not the best solution.
• W

  Simple address forwarding
  • WiringHarness  

  21
  0
  Votes
  21
  Posts
  260
  Views

  W

  @johnpoz said in Simple address forwarding: Your going to run into all kinds of problems trying to route stuff when the stuff is on physical and doesn't use pfsense as its gateway. If pfsense is not going to be a gateway to the internet then these networks do not even need to be wan.. 1 could be pfsense lan, and the other could be opt network. But according to the docs, WAN is required so is it possible to run pfsense with only LAN and OPT interfaces? On a separate note, when I cloned the VM, the MAC addresses changed. Can I control the assignment of which mac address is bound to em0 and em1? update on last week, I didn't have any virtual IPs since I wrongly figured the pfsense could see them both and ping them, but then once I added virtual IPs my 1:1 NAT forwarding started working.
• K

  2 public subnets / reach services behind
  • kreiSSage  

  2
  0
  Votes
  2
  Posts
  70
  Views

  

  Yes. Assuming 200.200.200.0/24 is actually routed to 100.100.100.1 by the ISP. Just number the LAN with 200.200.200.1/24. Go to Firewall > NAT, Outbound, switch to Hybrid mode, and make a NO NAT rule on WAN for traffic sourced from 200.200.200.0/24 Make a firewall rule on WAN passing traffic from any to 200.200.200.X TCP port 22/80.
• D

  Tried everything port forwarding not working??
  • Djinn1  

  42
  0
  Votes
  42
  Posts
  614
  Views

  D

  @johnpoz Thank you for all you help.
• M

  Hulu traffic
  • mhertzfeld  

  3
  0
  Votes
  3
  Posts
  2994
  Views

  C

  Thanks for the tip! It appears this still works. Taking a slightly different approach worked for me, too. I have a dual WAN setup at home and use load balancing (round robin). 99% of services work just fine with this. But I was struggling with the "not at your home location" error on Hulu. I got around it by forcing auth.hulu.com and home.hulu.com traffic out my primary internet circuit. All other Hulu traffic seems to load balance just fine. If anything the suggestion above will work but you'll need to add the two new domains.
• B

  Automated scripts for Private Internet Access port forwarding
  • Bagpuss  

  55
  0
  Votes
  55
  Posts
  243221
  Views

  I

  I had to add a 'sleep 10' top the start of the script, otherwise the script would have tried to query PIA before the link was established when triggered by devd.
• R

  Portforwarding problem: https is working, http is not
  • refugeesonline  

  2
  0
  Votes
  2
  Posts
  105
  Views

  R

  Resolved! It turned out to be a problem with the NAT outbound rules: By deleting the bridge (its name was set to "LAN") all outbound rules to the Wifi devices have been automatically changed to WAN (they were set to LAN before). However, after setting up LAN1 and OPT1, these rules have to be set manually to the right interface. It was just a coincidence that the https-device was still working as it does not need an NAT outbound rule. Thread closed ... :-) Regards, Volker
• S

  Port Forward Past Modem/Router > pfSense > Computer
  • senseii  

  6
  0
  Votes
  6
  Posts
  184
  Views

  

  DMZ mode, in everything I have seen, is like a 1:1 NAT rule. It forwards all traffic to whatever IP you nominate, in this case pfSense. So it removes the firewall for that IP but not for other IPs in the routers LAN subnet. Steve
• K

  Tks
  • kzHchris  

  1
  0
  Votes
  1
  Posts
  61
  Views

  No one has replied

• H

  Help with domain network behind pfsense
  • Hugovsky  

  11
  0
  Votes
  11
  Posts
  252
  Views

  H

  Thank you johnpoz. I understand what you're saying.
• D

  Server Not Accessible from Internet (Port Blocked)
  • digger30  

  5
  0
  Votes
  5
  Posts
  91
  Views

  

  Normally you would have 2 vSwitches, one for WAN and one for LAN. Then you create a pfSense VM with two NICs, one on the WAN switch, the other on the LAN switch. You connect the WAN switch to your physical NIC and your VMs all connect to the LAN switch.
• T

  Private WAN IP and Private LAN IP
  • terragon  

  8
  0
  Votes
  8
  Posts
  3810
  Views

  R

  @phil-davis Have the same situation even removing gw on lan doesn't work. Anything config needed on NAT.
• P

  NAT Outbound Separators (pls)
  • postables  

  13
  0
  Votes
  13
  Posts
  273
  Views

  P

  @grimson @jimp true it would appear then that I'm going about this the wrong way. I will re-evaluate my NAT rules and firewall configurations
• F

  port forwarding not working
  • fionnmaccumhail  

  3
  0
  Votes
  3
  Posts
  110
  Views

  F

  fixed
• K

  FTP server backup WP - Can read but not write! (Local work perfect)
  • Khampol  

  4
  0
  Votes
  4
  Posts
  125
  Views

  K

  Ok I set a SFTP server port 22. Do we need passive port for this too?
• O

  Set up a port forward, still not connectable
  • Octopuss  

  5
  0
  Votes
  5
  Posts
  125
  Views

  O

  Just FIY - there was some sort of a firewall running on the AP on the roof, and after contacting our ISP it was deactivated, and now it seems to work like it should.
• N

  NAT with IPSEC
  • nikkopegmail.com  

  3
  0
  Votes
  3
  Posts
  111
  Views

  N

  Thanks Steve ! Will try to to nat in P2. cheers, pete
• H

  1:1 nat and bridge on with 3 interfaces?
  • hypemedia  

  4
  0
  Votes
  4
  Posts
  114
  Views

  

  It would not necessarily show in the ARP table unless pfSense has been talking to it directly. The ISP would need to ARP for it and it back to the gateway but that is transparent through the bridge at layer 2. What exactly is not working? What is working? How are you testing? Steve
• S

  Redirect to wrong IP destination.
  • sbeaudoin  

  7
  0
  Votes
  7
  Posts
  155
  Views

  

  If the wrong server is responding then the wrong server is responding to 10.0.20.7. Do a packet capture on the inside interface for connections to 10.0.20.7 TCP port 443. Test a connection in from the outside. Do you see the SYN going out the local interface? Is it destined for 10.0.20.7? What responds? You might need to look at the MAC addresses here to see what's really going on.
• J

  Enable Protocol 4 and 93 (IPIP Tunnel)
  • jfalcon  

  5
  0
  Votes
  5
  Posts
  3284
  Views

  M

  @luzemario I'm new to ampr and would like to setup my router for it. Could I get some assistance on getting my allocation going? Thanks
• T

  Firewall stopped forward packets on upgrade from 2.4.4-p1 to 2.4.4-p2.
  • thouwlin  

  1
  0
  Votes
  1
  Posts
  90
  Views

  No one has replied

• A

  How to directly connect clients of a VPN server set behind pfSense to get their own IPs on the DHCP?
  • alaaelrifaie  

  1
  0
  Votes
  1
  Posts
  81
  Views

  No one has replied

• A

  Setting up pfSense as a cloud firewall for my Vultr private network
  • alaaelrifaie  

  3
  0
  Votes
  3
  Posts
  110
  Views

  No one has replied