NAT

• B

  H.323 Video Conference Codec behind PFSense *Guide / Explanation*
  • BitXer0  

  3
  0
  Votes
  3
  Posts
  18936
  Views

  D

  Long story short, to use H.323 behind a pfsense firewall, one needs to enable static-port NAT. Unfortunately neither H.323 nor SIP were designed with NAT in mind, in which case one needs either an ALG (which btw is part of Linux's netfilter since many years, but apparently missing from baseline pf/FreeBSD) or a NAT device that won't rewrite ports (a solution that will work if you only have one such device). Edit: Note that SIP software has been improved in recent years, and most recent implementations can work through NAT without a need for ALG or static ports, but it's still something one has to keep in mind when troubleshooting SIP issues.
• C

  Port Forward Troubleshooting
  • cmb  

  1
  0
  Votes
  1
  Posts
  25613
  Views

  No one has replied

• W

  Port Forwarding not working correctly ( Through VPN )
  • webconnector  

  2
  0
  Votes
  2
  Posts
  14
  Views

  W

  The issue is resolved by removing this rule. I don’t understand where it came from
• C

  Port Forward OpenVPN Site-to-Site
  • cneu88  

  5
  0
  Votes
  5
  Posts
  52
  Views

  C

  Thank you for your quick reply. I follow this article to setup the tunnel and configured the firewalls according to it. The servers are reachable when i disconnect the VPN connection on router2. The host names are resolving to the external IP of router1. I have set up the firewalls according to the above article. The servers are reachable when VPN is disconnected. Yes, as far as I can tell. Yes, as far as I can tell. UPDATE: I am not able to ping the remote external IP of router1 (ICMP timeout). Maybe that's a hint to something....
• C

  Change outgoing IP OpenVPN
  • cyberbot  

  3
  0
  Votes
  3
  Posts
  23
  Views

  C

  Thank you for your answer, yes i am using openvpn as my tittle said. i am running vpnclient on pfsense on both sides.
• _

  Port forwarding and bond/link aggregate
  • _mwa_  

  4
  0
  Votes
  4
  Posts
  34
  Views

  _

  @Derelict You are perfectly right: one day later the problem is gone. I've changed a lot this day (and I am not an expert, so I have tested some ideas to find out they did not work), thus I assume I have caused some trouble on the network with needed some time to settle down.
• R

  Double NAT TCP/UDP not returning
  • redvapor  

  9
  0
  Votes
  9
  Posts
  16
  Views

  

  Yeah putting a router on the same backside subnet like that will only cause you grief and pain.
• W

  NAT 1:1 Polycom VSX 7000
  • wesleylc1  

  48
  0
  Votes
  48
  Posts
  203
  Views

  W

  Hi Steve, how are you? Seeing no problem during Polycom calls, I noticed that by selecting the "NAT is H.323 compliant:" checkbox does not connect to final destination, I will clear the H323 checkbox and select the H460 "Enable" checkbox. H. 460 "-Firewall" as shown in the image below. Best regards, Wesley Santos
• D

  NAT to Virtual IP
  • digitalcomposer  

  6
  0
  Votes
  6
  Posts
  14
  Views

  D

  The provider will not make sito to site with our local net because of overlap with another clients.
• R

  Ports, rules, NAT
  • Rod-It  

  46
  0
  Votes
  46
  Posts
  123
  Views

  

  yes of course at home i'm using it only for toy/learning experience/test etc etc sure not something to do for work where we have professional ip with rdns and stuff configured as it should
• H

  Can't connect to FTP server behind pfsense
  • hhajj  

  18
  0
  Votes
  18
  Posts
  1540
  Views

  

  Your 3 posts have been your having issues with ftp - but you have yet to get 1 detail that could actually let us help you. Your ftp server is where? Where is your client? Are you active or passive?
• W

  VOIP calls don't end
  voip • • WillemC  

  12
  0
  Votes
  12
  Posts
  98
  Views

  

  192.9.x.x is not a private IP address and should not be used as though. That is probably why its not working. This is a routable (reported unreachable right now) address and their servers will treat it as such. You break stuff when you don't follow the rules. https://www.speedguide.net/ip/192.9.200.17 Use addresses from the range below. 10.0.0.0/8 172.16.0.0/16 192.168.0.0/24
• J

  Port forwarding not working, possible reply-to issue?
  • JoelLinn  

  3
  0
  Votes
  3
  Posts
  24
  Views

  J

  The traffic wasn't leaving on any interface. It turned out there was no default route in the route table. I changed the default gateway from the failover group to a specific one and a default route was created. Changed it back to the failover group and the default route stayed. I found this https://redmine.pfsense.org/issues/9004 because I'm still on 2.4.4_2 (didn't see the update notification because the firewall couldn't reach the servers to check....) What an annoying bug.
• T

  Logging/Viewing original DNS query prior to DNS redirection NAT rule?
  • TritonB7  

  2
  0
  Votes
  2
  Posts
  23
  Views

  

  You will probably need a mirror port on a switch to a traffic analyzer for data like that.
• G

  Access port 80 on WAN GW
  • gordon  

  3
  0
  Votes
  3
  Posts
  15
  Views

  G

  @ptt said in Access port 80 on WAN GW: Just.... http://10.0.0.1 hehe what have I done wrong ? enter wrong IP adress ? I have played with rules etc... hehe THank you :)
• S

  GRE tunnel and Outbound NAT return path problems
  • sinaowolabi  

  1
  0
  Votes
  1
  Posts
  37
  Views

  No one has replied

• K

  Port forwading using NAT dropping packets issue
  • kyriakoy  

  1
  0
  Votes
  1
  Posts
  16
  Views

  No one has replied

• C

  Outbound nat port 25 to external IP
  • camay123  

  5
  0
  Votes
  5
  Posts
  39
  Views

  

  @camay123 said in Outbound nat port 25 to external IP: catch all outbound port 25 smtp traffic I just block all outgoing "port 25" connections. Because I control all my mail clients on my LAN, and they use '465' for outgoing mails. I also run a Captive Portal : same rule.
• U

  Outbound NAT issues with /29 range
  • Udbytossen  

  2
  0
  Votes
  2
  Posts
  18
  Views

  U

  Strange my settings where actually OK - Just needed toi change it to an ALIAS instead of IP address Now with 5 working public IP's
• R

  Selective NAT/Outbound to ISP or VPN Provider
  • rsaanon  

  3
  0
  Votes
  3
  Posts
  32
  Views

  

  @rsaanon said in Selective NAT/Outbound to ISP or VPN Provider: For one LAN subnet, outbound connectivity should go through the VPN Provider Interface (VPN) Why would you not just policy route that? Don't pull routes, leave your rules on automatic, create a hybrid rule for the outbound nat for your vpn interface. And yeah as stated there just is no point to hide rfc1918 address space..
• D

  NAT doesn't work for server inside VLAN after NIC change
  • DJS4000  

  9
  0
  Votes
  9
  Posts
  54
  Views

  

  Yeah this was never pfsense, if you see the traffic sent on the pfsense lan side via a sniff. Pfsense did exactly what you told it too do.. See packet on wan, forward it to xyz on port abc.. If there is no answer that has nothing to do with pfsense. To be honest in the like 12 years I have been here, I don't actually recall ever a port forwarding question that was ever an issue with pfsense..
• P

  NAT VLAN through VPN Troubles
  nat vpn vlan headers • • picnicsecurity  

  5
  0
  Votes
  5
  Posts
  30
  Views

  P

  @Pippin Thank you for the reply. I went into VPN -> OpenVPN -> Clients and edited my client's configuration. Under Advanced Configuration I put into the custom options "ns-cert-type server; persist-tun; persist-key; mssfix 1400" and then saved. I then reloaded the VPN by going to Status -> OpenVPN. I did the usual ping/nmap verification checks to confirm connectivity. However this does not seem to have done anything. Below is a picture of the wireshark output (with the TCP stream from the browser being currently selected) and below that is the capture file. mssfix1400_full_cap.pcapng
• 

  Explain "Disable expansion of this entry into IPs on NAT lists"
  • pitchfork  

  4
  0
  Votes
  4
  Posts
  26
  Views

  

  @pitchfork said in Explain "Disable expansion of this entry into IPs on NAT lists": @KOM thanks for the explanation. I think of a single use: if you add a very large subnet it could potentially crash the pfsense webserver when it ties to expand the list. That's exactly it. You can still pick the subnet itself from the drop-down, but if you add, say, a /16 you don't really want thousands and thousands of entries in the drop-down list.
• D

  Limit number of ports used on WAN due to CGNAT
  • digitalgeek  

  5
  0
  Votes
  5
  Posts
  23
  Views

  D

  Yeah, and I imagine my IPv6 connections are in that state table too so probably a little less than half of that table is actually external IPv4 states. I figured I would mention the VPN thing to see if that made sense based on what my ISP was telling me (sounds like it does). I originally thought my issues were routing related because the ISP equipment kept responding with "Destination Unreachable" for seemingly random sites at random times.
• 

  NAT Inbound Does Not Create Outbound Rule
  • pitchfork  

  11
  0
  Votes
  11
  Posts
  58
  Views

  

  @pitchfork said in NAT Inbound Does Not Create Outbound Rule: does adding virtual IPs require a pfsense or proxmox restart? No.
• L

  Port forwarding to the VPN IPsec tunnel
  • lukaszc  

  5
  0
  Votes
  5
  Posts
  230
  Views

  P

  @lukaszc Hi Lukaszc! How can you solve the problem over an OpenVPN?
• M

  NAT on Local side
  • meluvalli  

  14
  0
  Votes
  14
  Posts
  39
  Views

  M

  Ok. I will play more with it! I really appreciate your help! I'm confused because if I manually set my proxy on my machine to 10.40.162.94, it works. So I know the proxy is functional.
• E

  NAT Before IPSEC Issue
  • Erik10206  

  1
  0
  Votes
  1
  Posts
  24
  Views

  No one has replied

• R

  1:1 NAT deleted but still in system kernel..
  • rchatman  

  5
  0
  Votes
  5
  Posts
  26
  Views

  R

  Yessir
• C

  NAT rule troubleshoot
  • count1to3  

  2
  0
  Votes
  2
  Posts
  27
  Views

  

  Create a port forward for ssh to that LAN server via Firewall - NAT - Port Forward. Since you're in private IP space, you will also need to edit your WAN config to stop it from blocking inbound access from rfc1918 addresses via Interfaces - WAN - Uncheck Block private networks and loopback addresses. https://docs.netgate.com/pfsense/en/latest/nat/forwarding-ports-with-pfsense.html https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
• C

  NAT a single host over IPSEC
  • CW_  

  1
  0
  Votes
  1
  Posts
  15
  Views

  No one has replied

• L

  How to use NAT over OpenVPN
  • LittleTin  

  1
  0
  Votes
  1
  Posts
  36
  Views

  No one has replied

• L

  PFSense used only as router allow only https
  • Lucas Rey  

  9
  0
  Votes
  9
  Posts
  71
  Views

  L

  First of all, thank you for your time. I tried on VMWare Forum without success, maybe people are in holidays :) If I can, I would like to recap what you wrote that for sure make it sense. What I understand is that now PFSense WAN interface is under VKernel (default Port Group: VM Network) and under its firewall. So I created a new Port Group named WAN and conenct it to Physical adapters, then move the WAN PFSense interface on it: Topology shown now that WAN Port Switch is connected to Physical adapter (the only one I have) On vSwitches side I left untouched i.e. vSwitch0 (default) and vSwitch LAN. But still doesn't work, maybe I still miss some config, or maybe I have to add/modify the VMKernel NICs section... I'm lost....
• J

  Redirect port from NAT to host of OpenVPN
  • jantonio.garcia  

  6
  0
  Votes
  6
  Posts
  54
  Views

  V

  The routes? So you've created a Site-to-Site OpenVPN server? Also added firewall rules to allow that access? You'll need a rule on pfSense1 WAN interface as well as on the VPN interface on pfSense.
• X

  1 to 1 configuration issue
  • xjobex  

  1
  0
  Votes
  1
  Posts
  24
  Views

  No one has replied

• G

  IPsec + NAT Port Forward - Reply packet seems to get lost
  • grumpy-bit  

  1
  0
  Votes
  1
  Posts
  14
  Views

  No one has replied

• N

  UPNP Strange issue
  • never-enuff  

  2
  0
  Votes
  2
  Posts
  62
  Views

  N

  here are some follow up log entries. Jul 17 15:54:10 miniupnpd 85109 SoapMethod: Unknown: GetPortMappingNumberOfEntries urn:schemas-upnp-org:service:WANIPConnection:1 Jul 17 13:26:33 miniupnpd 85109 http://192.168.254.1:2189/rootDesc.xml not found, responding ERROR 404 Jul 17 13:26:33 miniupnpd 85109 http://192.168.254.1:2189/rootDesc.xml not found, responding ERROR 404 Jul 17 13:26:33 miniupnpd 85109 http://192.168.254.1:2189/rootDesc.xml not found, responding ERROR 404 Jul 16 16:49:46 miniupnpd 85109 Listening for NAT-PMP/PCP traffic on port 5351 Jul 16 16:49:46 miniupnpd 85109 no HTTP IPv6 address, disabling IPv6 Jul 16 16:49:46 miniupnpd 85109 HTTP listening on port 2189
• 

  Port open yet firewall still blocking traffic
  • X2LR  

  8
  0
  Votes
  8
  Posts
  64
  Views

  

  @X2LR said in Port open yet firewall still blocking traffic: Yes I reset states after changes Well the client doesn't know that... So he had connection open, and wanted to continue to talk - so yeah your going too see those sorts of blocks until a new session is created. Why are you resetting the states? You would only need to do that on a specific sort of rule change for any active states related to that specific rule.. Say you wanted to block 192.168.1.100 from talking to X.. So you created a block rule, you would have to clear the states for 192.168.1.100 talking to X to make sure that rule takes effect. You don't need to clear all of them ;) So that right there explains what your seeing! You can adjust the pfsense settings so that wan going offline because monitor doesn't get an answer.. One sec and post screen of where you do that. edit: Uncheck this system / advanced / misc But yeah your going to want to setup your p2p client not to use up your whole pipe ;) Have not had to deal with any of that in many years... I don't do any p2p to my home connection.. I run a seedbox elsewhere.. But you can setup limits in the client.. And could also limit with pfsense via limiters or shaping.
• T

  SG-1100 changing ports on NAT
  • tino19625  

  4
  0
  Votes
  4
  Posts
  54
  Views

  T

  @Grimson - I implemented these settings over the weekend [24/7 operation] and this clearly corrected the audio problem with the SIP trunks! THANK YOU
• C

  OpenVPN NAT to LAN (internal ip)
  • chrisjmuk  

  8
  0
  Votes
  8
  Posts
  67
  Views

  

  Have no freaking idea what he is doing - seems like he wants to source nat his vpn users? Just at a loss to why want to do that - just love not knowing what vpn client is connecting to your server ;) Firewall rule on the dest device? It has no gateway - or different gateway would be the only reasons I could think of wanting to source nat. If it was using a different default gateway, you could just host route on the device.