NAT

• B

  H.323 Video Conference Codec behind PFSense *Guide / Explanation*
  • BitXer0  

  3
  0
  Votes
  3
  Posts
  19727
  Views

  D

  Long story short, to use H.323 behind a pfsense firewall, one needs to enable static-port NAT. Unfortunately neither H.323 nor SIP were designed with NAT in mind, in which case one needs either an ALG (which btw is part of Linux's netfilter since many years, but apparently missing from baseline pf/FreeBSD) or a NAT device that won't rewrite ports (a solution that will work if you only have one such device). Edit: Note that SIP software has been improved in recent years, and most recent implementations can work through NAT without a need for ALG or static ports, but it's still something one has to keep in mind when troubleshooting SIP issues.
• C

  Port Forward Troubleshooting
  • cmb  

  1
  1
  Votes
  1
  Posts
  26133
  Views

  No one has replied

• Q

  Nat Pass Works But Rule Does Not
  • qwaven  

  9
  0
  Votes
  9
  Posts
  33
  Views

  Q

  So just because... I went ahead and removed both NAT rules and any rules for them. Created just 1 NAT rule and specified to allow it to create an associated rule. It did all this, I test and I experience the same issue. -In the application it shows a status which flashes on showing it should be good then seconds later goes back to offline status. -Externally testing shows the port is down Tried adjusting the NAT reflection type (always have left it as system default) Tried proxy, and pure. all appear to have the same result. Switch to using pass, the NAT rule removes its associated created rule and my application immediately works. Externally testing passes as well. Second NAT rule... Did the same tests as above, nothing appears to work. As I removed my floating rule I originally created to make this work. I switch the NAT rule to also use pass and it works. Floating rules: Go in and change both NAT rules to not use Pass or Associate to a rule. create a basic floating pass rule to allow from any to one of my servers. The server with port 32401 will not work. The server with port 32400 will work with the floating rule. And for completeness I change the NAT rule for 32401 back to use PASS and remove the floating rule I created for it. It works right away. I'm at a loss here as to what else I can be looking at. Open to trying things... Cheers!
• V

  Can't get LAN traffic to connect through WAN
  • vpnguy  

  6
  0
  Votes
  6
  Posts
  18
  Views

  V

  @viragomann For the OPT1 interface Firewall rule "allow IPv4" to any, the Gateway advanced setting only has two options: "default" and "[commercial isp]" I do not want to use my commercial ISP, but there is no OpenVPN option. In the OpenVPN client settings, under gateway creation, I have selected IPv4 only. Under my System/Routing/Gateways setting, the default gateway is set as my commercial ISP. I have three choices: [commercial ISP], Automatic, None. How can I create an "OpenVPN" gateway?
• P

  Trying to figure out if NTP redirection is working
  • pfguy2018  

  1
  0
  Votes
  1
  Posts
  3
  Views

  No one has replied

• H

  PIA automatic port-forward update for Transmission daemon
  • HolyK  

  5
  0
  Votes
  5
  Posts
  318
  Views

  H

  @dl_sdk Hey, glad you figured it out. Yes the service name vary across distros/packages. In my case it is just a pkg inside BSD Jail. I could change that to get the real service name from service -e output but then it might fail on the service command itself. Anyway thanks for posting the command which works for you so other ppl can adjust the script if necessary.
• R

  Accessing Port Forwards from Local Networks
  • rahim  

  11
  0
  Votes
  11
  Posts
  55
  Views

  

  If its working and your happy, then all is good.. But such a setup is not the "correct" way ;) It makes no sense to send traffic to your wan IP, just to be hairpinned back to hit the IP sitting next to you on the lan.. Its like you want to go the dining room from the kitchen in your house - but hey lets go out the front door and back in to get there ;)
• W

  Accessing a local web server from local network with NAT reflection + port forwarding
  • wyang  

  14
  0
  Votes
  14
  Posts
  29
  Views

  H

  A>is it possible to drive a toyota corolla through the jungle? B>it's better to use a 4x4 to go through the jungle. A>Yes, but is it not also possible using a corolla, then i wouldn't need a 4x4? B>using a corolla in a jungle is an abomination to all things holy about driving in the jungle. 4x4 is the way ..... A> using a 4x4 is not sustainable
• H

  From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout
  • howdoyouturn69  

  7
  0
  Votes
  7
  Posts
  7
  Views

  H

  I follow the instructions, remove default gateway in firewall rules, to default. I can see the firewall log it says allow (green check), however, still does not connect. Any other idea? Because I still can't do event ping between LAN and DMZ. BTW: If I set "default" gateway in System/Routing, no LAN client can browse internet. Maybe something else is missing?
• D

  Transparent Proxy with nat
  • davide.accetturi  

  1
  0
  Votes
  1
  Posts
  5
  Views

  No one has replied

• E

  3 specific phones not registerd to PBX
  • Eyalf83  

  1
  0
  Votes
  1
  Posts
  9
  Views

  No one has replied

• 

  OSPF: pfSense and 2 Instances of VyOS in Separate Networks
  • GraysonPeddie  

  3
  0
  Votes
  3
  Posts
  22
  Views

  

  Note: I'm going to make a new post instead of editing my existing one. I did not see an error message when I submit my changes, so I'm going to make a new post documenting my experience with NAT. Okay, so I'm going to document my experience with NAT in pfSense. Let's change the destination to 10.249.1.0/24. Rule 1: Interface: WAN Source: any Destination: 10.249.1.0/24 Translation Address: 10.249.0.0/16 Pinging 10.249.1.100 works and pinging 10.249.2.100 does not work. So, changing the destination to 10.249.2.0/24 makes pinging 2.100 working, but 1.100 does not. I'm going to reset the destination to 10.249.0.0/24 and modify the translation address to 10.249.0.0/24. I'm going to give it a try: Rule 1: Interface: WAN Source: any Destination: 10.249.0.0/16 Translation Address: 10.249.0.0/24 Setting translation address to 10.249.0.0/24 works fine when pinging .1.100 and .2.100. What happens if I set the translation address to just interface address? Setting the first rule to WAN address won't work because pfSense does not seem to reach back to .0.101 when I try to ping .1.100 and .2.100. So it makes sense to think that pfSense will translate the packets back to the originating host's IP address and not the interface address (172.24.9.2). I don't know how that works, but hey, it works. Maybe somebody could explain why using the local /24 LAN subnet works.
• I

  Trafic Redirect
  • Ilya.V  

  4
  0
  Votes
  4
  Posts
  11
  Views

  V

  That's straight forward. I had made such forwardings several times. Ensure that Pf2 is the default gateway for the server and that a firewall rule on the specified OpenVPN interface is allowing the access and that it matches. Also on Pf1 WAN you need a rule allowing the traffic, of course. @Ilya-V said in Trafic Redirect: added a permissive rule for everything You have to ensure that there is no rule on the OpenVPN tab which matches the traffic. OpenVPN is an interface group including all OpenVPN instances you're running and it doesn't work on interface groups! That's why I wrote "move the rule from OpenVPN...".
• M

  Maximum amount of Outbound Static NAT?
  • mountainlion  

  5
  0
  Votes
  5
  Posts
  15
  Views

  M

  Some may slip away into obscurity, but I owe a reply.... lol Just reading this a couple of minutes ago. When I read your last suggestion about anyone else using IP on segment, I sort of cringed. I had looked at the Diag/arp and saw FW mac, but hadnt looked at EdgeRouter due to ssh issue last night. When I logged into router I saw that the network has been sliced to a /27, not /26 as I had thought. Added a usable IP from IPSUB and off and going. Thank you
• P

  Speed? Is there anything in PFSense that would rate-limit SSH NAT?
  • profse  

  8
  0
  Votes
  8
  Posts
  23
  Views

  P

  I set up the DMZplus mode to my laptop. If I SFTP to the laptop, the speeds are atrocious, just like to the netgate device. It must be the modem.
• T

  Configuring NAT overload in pfSense
  • tsame  

  5
  0
  Votes
  5
  Posts
  34
  Views

  N

  Nat overload is a classic cisco term Also called pat (port address translation) or plain nat as we know it in home appliances.
• R

  No internet on WAN and/or LAN port (Virtual pfSense on VMWare Workstation 15.5)
  • raviktiwari  

  3
  0
  Votes
  3
  Posts
  25
  Views

  V

  Is the WAN gateway shown as online on the dashboard? Are you able to ping 8.8.8.8 by the IP address from pfSense to rule out a DNS issue? If the issue is on the VMWare setup the Virtualization section of this forum might be a better place to ask.
• P

  All external attempts to SSH or SFTP yield "connection refused"
  • profse  

  6
  0
  Votes
  6
  Posts
  20
  Views

  P

  First, thanks for the reads and comments. It seems that, upon seeing my WAN Address as 172 and not my IP that something was fishy with the modem. Either ATT or a power cycle reset the modem to block traffic and not pass it all to PFSense. I changed that setting, and we are back in action. I'm sorry to have wasted your time on this, as I assumed my settings on the modem were unchanged.
• L

  Check 1 to 1 Nat public ip, returned internal ip address
  • luzenkock  

  1
  0
  Votes
  1
  Posts
  6
  Views

  No one has replied

• H

  Multicast
  • hsv  

  26
  0
  Votes
  26
  Posts
  86
  Views

  

  @hsv said in Multicast: Pfsense is not the way to go, and start to setup HAProxy. it took me a long time to understand what do you mean by original post, I apologize just the way, it works...HA proxy +++edit: @hsv "but I only have 4 WAN, but I guess the problem will be the same." this does not matter
• A

  VPS with PFS, WAN, Port 80 => Peer to Peer OpenVPN => Home PFS => VLANed VM
  • avr  

  3
  0
  Votes
  3
  Posts
  11
  Views

  A

  Hi @netblues, thanks for your response. I agree it would be much easier if I connected to the VPS PFS from the VLANed VM. But the thing is I want to know how to make this using PFS. So let's start with some questions, as I might have gaps of knowledge: Peer-to-Peer (Site-to-Site) OVPN connections: are they bidirectional? If I wanted to NAT Port Forward to this Interface which 'Redirect target IP' should I use? thanks
• A

  FTP not working
  • anakaoka  

  6
  0
  Votes
  6
  Posts
  22
  Views

  

  @Napsterbater said in FTP not working: @anakaoka I have LONG LONG abandoned IIS FTP. I have used Filezilla FTP Server for quite awhile Though it has no capability to use AD/LDAP for user auth. But it does support Implicit and Explicit TLS for FTP, Passive and Active FTP and IPv6. For Passive FTP, just configure a range of Ports and forward those the to server, and configure the External IP in the Server settings. Second this ^ Filezilla was my solution for a while also. It worked great and did exactly this with a range of passive FTP ports. Eventually ditched that Windows system and created a FreeNAS server with secure FTP access similar to the Filezilla. FreeNAS is pretty awesome stuff.
• E

  NAT subnet from BGP route
  • Elegant  

  3
  0
  Votes
  3
  Posts
  9
  Views

  E

  I ended up re-designing how the neighbors interacted and eliminated the need for another set of routes from a second AS. I think one of the IP pools was in conflict, that's no longer the case :)
• C

  NOT DOES NOT WORKING PARA PORTAL HTTPS
  • clsilva  

  1
  0
  Votes
  1
  Posts
  2
  Views

  No one has replied

• R

  NAT / Port forward to IPsec tunnel
  • Rickster  

  1
  0
  Votes
  1
  Posts
  12
  Views

  No one has replied

• P

  Are the Autocreated ISAKMP rules needed?
  • powerextreme  

  10
  0
  Votes
  10
  Posts
  50
  Views

  

  @powerextreme said in Are the Autocreated ISAKMP rules needed?: Also, why is the loopback address using ISAKMP? It normally isn't, but it's included in the networks for automatic outbound NAT rules, and each entry in that list gets the udp/500 static port rule.
• T

  Port forwarding from Virtual IP
  • taustinoc  

  3
  0
  Votes
  3
  Posts
  12
  Views

  T

  That's what I needed. Thanks.
• O

  Accessing Radio Devices Webgui behind WAN1 of 2 Wans from LAN2 of 2 LANS.
  nat • • oilahkestrada  

  1
  0
  Votes
  1
  Posts
  8
  Views

  No one has replied

• A

  Multiple virtual IPs, one WAN -- outbound round robin use of IPs possible?
  • Airwave  

  7
  0
  Votes
  7
  Posts
  24
  Views

  A

  @netblues said in Multiple virtual IPs, one WAN -- outbound round robin use of IPs possible?: @Airwave and consider random with stickiness since changing ip's between https requests tend to break things badly. Okay, great thank you. I'll test these options :-)
• N

  Hairpin nat for a test environment
  • nikmiddleton  

  1
  0
  Votes
  1
  Posts
  11
  Views

  No one has replied

• 

  (SOLVED) NAT rule for WAN port from Firewall A w/ openvpn server to device behind Firewall B w/ openvpn client
  • SipriusPT  

  3
  0
  Votes
  3
  Posts
  36
  Views

  

  So, after a some CSI I notice that inbound packages where reaching the target machine, the problem was that the Firewall B didnt knew where to sent back the response, so I added a new rule in NAT Outbound for this particular device, and worked like a charm: NOTE: Firewall B doesnt use Firewall A gateway, its a "hybrid" VPN.
• A

  Upnp Port Forwarding question
  • angelinajulie363636  

  1
  0
  Votes
  1
  Posts
  22
  Views

  No one has replied

• B

  Simple internal NAT - Can't port forward on internal LAN
  • bgillette  

  9
  0
  Votes
  9
  Posts
  33
  Views

  

  @bgillette said in Simple internal NAT - Can't port forward on internal LAN: well i had my NAS admin exposed so i could access it remotely Would never in a million years expose nas admin to the public internet.. If you can not lock down forward to a known source IP, say your work, or where you remotely admin from.. Then VPN into to do your remote administration.
• G

  NAT Reflectiion Two WAN's
  • Galbiere  

  2
  0
  Votes
  2
  Posts
  25
  Views

  H

  Perhaps use proper DNS instead?
• D

  NAT Issues when playing games on two computers
  • dmd1234498  

  36
  0
  Votes
  36
  Posts
  386
  Views

  

  @Raffi_ said in NAT Issues when playing games on two computers: I followed the steps exactly and it was perfect except for one thing which messed me up. After the last step, I had to go to Diagnostics > States. I filtered for my Xbox static IP and then I had to Kill the states. Without doing that it kept the old states and kept showing NAT type strict. you're absolutely right... since, I always restart (NGFW) when such a configuration change (greater extent) is made, I forgot to describe it
• E

  NAT rule enabled on another interface than specified
  • echo4201  

  10
  0
  Votes
  10
  Posts
  32
  Views

  

  Hmmm, what was system default set too? Mine is disabled - but it defaults to what pure nat or nat+proxy? I really don't see how that would of come into play on a different interface.. Can try and duplicate it - what setting did you have in system, and can set mine to that and then look at the exact rules being created..
• H

  Access Back-haul Radios
  • hotshottech  

  37
  0
  Votes
  37
  Posts
  2284
  Views

  O

  @hotshottech said in Access Back-haul Radios: I got it going…..here are the rules that got me there. Thanks guys for all the help....see attached Hi! I also have a same problem... ISP Router Modem (DHCP) 192.168.2.1-RADIO(192.168.30.X)-RADIO(192.168.30.Y)-PFSENSE(192.168.2.1) sadly, can't see the attached files...
• 

  Forward fragmented UDP (SIP) traffic
  • mike1818  

  2
  0
  Votes
  2
  Posts
  19
  Views

  

  @mike1818 (Replying to my own post) There is a problem with the PABX. Retried it and saw outgoing traffic from the pfSense to the PABX which is acting like there is no traffic. Sorry for bothering.
• S

  Private WAN IP
  • se1eznev  

  5
  0
  Votes
  5
  Posts
  18
  Views

  S

  Thanks, I'll write tomorrow as I check it out.
• W

  SSH Port Forwarding doesn't work :(
  • Wojtek D  

  3
  0
  Votes
  3
  Posts
  39
  Views

  W

  Thanks, I check everything again and you are right, this is debian fault, not pfsense