• Same NAT translation

    8
    0 Votes
    8 Posts
    1k Views
    stephenw10S

    Yes, a diagram here would help a lot. It's not obvious to me what you're trying to achieve.

    Steve

  • Unexpected firewall rule added when doing a NAT port forward

    4
    0 Votes
    4 Posts
    1k Views
    I

    Finally got the NAT rules and port forwarding to work. Turns out that putting the internal private IP address in the destination address for the WAN interface was the correct way of doing things, while I'm still not exactly sure how/why this works. Long story short, 1+ hour with Comcast and my own modem; it turns out that whoever "provisioned" my modem for internet access did not set up anything but the default ports to be opened, i.e. 53, 80, 443. Once I got to one of the higher-ups, I got a new external IP address, and now all my port forwarding works. Problem solved.

  • How to unable NAT for outsider IP

    7
    0 Votes
    7 Posts
    1k Views
    D

    Considering the configuration is non-trivial, perhaps it'd be better to post in your native language on the international forums: https://forum.pfsense.org/index.php#c3

    Or, if it's a company network, perhaps get paid support from ESF? https://www.pfsense.org/get-support/

  • Remote VoIP device - Avaya IP Office v9

    1
    0 Votes
    1 Posts
    602 Views
    No one has replied
  • Mailserver not connectable from Inet

    4
    0 Votes
    4 Posts
    661 Views
    M

    So if you ping the FQDN of the mail server from an internal client, do you get a response back? And have you checked to see if the mail server is running any kind of firewall locally, or has some traffic filtering of its own in place?

  • Manual Outbound NAT vs. Port Randomization

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    If you over-use static port, pf won't allow one to "steal" the other's connection, but will deny the new connection (can't create a conflicting state).

    It would only be denied iff it tries to re-use the same static source port going to the same destination:

    Connection #1:
    a.a.a.a:xxxx NAT to b.b.b.b:xxxx destination c.c.c.c:yyyy

    Connection #2 -- Denied:
    a.a.a.q:xxxx NAT to b.b.b.b:xxxx destination c.c.c.c:yyyy

    Connection #3 -- OK:
    a.a.a.q:xxxx NAT to b.b.b.b:xxxx destination d.d.d.d:zzzz

    Limiting use of static port to things that require static port (e.g. a PBX) is the best way to avoid problems. Generally speaking, the only time someone would really hit scenario #3 above is if you have two local PBX units attempting to connect to the same remote PBX. In that case you'd need to NAT one of them out a different IP address (1:1 NAT or outbound NAT to a different IP address).

  • How to allow only one source IP in NAT configuration

    5
    0 Votes
    5 Posts
    920 Views
    D

    Dear Derelict,

    Thanks for your advice, I will try it.

  • LAN and OPT1 routing on the same VLAN

    6
    0 Votes
    6 Posts
    2k Views
    DerelictD

    You still need two VLANs.

  • Routing LAN traffic through OpenVPN

    11
    0 Votes
    11 Posts
    3k Views
    ?

    (which I believe would mean that they are sent to my VPN server and back) but should be routed
    directly to the destination address in the LAN.
    Would not be running, because the VPN must have a different LAN address on both ends!

    192.168.1.0/24 ----VPN---- 192.168.1.0/24 - will not be running
    192.168.1.0/24 ----VPN---- 172.xxx.xxx.xxx/24 - will be running

    On the other hand, packets that have a destination address outside of 192.168.1.x/24 should be
    routed through the gateway and consequently through the VPN.
    If the destination is on the other VPN end, yes; if not, no.

    My whole reasoning behind this is that I really need GBit-LAN locally
    Then we should be talking about other things and perhaps other hardware also.
    If the pfSense is doing everything, which is very popular with many users, it slows down a little bit
    more the more the pfSense has to do; for sure this is also the case with other vendors and systems.
    Take a MikroTik router: it delivers full speed at first, and after SPI, NAT and 20 firewall
    rules, VLANs and QoS it is delivering something around 25% of its full power, for sure not on all
    models but on most of them. And for sure it would be the same with all other systems on
    mother earth! So if you install some Layer 3 switches in your network and stack them instead of
    only uplinking them, you would be doing the best you are able to do these days.

    The whole and entire LAN traffic will then be routed only by the Layer 3 switches and the pfSense
    is free of this work. This often speeds up many network constructions a lot.
    And if you bind your servers over 10 GBit/s to the switches you will get out
    of creating a so-called bottleneck. Or plain LAG (LACP) them; that would perhaps also bring
    more throughput.

    (VPN is only 100Mbit).
    Therefore you will also be able to do some things to speed up the throughput a lot.

    The CPU has to do the most, so if you give pfSense a really powerful CPU you
    get the most out of it, and then perhaps also some more ECC RAM; that would be the best
    point to start speeding up the WAN throughput. Using Intel server network adapters
    would also bring you more stability and gain a bit more throughput once again.

    Inserting then perhaps a compression card on both ends of the VPN (not only at one side)
    would increase the entire throughput once more. A Comtech AHA362PCIe can be
    bought over eBay for something around ~$30 - $60.

    AES-NI in the CPU would be the best option today and a 4 core Intel Xeon E3-12xxv3 at a
    minimum of 3.0 GHz would do the job.

    For sure there are also other options out there to insert, but I am in Germany and most of the
    companies for that equipment are in the USA. So if you are a citizen of the USA you
    could try starting your search around an Exar DX1700 crypto accelerator that will
    speed VPNs up really wickedly, if this card is supported.

  • NAT rule set up

    5
    0 Votes
    5 Posts
    1k Views
    M

    @hunderri:

    My PBX is not local. Can I use the same configuration?

    What do you mean by this? Are you saying your PBX is sited somewhere outside your firewall/LAN?
    @hunderri:

    I configured the rules on Firewall: NAT: Port Forward but I don't see the icon pass or linked rule. What might be the problem?

    No idea. Why don't you post a screenshot of your firewall and NAT rules? It might help.

    For that matter, why not post a diagram of your network setup, including your firewall, your LAN and the PBX, specifically showing where the PBX is sited? Just saying "My firewall rules don't work" doesn't really help anyone to help you.

  • Novice question about NAT and multiple LAN networks

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ

    Why does it matter for your NAT rules?  Why did you have to do anything on the NAT rules?  Once you create a new interface, the new source IPs of your other segment would have automatically been added to the NAT rules for the WAN interface.

    I have multiple LAN-side NICs, some physical and others VLANs on the physical interfaces; as you see I have multiple 192.168.x segments, and they are all included in the NAT rule to my WAN interface.

    Attachment: natrules.png

  • Port forwarding for ARK Server

    6
    0 Votes
    6 Posts
    6k Views
    johnpozJ

    Look in your states table, for all the combinations of source and destination states, under Diag.  But the question is not what pfSense is using but more what a NAT device in front of pfSense would be using if you're in its DMZ vs. setting specific forwards to the pfSense WAN IP.  Double NAT is not good.  But you say you're not behind a double NAT, that pfSense has a public IP on its WAN.

    If your pfSense has a public IP, are you sure it's public??  192.168.x.x, 10.x.x.x or 172.16-31 are private IPs.

    So did you do step one? Did you sniff on pfSense and validate you see the traffic you're wanting to forward? There is no reason to look further until you have validated you see the traffic on the pfSense WAN, because if you're not seeing it there is nothing you can do in pfSense to make it show up ;)

    Simple packet capture under Diag. Go to canyouseeme.org and do a simple test to your port.

    Example: see attached.  Use that as a test of your forward, but you need to sniff your traffic when the real traffic is supposed to be there. If you're using DynDNS, are you sure they are using your correct public IP, etc.

    Attachment: sniffforport.png

  • How to set LAN IP assignation IP alias IP address?

    3
    0 Votes
    3 Posts
    815 Views
    KOMK

    Thanks for coming back and posting what you did to get past your problem.

  • View inbound nat log?

    2
    0 Votes
    2 Posts
    609 Views
    KOMK

    There isn't a specific NAT log, just the firewall log.

    What problem are you having?

  • Virtual IP ARP entry spoofing - is it possible?

    4
    0 Votes
    4 Posts
    980 Views
    C

    It's automatic, the MAC of the CARP IP is determined by its VHID.

  • External IP becomes unreachable sporadically.

    1
    0 Votes
    1 Posts
    714 Views
    No one has replied
  • Standard NAT plug-ins

    2
    0 Votes
    2 Posts
    614 Views
    KOMK

    Unless your Xboxes have some sort of service that you want access to externally, port forwarding doesn't come into play here.  Have you looked through the Gaming forum?  There seem to be a few articles that may apply to you, like this one.

  • MOVED: Unblocking TS

    Locked
    1
    0 Votes
    1 Posts
    450 Views
    No one has replied
  • Virtual IP in 2.2.3 doesn't seem to be working after upgrade

    3
    0 Votes
    3 Posts
    681 Views
    C

    Sounds like you don't have reflection enabled for 1:1?

  • PPPoE DSL connection with 8 fixed IPs (no routed subnet)

    4
    0 Votes
    4 Posts
    867 Views
    T

    Problem is fixed: my ISP had an issue with the routing on their side. This is the working setup:

    DSL line --> DSL modem/router configured as bridge --> pfSense WAN interface configured as PPPoE getting the 28.153/32 --> VIP 28.154/29 ... 128.155/29 and so on created on the localhost interface. NAT to forward the /29 IPs to the systems in the DMZ.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.