• Point to Point video call

    6
    0 Votes
    6 Posts
    2k Views
    J

    You should read this post regarding H.323 behind pfSense.

    https://forum.pfsense.org/index.php?topic=54800.0

  • Modem Access with OpenVPN

    4
    0 Votes
    4 Posts
    801 Views
    M

    @Derelict:

    If I had to guess, it is not OpenVPN that's the problem but the introduction of policy routing.  See if this doesn't have the information you need to fix it:

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

    This was exactly it, and after getting it set up, it makes total sense. Thanks for the information. Much easier than I thought it would be.

  • Web hosting behind pfsense

    4
    0 Votes
    4 Posts
    3k Views
    M

    Your DNS for your LAN connection is either non-existent or misconfigured. The easiest thing to do would be to set your pfSense machine as a DNS forwarder and create a static entry for your web server (e.g. www.domain.com) so that your LAN users will be able to access your web server from its internal address. I'm assuming your web server is sitting on your LAN or a DMZ. Consult this link for more info: https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

  • Configuring 1:1 for funky ISP redirection of static block

    2
    1 Votes
    2 Posts
    564 Views
    R

    The error had to do with a rule on my other firewall. 1:1 with Proxy ARP did the trick.

  • Noob question about NAT

    3
    0 Votes
    3 Posts
    773 Views
    G

    Thank you!

    That's exactly what I was looking for.

    It works fine now.

  • NAT reflection and slow outlook

    3
    0 Votes
    3 Posts
    984 Views
    M

    I've now set internalhostname to the real internal hostname. It's OK now.

    But can anyone explain to me why things are so drastically slow when you use NAT reflection?
    It shouldn't be, in my opinion…
    I still think that maybe I have some config error somewhere; in my home environment with the same Exchange settings things work just fine...

  • Two devices, same ports to be forwarded

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ

    Pretty sure xbox will use UPnP to open ports in a firewall.

    What exactly are you trying to stream from?  How do you get xbox to connect to this stream?  Why don't you sniff on the lan of pfsense and then try and connect to your stream..  What do you see?  Does it try and use multicast to discover the streamer?  Or do you direct it to an ip of the streamer?

    Your scenario is exactly what UPnP can help get around - albeit with no security involved.. UPnP from a security aspect is an abomination..  But most clients should ask the firewall hey I want port X sent to me.. Firewall can say sorry that is in use by another client - pick something else, etc.

    Why don't you just grab multiple WAN IPs and then set up 1:1 NAT for these IPs to your devices on your private LAN segments as another option.  Setting up that many ports in a Forward on a shared WAN IP that is natted is going to break NAT at some point..  Since you're severely limiting the ports that can be used for the NAPT function.

  • MOVED: Isolating access to 2 distinct networks installed on pfSense

    Locked
    1
    0 Votes
    1 Posts
    417 Views
    No one has replied
  • Extra public IPs not working

    4
    0 Votes
    4 Posts
    935 Views
    C

    Whether or not VIPs are required depends on your ISP's setup. If they're routing them to you, no need for VIPs. Where you must answer ARP on them, you must have a VIP type that answers ARP. Where you have multiple aliases on the same device, they all show up as the same MAC. Outside of circumstances like CARP, VRRP, and HSRP that use virtual MACs, there is only one MAC on a given interface and all the IPs on that interface use it.

  • How to create a Virtual IP address pool for use with outbound NAT?

    3
    0 Votes
    3 Posts
    4k Views
    J

    I do this on several firewalls.  It is pretty easy to do.

    First, create the virtual IPs.  In my case, I have a /24 that I use most of for a round robin NAT pool.  I proxy ARP these IPs.  The /24 is subnetted into smaller blocks so I can carve out the other IPs I need for other services.

    Then just create outbound NAT rules.

    Remember to set the pool options in the rule, such as round robin, RR w/ sticky address, etc…

    ![nat outbound alias.PNG](/public/imported_attachments/1/nat outbound alias.PNG)
    ![nat blocks alias.PNG](/public/imported_attachments/1/nat blocks alias.PNG)

  • 1:1 NAT onto Bridge

    2
    0 Votes
    2 Posts
    653 Views
    S

    Hmm.  After looking further, the 1:1 NAT appears to not be working, even without the bridge configuration.

    For now, disregard this request.  I can create a new topic later if I cannot find a solution.

  • Port 443 open

    24
    0 Votes
    24 Posts
    5k Views
    G

    @doktornotor:

    @muswellhillbilly:

    According to MS it's to do with performance: http://windows.microsoft.com/en-gb/windows7/stream-your-media-over-the-internet-using-windows-media-player.

    Ah of course, who gives a fuck about security, performance is much more important in the MS land; plus it's extremely excellent idea to steal standard HTTPS port for some media streaming junk.  :o ???

    lol..so true!

  • Help Nat alias /24

    7
    0 Votes
    7 Posts
    1k Views
    DerelictD

    I thought they had to match.  Learned something new today.

  • NAT and aliases

    9
    0 Votes
    9 Posts
    1k Views
    D

    Do as you wish.

  • Pppoe over USB NIC

    1
    0 Votes
    1 Posts
    676 Views
    No one has replied
  • Multiple WAN-ip: Use Virtual IP or use second network adapter?

    1
    0 Votes
    1 Posts
    530 Views
    No one has replied
  • SIP Protocol

    6
    0 Votes
    6 Posts
    1k Views
    KOMK

    The phone should contact the server without any NATing on the WAN side?

    No, NAT is happening regardless.  The server talks to the phone via the WAN IP address, and pfSense tracks and translates that to the LAN IP address of the device.

  • Port Forwarding is failing

    14
    0 Votes
    14 Posts
    2k Views
    C

    Really need to describe your setup a bit more. It doesn't sound like you want or need to do any port forwarding here. But it's not clear what you're trying to accomplish.

  • MOVED: Pfsense behind adsl router - IDS problem

    Locked
    1
    0 Votes
    1 Posts
    435 Views
    No one has replied
  • Poor VLAN and NAT Performance

    11
    0 Votes
    11 Posts
    3k Views
    K

    Yes, it's definitely a Xen problem.

    Now I have a giant question: how to have many and many isolated networks on the same Xen and pfSense interfaces? VLANs were the "traditional solution". Other than subnetting each server /30 with dedicated gateway, obviously…

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.