• [Solved] Port Forwarding Issue After Upgrade

    1
    0 Votes
    1 Posts
    679 Views
    No one has replied
  • NAT doesn't work to LXC with dual nic

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Access from WLAN to VPN Network, both different Networks

    18
    0 Votes
    18 Posts
    3k Views
    johnpoz

    Sorry but if it does natting it's not an AP… No matter what the manf might call it.. I agree they don't use the right terms.. calling shit modems that also do nat..  It's either a modem, a router or a gateway.  If it's a gateway use assume it's a modem/router combo.

    Need to understand what the OP is wanting to do..  I doubt he wants to double nat to his wifi clients..  From what it looks like that would be a triple nat to the internet.

  • SIP SDP Private IP

    4
    0 Votes
    4 Posts
    2k Views
    chpalmer

    @deucalion:

    the SIP SDP data layer still contains our private IP.  This will not work for our SIP trunk provider.

    Unfortunately, it seems that ShoreTel devices can only be assigned IP addresses inside the private IP space.

    From these two comments it seems that without a go-between these two technologies are not compatible.

  • Port forwarding problem

    2
    0 Votes
    2 Posts
    817 Views
    KOM

    In your Port Forward definition (image 2) you must specify WAN address as the Dest. Address, not LAN address.  You need to configure it so that pfSense should forward requests from your WAN address to a LAN address inside.  The NAT rule defines where the traffic goes and the firewall rule allows it or not.

  • ALLOW INTERNET ALL

    2
    0 Votes
    2 Posts
    681 Views
    M

    Er… don't install the Squid package. The default firewall rules allow all LAN-to-WAN traffic out by default.

  • Arbitrary port forwarding between WAN and LAN subnets

    2
    0 Votes
    2 Posts
    1k Views
    Derelict

    @G.D.:

    Quick question: can pfSense do this, and what is the best strategy for configuring something like that?

    Say, I have a whole public IPv4 subnet (with more than one usable IP) on the WAN interface. And I want to arbitrarily route different WAN IP and port combinations to different LAN IP and port combinations. So, a few simplified examples would be like follows (IP addresses are used for illustration only and any matches with real IP addresses are coincidental):

    104.40.155.10:443  196.168.0.1:44301
    104.40.155.11:443  196.168.0.1:44302
    104.40.155.10:25  196.168.0.2:25
    104.40.155.11:25  196.168.0.2:25

    Sure. Port forwards.

    In this example the 196.168.0.1 runs an HTTPS web server that serves two different non-SNI websites that are accessible on the two different IP addresses on the wan, but on two different port numbers on the same IP on the LAN. At the same time SMTP traffic on any of the WAN IPs is routed to the one other server on the LAN.

    What is the best way to make something like this working? I was thinking Virtual IPs and Manual Outbound NAT…

    Is the port 25, SMTP, example possible at all with pfSense? If not, I can multihome the SMTP server; but I still want to arbitrarily send different WAN IP:Port combinations around the LAN; in other words pfSense 1:1 NAT would not fit the purpose.

    Thanks.

    VIPs and NAT Port forwards. No problem forwarding different combinations of destination addresses/ports to the same address/port on the inside.

    Outbound NAT is used to masquerade outbound connections. You might need something special there for the mail server, but it depends on the actual application. It all depends on the direction of the connection. For instance it would be difficult to treat outbound mail connections from 196.168.0.2 differently. You would have to do something to differentiate them like an IP alias on the host so the source address is different, etc.

    (If 196.168 is a typo on the inside and you mean 192.168, don't use 196.168)

  • NAT Reflection 2.3.1 Issue

    8
    0 Votes
    8 Posts
    3k Views
    C

    NAT reflection only reflects traffic matching the configured port forward. Where there is an upstream NAT device, traffic to your real public IP doesn't meet that qualification. That's true of everything that has NAT reflection.

  • PfSense not forwarding NLB address to open ports

    2
    0 Votes
    2 Posts
    1k Views
    jimp

    Do you see any errors in the system log for that? Seems like you might be hitting this:

    https://doc.pfsense.org/index.php/Upgrade_Guide#Microsoft_Load_Balancing_.2F_Open_Mesh_Traffic

  • Internal LAN –> PfSense --> Modem GUI

    6
    0 Votes
    6 Posts
    1k Views
    L

    HA! You got it…it is a NETGEAR CM600.

    Any way for me to determine the IP?  I had looked around a bunch!

  • Bug? 2.3.1_1

    4
    0 Votes
    4 Posts
    882 Views
    K

    No idea….  That sucks.

  • State Table not flushed when Gateway down

    2
    0 Votes
    2 Posts
    769 Views
    E

    Anybody??

  • VOIP issues

    15
    0 Votes
    15 Posts
    4k Views
    A

    Thank you all of you that pitched in!
    In the end the problem was in the Base Stations.
    Apparently this is a bug in the upgrade process of the firmware, too much stuff gets left behind.
    The fix was that after upgrading a Base Station you should perform a factory reset on both the Base Station and the Handsets registered to it.
    Then configure them both again and all is well.

    For the people reading this thread that are in a similar position these concern the XRS/RTX/Snom Base Stations and Handsets (all manufactured by RTX).

  • Possible NAT Issue?

    2
    0 Votes
    2 Posts
    921 Views
    johnpoz

    Thought you stated that when you go to ipchicken from your public wifi it shows the correct public IP.

    My guess would be as it is supposed to do pfsense is caching the entries it gets from opendns on the filtered sites.  opendns does not respond with nx on something that is filtered it responds with a different IP for that record pointing to their block page right.

    So let's say you're looking for blockeddomain.com that on the public resolves to 2.2.2.2, but this is filtered in opendns to resolve to 6.6.6.6.  Now when someone from your public wifi asks pfsense for blockeddomain it says hey sure I have a cached entry for that 6.6.6.6

    Are you using the forwarder or resolver?  I assume the forwarder if you're forwarding to opendns, you could maybe use the resolver for your public wifi users and have overrides in it for the local stuff you need them to resolve.

  • NAT 1:1 with Virtual ip + custom MAC

    4
    0 Votes
    4 Posts
    2k Views
    ?

    Sorry was on my mobile last evening when i replied here.

    The Gateway is only configured on the WAN Interface. You want to add an OPT Interface for each additional IP and configure them as normal but with /32 mask for each IP and with no gateway set. In the VM Settings within ESXi you set the MAC addresses accordingly on each interface.  Do not use the MAC spoofing feature within pfSense, we had issues with that.

    With that setup the traffic of your additional IPs should originate from the according MACs and the switch of your ISP should be happy.  We had this setup running for about two years without any issues.

  • PPTP Being blocked even after adding a pass rule

    3
    0 Votes
    3 Posts
    720 Views
    C

    Some specifics of things with PPTP are unreliable on many things. But port forwarding the TCP 1723 and GRE is no issue. Connecting out to a server from a single client also no issue.

  • PFSense accessible from internet! How to stop

    5
    0 Votes
    5 Posts
    1k Views
    B

    @Cq171d:

    Oddly, once I removed that rule it was still accessible until I eventually restored from a previous load.

    One thing a lot of people don't seem to quite grasp is removing a firewall or NAT rule will not yield instant results, especially with stateful connections (e.g. TCP). You will have to reset the states in Diagnostics > States > Reset States which will kill all connections coming/going through the network and cause the system to re-evaluate each connection as if it were a new one against firewall rules.

  • Problem with NAT. Can't forward port from WAN to LAN.

    29
    0 Votes
    29 Posts
    12k Views
    T

    Hi farion

    Your dropbox-links are annoying, because they are no longer available - and therefore other users can not benefit from this post: your pictures are missing now :-(

    It would help if you just attach pictures to your posts as other users are doing.

    Thanks a lot in advance,
    kind regards,
    Tom

  • [Solved] Using IP Aliases as NAT destination rule?

    9
    0 Votes
    9 Posts
    6k Views
    Derelict

    That port alias bug will be fixed in 2.3.1_2.

  • No NAT on outbound

    2
    0 Votes
    2 Posts
    855 Views
    D

    Figured it out. Was the NAT 1:1. Need to set the Translation to the correct static IP. All is working now. Sometimes just laying it out pulls out the answer.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.