The easiest (and imo best way too) is to add a hosts alias with the IP adresses of the local audiocodes. Then enter this alias in the red field when running the wizard where it asks for VoIP. Calculate the maximum bandwidth your voipchannels could use (for example 4 channels at g711 is about 4*90kbit/s) and set this in the bandwidth dropdown at the VoIP wizard screen.

As it may cover the topic, I had problems with my old router and VoIP (United Internet), too. Problem was outgoing conections on random ports. But with pfSense and static port option in NAT, the problem disappeard automagically. The only thing you need is the one NAT rule mentioned and thats it. No Problems here anymore. Without any other software as e.g. the already mentioned proxies, you'll have to use a NAT rule.

Grey

This was fixed just a few days ago.  cvs_sync.sh releng_1 if you have a full installation.

@hoba:

Disable the outpost to see if it's causing the issue. What kind of WAN do you have? PPPoE? Other router in front of you? …

I tried to disable outpost now, and it was closed anyway!

I don't know if i have PPPoE (i have adsl2 from Bredbandsbolaget) I dont have any more routers, the pfSense is in the modem directly.

In my old router (Netgear WGR614v6) it's work to have open ports. So i think it is the firewall in pfSense?

ah ha! changed the rule to GRE and we're good to go!

cheers,
darren

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Cool, bump the green button if your issues are solved  ;D

Ha! Thanks to you another quick ggogle gave me:

http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2005-07/0173.html

"Since windows sharing is generally a two way protocol you might find it
a little hard to work with NAT. The name resolution is one thing and the
RPC based authentication is another. "

Thanks, it's great to have a clear answer.  I'm going to try that VPN solution today.

@sullrich:

@sniffer:

@Sharaz:

im not sure why you would access something that is already on your local lan, via its external ip address?  (well i guess other than for testing).

1-To test external DNS
2-To test some rules (The rule are not the same via the Lan NIC and the OPT1 NIC)

But with proxy,  its possible to test it, but you have to search active proxy…

Thanks all for your answer

Has anyone stopped to think of the ramifications of this feature?  ALL traffic that would have been to the LAN would be sent THROUGH the firewall.  What good is that when you could simply run split dns and keep all traffic LOCAL?

Split DNS is possible if you have multiple IPs. I only have 1 and multiple servers on a VMware Server box. This is my home network and don't have money to spend for multiple IPs. So theres no easy way to seperate traffic to the same hostname on different ports to different machines without this feature. Yes you can go directly to the machine name, but for mail its a pain to switch back and forth when your inside and outside the network. Same with web applications that have hard coded address (Gallery is just one of them).

There won't be any change on the aliassystem for pfSense 1.0, but pfSense 1.1 is already under developement. The aliassystem has much improved already in 1.1 and work on it has just started. It's too early to promise anything but we allready discussed something like that in the past. Stay tuned  ;)

@ZGamer:

The problem is that when it creates them that way they cancel out each other and the ports are not accessible from the outside.

If you see a problem how about offering a patch?

I gave up getting it to work. What I did was set the dhcp server gateway in pfsense to point to the squid box. Then I just enabled ipv4 fowarding and created two iptables rules. Yes this puts all dhcp clients no matter what protocol or port through the squid box, but the performance hit is neglibile and will be outweighed by the caching effect. Especially for google maps and live.local virtual earth. All servers still point to the pfsense box as their default gateway.

If anybody wants to duplicate … I'm running fedora core 4, squid setup in transparent proxy mode.

Add/change the following line in /etc/sysctl.conf to enable ip forwarding.

net.ipv4.ip_forward = 1

Then just add the following iptables rules to /etc/rc.local

iptables -A FORWARD -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

The first rule says to accept and forward all traffic received to the default gateway (pfsense) otherwise aim, mail clients, etc wouldn't work. The second intercepts the http traffic and sends it to squid on the default port of 3128.

I also use the following script so I can make changes to squid and restart it without end users seeing.

echo "Stopping Squid Traffic Redireect"
iptables -t nat -F PREROUTING

service squid restart

echo "Redirecting Traffic To Squid"
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This just clears the iptables then reinstates the rule after squid restarts. You can make modifications of this to stop squid, etc.

Ok, I got it working again. After hours and hours of trying differnet things and then re-reading CAREFULLY the topic of static-routes, I seem to have success.
I was trying to write a new outgoing NAT rule instead of just editing the default one that was already there. All I did was click the "Static Port" box.
I'm going to get some sleep now. Maybe. :)

:-[ Well, I feel stupid now - entirely forgot about the view file feature - Thanks for pointing it out :-[

blah, silly me… :)

thank you both, sullrich and cmb, for answers!

have fun
trip

@aldo:

when attempting to port forward the gre protocol it adds a port definition to the end of the rule with no port.
thus the rule fails to load.

Thanks, fixed in CVS, it should appear in RELENG_1 shortly

–Bill

So, I finally managed to get time to look at the problem. I installed BETA2 (leaps and bounds better than BETA1 in almost every area, thanks everybody!), and I'm glad to say that the static-port did the trick. Quick summary:

Enabled advanced outbound NAT, changed the default outbound rule to enable static-port. Reboot adapter. That's it!

I'm not sure if I still need the following rules on the NAT: port forward page:

WAN  UDP  5060 - 5061  192.168.0.9  5060 - 5061
WAN TCP/UDP 5004 192.168.0.9 5004

Will have to test that.

Thanks to everybody who replied, end everyone who has worked so hard to make pfsense better!

Erik

ok but the host is external not internal. oh well it does not seem to create a problem

Thanks for the reply!  I will stand by in anticipation  ;D
You guys are the best!

I added it to our "not ready yet but cool to have at some point" feature list. Stay tuned  ;)

If you are running on a full install issue the following from a shell prompt:

cvs_sync.sh releng_1 && /etc/rc.filter_configure

Then make sure the FTP helper is enabled for the interface in question (I am guessing LAN).

Also, if you are using a dual wan, then FTP will not work on the 2nd WAN.q

@sullrich:

Yes.   We are not geared for the same hardware.

If we where, what would be the point of the fork?

Makes sense, thanks again for the help. I'll swap the machine for a Pentium III with some decent amount of RAM and see if things improve.

We need to make our textx more interesting to ready, maybe some boops would help  ;D

Just double checking this, and realized I never posted a link to the ticket:

http://cvstrac.pfsense.com/tktview?tn=848

And to quote from System -> Advanced:

"Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports."

The easiest way (without touching the config.xml doing a copy/paste and replace interface names) I can think of is to use the [+] icon in the line you want copy and then just change the interface name from wan to your optx. This works for firewall rules and for nat. however you have to click them trough one by ine this way but you only have to modify one dropdown for each rule.

after several times reset to default and recreate the rule at firewall.
also reconfigure my ftp server setting, download/upload is running smoothly.

thanks a lot…  :D :D :D

System -> Advanced -> Disable Firewall … but this will disable firewalling as well.

or

If you want to simply deactivate nat visit Firewall -> Outbound -> Enable advanced outbound NAT and then remove all rules for advaned outbound NAT.

I beleive that was explained here : http://forum.pfsense.org/index.php?topic=725.msg4419#msg4419

Can't.  I'm doing the utmost evil and running a beta release at a production site 3 hours away.  I can't upgrade until I go down there, not because it won't work, but because my sleep better at night knowing that I'd be there "just in case".

Don't worry, I'm going down on friday.

First, this is pfSense and not m0n0wall  :P
Second, I assume the clients at OPT are using another default gateway that doesn't have a route back to your LAN subnet vie the pfSenses OPT IP. Masquerading would fix that but could cause other trouble on the other hand. Adding a route at the OPT's clients default gateway would be the "cleaner" solution imo. If you reall wan't to NAT enable advanced outbound NAT at Firewall>NAT and add a mapping for LAN to OPT with OPT IP of the pfSense there.

problem with outgoing ftp. ftp proxy is enabled on wireless. and nothing else it is working
sometimes but is very slow and seems to stop working after about 15 minutes.

still am a bit uncertian as to where to start lookking in respect to this.

additionally pppoe clients seem to also have trouble with ftp as well.

Thank, I will try it.

Can you add "Virtual Server" in NAT? so easy to make a server-port?

:)

This is because of NAT reflection.  You have a few options.

Disable reflection in System -> Advanced

Change the webConfigurator port in System -> General

How can you fix this now?  Do this from the console ( Option 8 ) :

pfctl -d

Now login and do one of the above options.

Once you are done, run this from the console ( Option 8 ) :

pfctl -e

Please click, "Thanks, Solved" if this fixed you're issue.  Thanks!

I have portforward lots of times with diffrent versions of pfSense and have never seen that problem.

Could it be that you have configured it wrong some how?
Attach a screen dump of the portforward in question (an image says more than thousand words).

If you set it up this way, why do you need a firewall then?

Here is how it works:

(make sure first that your setup runs correctly with one real IP at the WAN interface, I'm confused by all the xxx in your IPs and all the /32 subnets. do machines from LAN get out to the internet and everything works fine?)

1. Add Virtual IP
If your provider doesn't need ARP-Replies for the additional IPs try other
If your provider needs ARP replies use proxy arp or carp. With carp you can easily add a failover machine later.

2. Create a 1:1 NAT mapping the virtual IP to the internal IP

3. Add firewallrules permitting that kind of traffic
Keep in mind, nat is applied first, then firewallrules.

Example: You want to have a Webserver running at a machine inside your LAN and want to have that reachable via the virtual IP
additional public IP (virtual IP) 123.123.123.123
LAN IP that is mapped to the additional public IP 192.168.1.100

Your firewall rule has to look like this at the WAN interface:
pass, protocol tcp, source IP any, source port any, destination IP 192.168.1.100, destination port http/80

Note that your firewallrule doesn't show the external IP adress but the internal one that is mapped to the external one.

Do this for every machine inside your lan that uses one of your public IPs.

[FIXED]

Uggg, At the moment, Im feeling really dumb.

It was my fault, I had the digi's default gateway configured for the old router before I switched over to pfSense.

Sorry about that.

No, it still does not pass email according to the rule in port forwarding in the port forward nat section. (does port forward work for outbound??)  On outbound NAT there is no pptp to choose from in the inteface drop down.  I guess this would be analagous to using squid and forwarding those packets somewhere.  Should I try editing the config file?