• Access to another private subnet => masquerade?

    6
    0 Votes
    6 Posts
    3k Views
    DerelictD

    Why is the ISAKMP (IPSEC?) on port 500 created?

    IPsec passthrough clients are much happier with static source ports.

  • NAT and OpenVPN

    7
    0 Votes
    7 Posts
    2k Views
    P

    Pfsense 1 has a route to pfsense 2 with openvpn. Each one is its own default gateway.

    I can send pfsense01 of internal packages for pfsense02 through VPN normally. The problem happens when I try to send these packets through a NAT rule over the WAN pfsense01.

    I sent a message with the server routes.

    Thanks!!!

  • VoIP SIP dies until state table reset

    4
    0 Votes
    4 Posts
    875 Views
    C

    Next time it stops working, filter your states under Diag>States for the SIP server's IP:5060. Keep a copy of that output. Then reset states. Get the same state filter and save that. Post both those so we can compare.

  • New user with NAT and 1:1 problems

    2
    0 Votes
    2 Posts
    861 Views
    V

    @Kedryn:

    What I still didn't manage to do, and was working with previous firewall software, is that when a machine in my LAN tries to access, for example, nas.myfirm.priv, that is 192.168.160.4 in the DNS, it has to be redirected to the LAN IP of the 1:1 mapped WAN address. For example, I was mapping outgoing calls to 192.168.160.4, from LAN to WAN doing a 1:1 NAT to 10.0.0.4 (NAS IP in LAN). How can I do the same with pfSense? No, split DNS is not an option this time.

    You have to set the NAT reflection option in the NAT rule. However, I don't use it in 1:1 NAT, so I don't know if it works properly here.
    See also the NAT reflection settings in Advanced > Firewall & NAT

    @Kedryn:

    Another thing I'm still trying to do, and it's similar, is redirect calls from LAN to an external IP (for example 8.8.8.8) to another external IP (for example 8.8.4.4. I know, it's only an example) transparently.

    Just set up a NAT port forwarding rule. But if it should be really transparent, so that the response comes from 8.8.8.8, you also need an outbound NAT rule for the LAN interface in addition to translate the source address in the response.

    @Kedryn:

    There is one more thing I was doing and I'm not able to do right now, but I don't really know if it was "legit", and maybe even if it was working, I'm not sure if it was causing some of the problems I had with the past firewall, and it's this:
    I was, with NAT and 1:1 NAT, re-routing traffic from my LAN to the 10.0.101.0/24 MPLS WAN, to let my LAN machines reach a couple of machines in the other LAN. And I was doing it in this way:

    machine to reach: 10.0.101.1
    LAN client calls 10.1.101.1
    Firewall remap outgoing call 10.1.101.1 to 10.0.101.1 forcing to use the WAN gateway.
    It was working.. LAN machines could reach RDP and SMB on the other machine in another site calling 10.1.101.1.
    I then had several problems with the firewall itself stopping responding randomly to clients on both sides of the network, but me and support didn't manage to pinpoint the problem, so I moved from that product to pfSense. I'm not a real pro in networking, and maybe what I was doing was wrong. Anyway, is there a way to accomplish that with pfSense?

    So you want to route a part of LAN subnet to a gateway on WAN side.  ::) I can believe that this makes trouble, presumably also with pfSense.
    You can try a static route, but I'm in doubt…

  • Letting servers respond with their own IP

    3
    0 Votes
    3 Posts
    776 Views
    T

    Fantastic!  Thanks.

  • Access Pfsense from external network

    11
    0 Votes
    11 Posts
    3k Views
    H

    Hello,
    Thanks for your answer.
    I think i could not explain my problem sorry for that.
    I need to monitor user's log like :

    Host/IP        Visited Sites      Time        Bytes / So on
    10.0.0.15    yahoo.com        10.10am  56.6

    also software has ability to compile reports on demand for specific Host/IP.

    i want something like that.
    Thanks.

  • Problems with port forwarding

    6
    0 Votes
    6 Posts
    2k Views
    johnpozJ

    NP, glad you got it sorted.  Chalk yet another Port Forwarding problem to PEBKAC ;)  In the whole time I have been here, I don't think I have actually seen a problem that was not PEBKAC… So don't feel bad, you're not the only one that has issues with something that should take like 2.3 seconds..

    As I posted, many port forwards are just clickly clicky worky worky.. If it doesn't, you're doing something wrong: wrong port, wrong IP, traffic not even getting to pfsense, software firewall on the place you're forwarding to, etc.

    The troubleshooting doc touches on all the common mistakes/issues, and points to how to find the source of the problem quite quickly when the clickly doesn't work.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

  • Can't connect to Pfsense behind NAT.

    9
    0 Votes
    9 Posts
    3k Views
    johnpozJ

    What link?  And if you're saying it works when not behind NAT, then clearly it's the device in front of pfsense causing you your grief.  I don't understand how it would work with your misconfiguration of the IP and network you're giving your clients.

    Don't use nat would be my suggestion ;)  What is doing that nat in front of pfsense?  Do you have the pfsense wan in a DMZ host sort of setup, or are you forwarding what?  Ipsec likes that port 500 to be static for example.

  • Possible NAT issues with private/RFC1918 IPs on WAN interface.

    4
    0 Votes
    4 Posts
    889 Views
    C

    Sounds like you had everything right. The only other thing I can think of is if you had bunk IPv6 configured, so the system thought it was v6-connected but isn't. It'd prefer v6 in that case, and currently doesn't fall back to v4. Can set v4 as preferred under System>Advanced, Misc if that's the case.

  • Can port forward on LAN but not OPT1

    3
    0 Votes
    3 Posts
    2k Views
    M

    I set the NAT rule to "pass" and it's working. I'm not sure what that did but it works. Thank you!

  • Strange H323 NAT behaviour

    1
    0 Votes
    1 Posts
    722 Views
    No one has replied
  • Cannot Access Servers behind WAN1 from WAN2 LAN network

    6
    0 Votes
    6 Posts
    2k Views
    M

    See attached screenshots.

    My LAN subnet is 172.16.9.0 - WAN1 Local Network
    My DSL_LAN subnet is 172.16.20.0 - WAN2 Local Network (This is already the LAN for WiFi Users)


  • Scroll out F1 NAT?

    2
    0 Votes
    2 Posts
    922 Views
    K

    BUMP?

    I guess my real question is would it be possible to have 2 LAN IP using 1 VIP (WAN)?

  • NAT PFW true OpenVPN

    2
    0 Votes
    2 Posts
    1k Views
    DerelictD

    https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

  • Redirect fqdn – possible?

    5
    0 Votes
    5 Posts
    2k Views
    A

    Thanks guys.

    I kinda figured that I was attempting something not doable. Kinda glad too, 'cause if it were possible I would have had to completely rethink what I think I know about IP.

    I hate to use up public IPs just so I can occasionally get to these hosts (rarely used management PCs) so I guess a VPN is the way I'll go. Thanks for the input.

  • Upgrade Hardware - NAT Stopped working

    1
    0 Votes
    1 Posts
    656 Views
    No one has replied
  • Use of "No BINAT" to exclude WAN VIP not working.

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Another port-forward not working.

    2
    0 Votes
    2 Posts
    757 Views
    johnpozJ

    most likely the same as last time..  did you go through the troubleshooting doc?

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

  • 1:1 NAT fails - local server looses internet access

    11
    0 Votes
    11 Posts
    2k Views
    A

    @cmb:

    Where you see nothing at all for that IP in a packet capture on WAN, not even ARP requests, it's a problem with your modem most often with cable, otherwise something to do with your ISP. If the VIP weren't actually configured or triggering an ARP response for some reason, you'd see repeated incoming ARP requests on WAN "who has x.x.x.x" for the IP in question, with no replies, when you're sending traffic in from the Internet to that destination IP. No point in digging into the VIP when there is nothing at all for that IP on WAN, as you know 100% for sure the problem is upstream.

    Hello Community,

    I know this is an almost year-old thread but we never got it resolved unfortunately.

    As cmb suggested, it might have been an issue with the provider's modem but we were able however to test these IP addresses when connected directly to the Comcast modem and all of them worked fine. As opposed to what we can use on pfsense:

    Here is a list of which IPs work and which don't:
    xx.xx.xx.241/28 - pfsense WAN
    xx.xx.xx.242/28 - WORKS
    xx.xx.xx.243/28 - DOESN'T WORK
    xx.xx.xx.244/28 - WORKS
    xx.xx.xx.245/28 - DOESN'T WORK
    xx.xx.xx.246/28 - DOESN'T WORK
    xx.xx.xx.247/28 - DOESN'T WORK
    xx.xx.xx.248/28 - DOESN'T WORK
    xx.xx.xx.249/28 - WORKS
    xx.xx.xx.250/28 - WORKS
    xx.xx.xx.251/28 - WORKS
    xx.xx.xx.252/28 - WORKS
    xx.xx.xx.253/28 - DOESN'T WORK
    xx.xx.xx.254/28 - Comcast Gateway

    As stated above, there are no incoming packets when checked by Packet capture.
    Every IP is a separate entry on the Virtual IPs tab - this seems to be correct for another subnet we have with a different provider.

    What else could I try checking?

  • Outgoing NAT on OPT1 and OPT2 won't work. I'm stumped.

    7
    0 Votes
    7 Posts
    3k Views
    J

    Thanks for your pointers everyone. Everything is working fine now.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.