• Double NAT Not working

    7
    0 Votes
    7 Posts
    4k Views
    B

    Hi guys,

    Sorry, I forgot to update this thread. Everything is working fine since I installed a new NIC PCI-E.

    This topic can be closed.

  • I have this error

    2
    0 Votes
    2 Posts
    817 Views
    C

    You created a rule with protocol IPv6 and put IPv4 IPs in it. That's not valid. Fix or delete that rule.

    I fixed the input validation last week so it's not possible to create such rules.
    https://redmine.pfsense.org/issues/6211

  • Tor Anonymizing Middlebox with pfSense

    2
    0 Votes
    2 Posts
    1k Views
    L

    I found that on: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#BSDPF

    Use the PF ruleset below as an example for FreeBSD and OpenBSD prior to 4.7.

    # your internal interface
    int_if = "fxp0"

    # Tor's TransPort
    trans_port = "9040"

    set skip on lo

    scrub in

    rdr pass on $int_if inet proto tcp to !($int_if) -> 127.0.0.1 port $trans_port
    rdr pass on $int_if inet proto udp to port domain -> 127.0.0.1 port domain

    Use the PF ruleset below as an example for OpenBSD 4.7 and later.

    # your internal interface
    int_if = "fxp0"

    # Tor's TransPort
    trans_port = "9040"

    set skip on lo

    match in all scrub (no-df random-id)

    pass in quick on $int_if inet proto tcp to !($int_if) rdr-to 127.0.0.1 port $trans_port
    pass in quick on $int_if inet proto udp to port domain rdr-to 127.0.0.1 port domain

    My question is, first, which ruleset do I need? Prior to 4.7 or 4.7 and later?

    And how can I add this rule to pfSense?

    Thanks

  • IPSEC L2L - how to publish remote WebServer

    2
    0 Votes
    2 Posts
    955 Views
    C

    Hello,

    Have you found a solution, because I need to do the same thing?

    Thanks for the help

  • NAT + OpenVPN Client as Gateway Provider on Separate Secure LAN

    1
    0 Votes
    1 Posts
    598 Views
    No one has replied
  • Disabling NAT outbound on DMZ only

    9
    0 Votes
    9 Posts
    2k Views
    K

    You could bridge OPT1 to WAN and that would give you a non-NATed network with public IPs (assuming the WAN network is using routable public IPs) and you would still be able to filter the traffic with firewall rules.

  • Multicast settings

    13
    0 Votes
    13 Posts
    5k Views
    S

    I'm already accessing other cams that are not multicast compatible that way

    Thanks :)

  • [SOLVED] NAT reflection not working for LAN clients

    13
    0 Votes
    13 Posts
    5k Views
    C

    Okay, I believe I've resolved my problem but would like to hear feedback to see if this is an "acceptable" solution.

    I created a Virtual IP on the  LAN interface and have all my internal app aliases (app1.mydomain.com, app2.mydomain.com, etc) resolve to this VIP. Then I'm setting the same NAT rule on that VIP as I have on the WAN which forwards 443 onto POUND (Reverse Proxy).

    ;D

  • [SOLVED] NAT Reflection Troubles

    Locked
    14
    0 Votes
    14 Posts
    25k Views
    N

    pfSense WebGUI issues a one year Strict-Transport-Security header.  So if being directed to https://my_domain.com/ when trying to use http://my_domain.com/ that is a possible cause.

    Strict Transport Security (HSTS)
    https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

  • NAT back through WAN

    3
    0 Votes
    3 Posts
    960 Views
    Derelict

    I don't think this will work.

    You need to do this port forward in your ISP router.

    A specific port forward should take precedence over the "DMZ" host setting. This is generally how it works.

    So put a port forward in your ISP router for WAN:443 to 192.168.1.100:443 and everything else should go to the "DMZ."

    If your ISP router is no good, put it in bridge mode and let pfSense get the public IP address.

  • Do a lot of Port Forwarding Rules impact traffic speed?

    5
    0 Votes
    5 Posts
    1k Views
    H

    Isn't this what 1:1 NAT is for?

  • *solved* Update to 2.3 from 2.2.6 1:1 NAT not working

    3
    0 Votes
    3 Posts
    2k Views
    H

    Yeah, you are right, IP aliases on CARP - I set the CARP IP as parent and all is working as expected.

    Thanks

  • 2 Users Black ops 3 Same network cannot connect at same time

    4
    0 Votes
    4 Posts
    1k Views
    R

    You need to open port 3074 for the first user, 3075 for the second, etc.

    https://www.reddit.com/r/blackops3/comments/3rsw61/open_port_3075_for_open_nat_type/

  • Port forwarding issue?

    6
    0 Votes
    6 Posts
    1k Views
    R

    OK, so I finally had some time to dig into this.

    @johnpoz:

    According to your state table pfSense sent the SYN, but your machine didn't answer.. Sure that machine is actually listening on 3070?? Great you opened the firewall, but if nothing is listening it's never going to work.

    Oh man, that was it. These port checker websites of course assume there is already some application listening on the specified port. I tried PFPortChecker from Portforward.com (nice little tool btw.) and everything turned out to be working just fine :)

    Thanks for your help!

  • Multi-WAN OutBound NAT Not Work

    1
    0 Votes
    1 Posts
    860 Views
    No one has replied
  • Nat Rule with An exception

    6
    0 Votes
    6 Posts
    1k Views
    M

    I'm not sure about that, seems to be what you need. I was just explaining how to make a rule to bypass your NAT rule.

    If you only want the proxy to be NATed on port 80 then you can make that change in the outbound NAT section. By default pfSense will NAT the whole subnet.

  • Translate source and destination

    3
    0 Votes
    3 Posts
    1k Views
    S

    Thanks Viragomann!  That was easy - confused myself because we have two WAN interfaces so I just added 4 rules.  I assume I don't need to worry about Default NAT rules in Sonicwall (only Custom) like default rule below when nothing is translated.

    Orig Source: Any
    Trans Source: Original
    Orig Dest: LAN Interface IP
    Trans Dest: Original
    Orig Srv: Ping
    Trans Srv: Original

    Thanks!

  • Switching from /24 to /23 LAN

    6
    0 Votes
    6 Posts
    2k Views
    johnpoz

    Your automatic mappings have an overlap: 192.168.50/23 overlaps with 192.168.51/24. Why are both listed there? I would switch to manual completely and then switch back to automatic; did that clear the issue? You shouldn't be seeing both those networks in there.

  • Double router port forwarding not working

    5
    0 Votes
    5 Posts
    2k Views
    D

    Thanks much Derelict, I will try what you suggest.
    Thanks again.

  • Not sure of settings to use in NAT? Newbie

    17
    0 Votes
    17 Posts
    4k Views
    T

    You are SO right about that part!  Now that I just put none under upstream gateway for pfSense it now shows only WAN rules under the NAT.  Thanks so much for that!  I don't know why I had it like that.  Thanks very much for helping me!  I very much appreciate it!  I will test some stuff later and let you know!

    ![Just Shows WAN on NAT Rules Now.png](/public/imported_attachments/1/Just Shows WAN on NAT Rules Now.png)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.