• Dual Wan + Load-balancing + Lan + Sip Phone behind PFSENSE

    0 Votes
    2 Posts
    984 Views

    Hi

    For outbound NAT, leave ports as "ANY", not just the "VOIP" alias.

    Should work.

  • NAT and local server web

    0 Votes
    5 Posts
    1k Views

    Ok thanks, now it works…but..one last thing

    I put in the name of the server, so it works with site.domain.local but not with site.domain.com.

    Thanks for all!!!

    Ante

  • [2.2.6] Another ActiveSync issue

    0 Votes
    8 Posts
    3k Views

    Again, when I publish the exact same environment (i.e. just port 443) through TMG, without making any change to the Exchange setup at all, it works fine. My external URLs are set up to match the certificate, and as such I can use OWA, ActiveSync and Outlook Anywhere when I publish it through TMG. Therefore I believe it's not in the certificates or URLs. OWA is published through WAP as well; for Exchange, only WAP is accessible from the WAN. WAP proxies the request to Exchange when preauthentication is used and forwards it when no preauthentication is used.

    I'll fiddle around a bit and try to get some traffic captures. Thanks so far.

  • "Bridge" two remote servers together

    0 Votes
    1 Post
    735 Views
    No one has replied
  • 0 Votes
    7 Posts
    3k Views
    johnpoz

    I wouldn't punch it on the server when you have a router/firewall that is designed to do that. I would never forward to a server directly on the normal LAN where all your other boxes are; like I said, I would put the server that is serving up stuff to the public in its own isolated segment from the rest of my network.

    So even if it's compromised, it would only have access to your other stuff in this isolated segment.

    "pfSense does nothing to help, the security needs to be server-side anyways"

    How is that?? When you can use the firewall on pfSense to only punch the hole to this server on the actual service ports, you don't have to worry about something else listening that you didn't firewall at the host firewall, like say Samba, or SSH or whatever. If, say, you're serving up NTP, that is the only thing allowed from the internet to this box, while it might also be running SSH or HTTP, etc.

  • Use NAT for destination outgoing address translation

    0 Votes
    2 Posts
    2k Views

    @fmillion:

    The 1:1 mapping might be useful, but it seems like I'd have to add 254 rules to the table by hand - one for each possible IP on the 192.168.1.0/24 LAN.

    No. You can map a whole subnet with just one 1:1 NAT rule.

    E.g. if you enter 172.16.101.1 at External subnet IP, and at Internal IP select Network, enter 192.168.1.1 below and select /24 for the mask. This way 172.16.101.1 will be translated to 192.168.1.1, 172.16.101.2 to 192.168.1.2, and so on.
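The mapping described in the post above, worked through as an added example (not pfSense code, and not part of the original thread). It shows why a single 1:1 rule covers the whole /24: only the network part of the address is swapped, the host part is preserved, and the same rule serves inbound (external address to LAN host) and outbound (LAN host to external address). The `pf_rule` output is an approximation of pf's binat form for orientation only; the addresses are the post's, the class and method names are assumptions.

```python
"""1:1 NAT of a whole subnet with a single rule (pf "binat"): only the network
part of the address changes, the host part is preserved, and the mapping is
bidirectional. Added example, not pfSense code; addresses are from the post."""
from ipaddress import IPv4Address, ip_address, ip_network


class SubnetBinat:
    """external_ip is what the pfSense form calls "External subnet IP"; the
    internal network's mask is applied to it, so 172.16.101.1 + /24 means 172.16.101.0/24."""

    def __init__(self, external_ip: str, internal_net: str):
        self.internal = ip_network(internal_net, strict=False)
        self.external = ip_network(f"{external_ip}/{self.internal.prefixlen}", strict=False)
        if self.internal.overlaps(self.external):
            raise ValueError("external and internal blocks must not overlap")

    @staticmethod
    def _offset(addr: str, net) -> int:
        """Host part of addr within net; raises if addr is outside the block
        (the 1:1 rule simply does not apply to such traffic)."""
        a = ip_address(addr)
        if a not in net:
            raise ValueError(f"{a} is outside {net}, rule does not apply")
        return int(a) - int(net.network_address)

    def to_external(self, internal_addr: str) -> str:
        """Outbound direction: how a LAN host appears on the far side."""
        off = self._offset(internal_addr, self.internal)
        return str(IPv4Address(int(self.external.network_address) + off))

    def to_internal(self, external_addr: str) -> str:
        """Inbound direction: which LAN host a connection to an external address reaches."""
        off = self._offset(external_addr, self.external)
        return str(IPv4Address(int(self.internal.network_address) + off))

    def pf_rule(self, iface: str = "$WAN") -> str:
        """Approximation of the binat line pf uses for this; the exact text pfSense
        generates can be read from /tmp/rules.debug on the firewall."""
        return f"binat on {iface} from {self.internal} to any -> {self.external}"


if __name__ == "__main__":
    nat = SubnetBinat("172.16.101.1", "192.168.1.1/24")
    print(nat.pf_rule())
    for host in ("192.168.1.1", "192.168.1.2", "192.168.1.254"):
        ext = nat.to_external(host)
        assert nat.to_internal(ext) == host          # round trip is lossless
        print(f"{host} <-> {ext}")
```

Note that the rule says nothing about whether traffic is allowed: after the translation, the firewall rules on the interface still decide which of the 254 mapped hosts are actually reachable on which ports.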

  • For this having issues with Asterisk behind a PFsense NAT

    0 Votes
    2 Posts
    2k Views

    I don't do any NATs and I have an Asterisk PBX running behind pfSense just fine.

    The only thing I had to do was:
    1. Register with DuckDNS for a dynamic DNS setup.
    2. Configure pfSense to keep DuckDNS updated on what my public IP address is
    3. Configure Asterisk so that it knows its outbound trunk connection is being NATed, and that the public IP address can be found by looking up xxxx.duckdns.org

  • 0 Votes
    9 Posts
    5k Views
    Derelict

    KOM is talking about the destination IP in the firewall rule, not the 1:1 NAT rule.

  • Port Forward to WAN on internal address?

    0 Votes
    15 Posts
    5k Views

    Got it sorted out.

    After working with my ISP, they explained that their equipment doesn't actually support bridged mode; they set up a DMZ of sorts and just call it bridged, and then they forward all traffic from the public IP to a private IP. When going through all of the settings, they realized they were forwarding the public IP traffic to the wrong private IP (the 192.168.20.33 IP). They set it to the correct IP, and everything is working now.

    Thanks so much for everyone's help!

  • OpenVPN and SSL NAT

    0 Votes
    6 Posts
    2k Views
    johnpoz

    Do these servers listening on 443 in your DMZ need to be open to the public? If not, once you VPN in you would have access with no need for forwarding.

    Keep in mind that when you set up a reverse proxy behind your edge router/NAT/firewall device like pfSense, you need to make sure you don't run into an asynchronous routing issue. This reverse proxy you use would most likely be best on a transit network connecting it to pfSense, and then your servers behind that. So not only does this reverse proxy need to proxy, it also needs to route.

    The cleaner solution would for sure be to have another public IP to work with for the OpenVPN you want on 443. Can you run one of these servers on a different port, say 8443, that you forward to 443 behind? And then let the port sharing of OpenVPN forward to the other server?

  • NAT to External Squid Proxy

    0 Votes
    10 Posts
    11k Views

    I figured this out (or so I think)…

    1. Set up squid (adapted from http://www.squid-cache.org/Doc/config/http_port/)

    Edit squid.conf

    Modify the http_port directive to include accel and allow-direct.

    2. Add a port forward / destination nat rule (adapted from https://forum.pfsense.org/index.php?topic=39736.0)

    GUI -> NAT -> Port Forward tab > Add rule
    Interface: LAN
    Protocol: TCP
    Source: NOT <ip of squid box>
    Source port range: any
    Destination: up to you
    Destination port range: from HTTP to HTTP
    Redirect target IP: <ip of squid box>
    Redirect target port: <squid port 3128>

    3. Add an outbound / source NAT rule (adapted from http://tldp.org/HOWTO/TransparentProxy-6.html#ss6.1)

    GUI -> NAT -> Outbound > add rule
    Interface: LAN
    Protocol: TCP
    Source: Network / your LAN Net ie 192.168.1.0/24
    Destination: <ip of squid box>
    Destination port: <squid port 3128>
    Translation: Interface address

    No separate interface / subnet for the squid box required.

  • External Site resolving to WAN & not NAT??

    0 Votes
    7 Posts
    2k Views
    johnpoz

    Well, you're not going to be getting any mail once the TTL on your old MX expires, since 25 does not seem open to your WAN IP from my test.

    The owner of the IP has to change the PTR.

  • "Inbound hairpin" routing?

    0 Votes
    7 Posts
    2k Views
    Derelict

    Yeah.  I think about it like this:

    Port forwards translate destination addresses and ports as connections come into an interface.
    Outbound NAT translates source addresses and ports as connections go out of an interface.

    You usually only use one or the other but you can do both.

  • Teamspeak3 port forwarding problem

    0 Votes
    3 Posts
    2k Views

    I'm seeing this exact same issue; I can't connect to the TeamSpeak server from external.
    Internal is working fine.
    Any help would be much appreciated.

    I have 1:1 NAT from my external IP to my web server 192.168.10.120

    The firewall rules for port 80 to my web server work OK

    Attachment: 2016-01-20.png

  • 1:1 NAT with Ubiquiti Restricted Guest Wifi

    0 Votes
    3 Posts
    1k Views

    @Derelict:

    Why are you messing around with 1:1 NAT? Just create an outbound NAT rule that uses the proper VIP based on the source addresses of the traffic.

    Duh… thanks. That worked perfectly.

  • No internet when creating 1:1 NAT

    0 Votes
    5 Posts
    979 Views

    Rebooting my Comcast modem solved the issue!  Thank you VERY much!  ;D

  • BT SIP Trunk Port configuration

    0 Votes
    1 Post
    2k Views
    No one has replied
  • Open specific port on all LAN ip addresses. Microcell Issue

    0 Votes
    4 Posts
    1k Views

    You don't need to do any port forwards for microcells.

    There is a bug where pfSense sometimes doesn't NAT outbound ISAKMP (udp/4500) packets if they are fragmented (they frequently are). To my knowledge, this bug has not been acknowledged by the maintainers (but then again, I haven't looked too deeply).

    My solution was to disable packet scrubbing, and delete the NAT rule for IPSec that is automatically created (you have to change from automatic rules to manual to be able to delete it).

    This thread: https://forum.pfsense.org/index.php?topic=103503.0 mentions other possible fixes which seem to contradict my fix.

  • ISSUE WINDOWS 2012 AS PUBLIC DNS

    0 Votes
    8 Posts
    2k Views

    @johnpoz:

    POA?  You mean SOA (source of authority) ?

    Sorry - wrote in a hurry and had a brief brain-melt. Yes - meant SOA.

    Some information on what forwarders your name servers are each using would probably help, too.

  • UPnP and Port Forwarding

    0 Votes
    12 Posts
    16k Views
    kesawi

    I had a play around with static vs non-static NAT port mapping for my son's Xbox One. Under my current setup the only port forward I have is on port 3074 for both TCP and UDP, and I run a transparent proxy for HTTP traffic. With static NAT port mapping switched off it reports a strict network configuration, and an open configuration with it on. I ran some packet captures and examined the state tables for both configurations. In both scenarios the Xbox only generated the following traffic:

    DNS requests on TCP port 53

    Teredo tunnelling from UDP port 3074 to port 3544 on a remote server

    Queries to TCP port 443 on several remote servers

    Queries to TCP port 80 on several  remote servers

    All originating ports from the Xbox to TCP 443 and 80 were in the range 49916 to 49930; however, I'm sure this range will increase when multiplayer gaming, so unless I want to forward a rather large range of ports to the Xbox, static NAT mapping appears to be the only way for it to work. I'd need to do some more packet captures under various usage scenarios to see if maybe I can narrow down the static NAT mapping port range to something smaller rather than all 65535 ports.
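Three of the posts above describe the same two-step translation from different angles: Derelict's summary in the "Inbound hairpin" thread (port forwards rewrite the destination as a connection enters an interface, outbound NAT rewrites the source as it leaves one), the transparent squid redirect in "NAT to External Squid Proxy" (a port forward whose source excludes the proxy itself, plus an outbound NAT rule towards the proxy), and the static vs. non-static port mapping experiment in the UPnP thread. The following is an added toy model written for this page, not pfSense or pf code, that applies the two steps in that order to a few constructed connections and shows (a) why a LAN-to-WAN-address hairpin needs an outbound NAT rule on LAN as well as the reflected port forward, (b) why the squid redirect must exclude the squid box's own traffic, and (c) what "static port" changes about the source port. Interface names, rule fields, the deterministic port allocator, and the RFC 5737 public addresses are all assumptions of the model.

```python
"""Toy model of the order in which pfSense (pf) translates a new connection:
port forwards ("rdr") rewrite the DESTINATION as the connection enters an
interface; outbound NAT ("nat") rewrites the SOURCE as it leaves one.
Added illustration, not pfSense/pf code; rule fields and addresses are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """Matched on the interface the connection ENTERS (pfSense: NAT > Port Forward)."""
    iface: str
    proto: str
    dst: str                          # address or "any"
    dport: int
    target: str
    target_port: int
    not_src: Optional[str] = None     # "Source: NOT <host>" exclusion (proxy loop guard)


@dataclass(frozen=True)
class OutboundNat:
    """Matched on the interface the connection LEAVES (pfSense: NAT > Outbound)."""
    iface: str
    proto: str                        # "any", "tcp" or "udp"
    src_net: str
    translate_to: str
    static_port: bool = False


class Nat:
    def __init__(self, lan_net, port_forwards, outbound_nats):
        self.lan_net = ip_network(lan_net)
        self.port_forwards = list(port_forwards)
        self.outbound_nats = list(outbound_nats)
        self._ephemeral = count(50001)   # deterministic stand-in for pf's random high port

    def egress_iface(self, flow):
        return "lan" if ip_address(flow.dst) in self.lan_net else "wan"

    def apply_port_forward(self, flow, ingress):
        for r in self.port_forwards:
            if (r.iface == ingress and r.proto == flow.proto and r.dport == flow.dport
                    and r.dst in ("any", flow.dst) and flow.src != r.not_src):
                return replace(flow, dst=r.target, dport=r.target_port)
        return flow

    def apply_outbound_nat(self, flow, egress):
        for r in self.outbound_nats:
            if (r.iface == egress and r.proto in ("any", flow.proto)
                    and ip_address(flow.src) in ip_network(r.src_net)):
                sport = flow.sport if r.static_port else next(self._ephemeral)
                return replace(flow, src=r.translate_to, sport=sport)
        return flow

    def translate(self, flow, ingress):
        """Return (flow as it leaves pfSense, egress interface): rdr first, then nat."""
        after_rdr = self.apply_port_forward(flow, ingress)
        egress = self.egress_iface(after_rdr)
        return self.apply_outbound_nat(after_rdr, egress), egress


# Constructed addresses; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
LAN, LAN_IP, WAN_IP = "192.168.1.0/24", "192.168.1.1", "203.0.113.10"
WEB_FWD = [PortForward(i, "tcp", WAN_IP, 443, "192.168.1.20", 443) for i in ("wan", "lan")]
OUT_WAN = OutboundNat("wan", "any", LAN, WAN_IP)


def hairpin(nat_on_lan):
    """LAN client 192.168.1.50 connects to the WAN address of LAN server 192.168.1.20."""
    rules = [OUT_WAN] + ([OutboundNat("lan", "any", LAN, LAN_IP)] if nat_on_lan else [])
    return Nat(LAN, WEB_FWD, rules).translate(Flow("tcp", "192.168.1.50", 40000, WAN_IP, 443), "lan")


def xbox_teredo(static_port):
    """Xbox UDP 3074 -> Teredo server UDP 3544, with and without static port mapping."""
    nat = Nat(LAN, [], [OutboundNat("wan", "udp", LAN, WAN_IP, static_port)])
    return nat.translate(Flow("udp", "192.168.1.77", 3074, "198.51.100.5", 3544), "lan")[0]


def transparent_proxy(src):
    """LAN HTTP is redirected to squid at 192.168.1.30:3128, except squid's own requests."""
    squid = "192.168.1.30"
    nat = Nat(LAN, [PortForward("lan", "tcp", "any", 80, squid, 3128, not_src=squid)],
              [OUT_WAN, OutboundNat("lan", "tcp", LAN, LAN_IP)])
    return nat.translate(Flow("tcp", src, 51000, "198.51.100.80", 80), "lan")


if __name__ == "__main__":
    for nat_on_lan in (False, True):
        out, egress = hairpin(nat_on_lan)
        print(f"hairpin, outbound NAT on LAN={nat_on_lan}: server sees "
              f"{out.src}:{out.sport} -> {out.dst}:{out.dport} via {egress}")
    for s in (False, True):
        x = xbox_teredo(s)
        print(f"static_port={s}: Xbox appears as {x.src}:{x.sport} -> {x.dst}:{x.dport}")
    for who in ("192.168.1.50", "192.168.1.30"):
        out, egress = transparent_proxy(who)
        print(f"HTTP from {who}: leaves via {egress} as {out.src}:{out.sport} -> {out.dst}:{out.dport}")
```

Reading the output: without the LAN outbound NAT rule the web server sees the client's real address and answers it directly on the same segment, but the client sent its SYN to 203.0.113.10 and discards a SYN-ACK from 192.168.1.20, so the handshake never completes; with the rule the server replies to the firewall, which reverses both translations. For squid, the `not_src` exclusion is what keeps the proxy's own upstream fetches from being redirected back to itself. For the Xbox, `static_port` is the only difference between the source port the game servers see being 3074 or an arbitrary high port.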

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.