• [Solved] VMWare Workstation Routing Problems

    2
    0 Votes
    2 Posts
    2k Views
    A

    Solved:  Turns out that sometimes if you go through the setup too fast you can end up setting the LAN interface as the default gateway …  Fix is deleting it from System: Gateways.

  • Virtual IP 1:1 setup stopped routing https traffic ["Solved"]

    10
    0 Votes
    10 Posts
    2k Views
    T

    Thanks phil, I was not aware of that.

    I am thinking squid was not the problem anyway, as I had the reverse proxy turned off, and I don't think the web cache part of squid binds to an http port, but I could be wrong on that.

    My web services are still up, I don't have a clue what happened.

  • Routing with no NAT

    12
    0 Votes
    12 Posts
    5k Views
    P

    Could you post a traceroute screen shot from one to another?

    From another post where someone got it working, so I thought I would ask here.
    Is the Windows firewall disabled?

  • Route/NAT incoming to other firewall's public ip

    2
    0 Votes
    2 Posts
    944 Views
    P

    Check the source. You probably have a routing issue resulting from not NATting the original connection. Just a guess though. I would perhaps try a 1:1 NAT instead. Then again, I have never tried something like that with pfSense.

  • FTP NAT/Port Forwarding

    2
    0 Votes
    2 Posts
    2k Views
    T

    Maybe a problem with your PASV mode settings?  Typically FTP over NAT needs PASV mode with additional ports set up.

  • Disable NAT issue

    12
    0 Votes
    12 Posts
    6k Views
    U

    @jswj:

    You're welcome, Michael.

    Also, I played around a little bit with Packet Tracer to simulate your situation; I hope this is what you are looking for:

    Like I mentioned before, you need to sort out routing on each device, especially on the Layer 3 switch inter-VLAN. The configuration above works OK; the PCs on each VLAN are able to connect up to the MODEM WAN interface. Do not mind the right side of the modem, as I only try to pretend that the WAN side is the internet.

    Dear Julius ,

    Once again thank you for your time and your reply .
    The problem, believe me, is not the Cisco devices!
    I can configure them to do whatever you want. Routing with any protocol you want, switching at any level, PBR, SLA, etc ….

    My problem is with the pfSense box ... it doesn't make any sense at all! I am able to configure an ASA in 5 minutes, and I cannot configure the pfSense just not to do NATing the whole week. xa xa xa xa

    It is ridiculous.

    Anyway once again thank you for your time .

  • Virtualized pfSense and port forwarding

    7
    0 Votes
    7 Posts
    2k Views
    D

    DHCP in settings for host-only adapter is turned off, but it is on in pfSense, yes. I will try to play with that when I get some time (day or two) and see what comes up…
    Thanks for your help till now, I'll report results.

    edit: yes, you were right, two host-only interfaces were the problem...thanks again

  • Accessing from LAN to modem through WAN

    2
    0 Votes
    2 Posts
    774 Views
    mudmanc4M

    Have you created firewall rules specific to the ports / IPs you need to access?

    Did you create a virtual interface?

    Aside from this, why could you not simply access the modem via IP?

    Doing this seems futile unless you have more than one public IP; then you'll need to create a 1:1 NAT or otherwise.

  • 1:1 NAT CT's behind PFsense do not receive emails from one another

    1
    0 Votes
    1 Posts
    600 Views
    No one has replied
  • States not cleared on WAN IP change

    2
    0 Votes
    2 Posts
    2k Views
    S

    Hi,

    I have the same problem, I searched the forum and there is some info but not a precise way to solve this issue.
    What I cannot understand is the reason why there isn't a way to add this feature "clear all states when WAN IP recovers" officially.

    However, if anyone has news on this it will be appreciated.

    The only topic I found that's interesting, but I have not tested the solution yet, is this:

    https://forum.pfsense.org/index.php?topic=65004.0

    I don't know if this can help

  • NAT config not effect until restart

    2
    0 Votes
    2 Posts
    565 Views
    J

    After making any changes, there should be a button on the top saying "Apply Changes".

  • How to configure port forwarding in pfSense for Ekiga?

    2
    0 Votes
    2 Posts
    955 Views
    J

    You need to set up forwarding the port number of Ekiga to your Ekiga server, which I believe is inside your LAN.

    As you already have the list of ports, go to the NAT page; on the port forwarding, set as follows:

    rule 1:
    source: any
    port: any
    destination: WAN Address
    ports: 5000-5100
    type: udp
    destination: ekiga LAN IP
    destination port: ekiga port 5000-5100 UDP

    rule 2:
    source: any
    port: any
    destination: WAN Address
    ports: 3478-3479
    type: udp
    destination: ekiga LAN IP
    destination port: ekiga port 3478-3479, udp

    rule 3:
    source: any
    port: any
    destination: WAN Address
    ports: 1720
    type: tcp
    destination: ekiga LAN IP
    destination port: ekiga port tcp 1720

  • Routing between Interfaces

    15
    0 Votes
    15 Posts
    13k Views
    J

    Client DNS IP should point to the gateway address as well; pfSense in turn will have DNS forwarders to resolve the FQDN.

    Set auto outbound NAT and disable/remove all nat mappings, also remove static route entry. Make backups of the current config before trying.

    I have similar setups set on auto nat, no nat mappings, no static routes, only WAN has gateway. On each LAN interface firewall rules are to allow all traffic generating from the LAN subnet to any destination, tcp and udp, any port.

  • 0 Votes
    3 Posts
    1k Views
    F

    I have reconfigured the Asterisk server to include both "externip" and "fromdomain" values, this did not make a difference.

    I think the issue is with pfsense and how it's handling the 1:1 NAT. In the states table I see the following.

    SIPProviderIPAddress:5060 <- InternalIPAddress:5060
    InternalIPAddress:5060 -> CARPIPAddress:5060 -> SIPProviderIPAddress:5060

    I suspect that the CARP not being seen in the state for both directions of traffic is the issue here. Is there a way to force all traffic using the CARP IP to use that IP in both directions and have it show in the states?

    The other item that may be an issue is the Single:Multiple and Multiple:Single under the "state" column. If I can sort out how pfSense is delivering a class C IP to the SIP provider and get it to send the CARP IP I want to use, I believe this SIP / Asterisk setup will work without siproxyd.

  • NAT reflection behaviour changes after upgrade from 2.03 to 2.1

    1
    0 Votes
    1 Posts
    841 Views
    No one has replied
  • NTP Server not working if bound to WAN or multiple interfaces

    2
    0 Votes
    2 Posts
    875 Views
    P

    Any takers? Bueller? Bueller?

  • Help with port forwarding on Openvpn client

    2
    0 Votes
    2 Posts
    983 Views
    M

    anyone?

  • DNAT to OpenVPN tunnel endpoint

    3
    0 Votes
    3 Posts
    896 Views
    W

    @phil.davis:

    Will a NAT 1:1 on packets arriving on LAN for the external VPN IP, NATing them to the internal VPN tunnel work?
    That should not break pfSense itself getting out and establishing the VPN link.

    OK. I've got it to work by adding a Port Forward as follows:

    Interface: LAN
    proto: UDP
    Src addr: *
    Src ports: *
    Dest addr.: external address of endpoint
    Dest. ports: 1-65535
    NAT IP: 192.168.22.1
    NAT Ports: 1-65536

    I've added a similar rule for TCP (adding a TCP/UDP rule didn't seem to work somehow) and also for ICMP.

    regards
    Peter

  • How can I see the Outbound NAT rules that are automatically created?

    2
    0 Votes
    2 Posts
    863 Views
    jimpJ

    For others that are curious, while you're on Automatic Outbound NAT, you can see the automatic rules using Diagnostics > Command:

    grep tonatsubnets /tmp/rules.debug

    On pfSense 2.2 the automatic rules are listed even when you're in automatic mode so that won't be necessary.

  • Port Forwarding & 1:1 NAT

    4
    0 Votes
    4 Posts
    1k Views
    P

    Unless you are pushing more than 300MB/s I don't see how it would be CPU intensive at the firewall level. I could see how video conferencing could open a lot of states. If you are at a colo or datacenter, you are probably going to have to use a server class system for high bandwidth and state handling. What did they try it on before? A lot has changed in 5 years.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.