Regarding my "hack", today I noticed that the dyndns.update cron-job failed for IPv4 with my cloudflare "clients", the RFC 2136 "client" had no problem with IPv4.
I then removed the virtual-IP, only had 18.104.22.168 in the UPnP & NAT-PMP Settings and dyndns.update is working again and UPnP is still working!
So the only thing someone has to do is to put in some random public IP in Override WAN address in the UPnP & NAT-PMP Settings, to get it working behind a private IP?!
Is it so easy?
No need for a STUN Server and all this nonsense??
I really don't know, why (mini-)UPnP needs to know the public IP in the first place.
Yes, the OpenVPN makes a route at A for 192.168.110.0/24.
But I think the problem is at B, because I can't see any traffic leave the OpenVPN interface connected to A when I ping a host at 22.214.171.124/20
I said from the beginning that I wanted to replicate the configuration I had with my pix as the netgate act a replacement.
That isn't an explanation for the reasoning behind the method. I understood you wanted to make it the same as what you had before. That's not hard to understand. The question was 'why do you want it that way?' What problem does this solve? That's all.
All my configuration is based on that and despite the fact you disagree, I want to mask my internal network for things such honeypot for example.
I don't necessarily disagree when I don't know all the details. That's why I was asking. You said earlier that you wanted to mask your network but I didn't understand the context nor did John. Usually a DMZ is completely isolated from LAN which is its entire point, and any required access is strictly controlled via rules. It's unusual to have a DMZ that needs to talk to LAN so much.
It's not because you do not understand the usefulness of what I want that it's illegal.
I'll definitely admit that I don't see the usefulness of what you're doing.
And such a supposition is quite surprising.
I said what I wanted to do, you just don't listen.
No, you said things like 'mask my network' and 'several reasons' but you never actually gave any specifics. Two of us were confused so you weren't as clear as you think.
1- reproduce what I had before just not to have to reconfigure everything
2- mask my internal network because I don't want people to be aware of it.
Got it. I don't know how that would help you though. Yes, I understand that you are going to keep it this way and I have no problem with that. I'm just curious. How would people who interact with your DMZ be aware of what's on your LAN? Someone who cracks one of your DMZ servers will see what it's talking to and try to exploit that regardless of its DMZ vs LAN IP address.
But still you're pushing over and over because it sounds overcomplicated for you but at the very end it's my problem if it's overcomplicated, right?
It doesn't sound overcomplicated. It sounded like it didn't make any sense. I was asking for details because I thought I was missing something.
I've never seen such aggressive people about simple tech questions, really I don't understand what you are trying to do there.
Every single day here, new users decide to do something using an incorrect or sub-optimal method and then they ask specific questions in order to reach their bad end instead of asking for the best way to do something using pfSense. I thought that is what you were doing so I asked questions trying to determine what problem you needed to solve.
I've started evading your queries because I had answered them and didn't want to get into an argument and have to justify my setup.
You make me feel like I want to pack up my Netgate and return it.
This has nothing to do with Netgate.
I've worked with Cisco, Nokia, McAfee, Check Point firewalls and never seen such aggressiveness from a tech community.
I'm starting to feel you are acting like that because you've seen I'm a girl and think I don't know what I'm doing.
Don't make me think it's just a misogynistic behavior.
How would I know you're a woman, and why would that matter?? My entire knowledge of you is from this one thread.
That said, I'm not doing anything illegal, I just wanted to reproduce my Pix configuration to simplify my life and not have to reconfigure every service I'm using, and that's all.
Understood. Thank you for making it clearer for me. I think this has been one big misunderstanding and I will not trouble you again.
@peterlecki The interface was not given the whole block. It was given one interface IP address and a subnet mask.
It is up to the administrator to assign IP addresses if they want the firewall to respond to ARP requests. In many cases it is desirable to not respond to ARP there, especially when using routed subnets.
Do you mean that I can do some config in pfSense to get the IP A (second WAN) port forwarding function?
As I mentioned, it depends on the capabilities of the router in front of the WAN interface. I don't know it. If it masquerades incoming traffic it should work straightforwardly.
Some consumer routers do this by default.
Masquerading means that it translates the source IP of incoming forwarded packets into its own internal IP (also known as SNAT). This is what the outbound NAT does on pfSense.
@johnpoz Thanks again for the post. I upgraded to devel 2.6 and tried it. Traffic on the FW is passing with green check marks, it doesn't seem to be working. In fact, my hybrid NAT with the rule I have in place doesn't work either as in the previous version AND on top of that, I re-enabled the LAN rule I had where it would make that host's IP use the secondary gateway that was working...and it is now NOT working.
** Edit: The LAN rule must have taken a minute, it is working now BUT still the same problem. It no worky with the secondary WAN, like it says in the redmine post.
Truly an enterprise product. SMH
The folks on the redmine post who think it is working in 2.6 devel aren't correct because it's clearly not working.
I just looked in the games forum; it seems this is raised a lot. Might read through the threads in there, as it seems some have it working on the Xbox thread, so it may work with mine. The game is Modern Warfare and the game I play is Cold War, but all the ports are the same so it should be the same outcome. Now to find time and dust off my router lol
The failure of that bug is that pfSense is always sending reply packets to the default gateway. So if you're on CE 2.5.1 and the DSL modem is not the default gateway, you will be affected.
but if I connect to the LAN of the DSL modem and try i.e. 192.168.2.2:80 it works as it should
When you're in the DSL modem's LAN and access pfSense, replies do not have to be directed to a gateway.
This also means that you can do a workaround by masquerading incoming packets on the DSL router if it is capable of this function.
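The reasoning in the two posts above (on-link replies need no gateway; off-link replies on the affected release get pushed to the default gateway; masquerading at the DSL router makes every reply on-link) can be traced through with a small routing model. The following Python is an added example, not code from the thread or from pfSense, and it assumes a constructed two-WAN topology: wan1 carries the default gateway, wan2 is the interface behind the DSL modem (192.168.2.2, the address used in the thread), the modem's LAN address is 192.168.2.1, and the client addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed two-WAN topology (an assumption for illustration, not a real pfSense configuration):
# wan1 holds the default gateway; wan2 sits behind a DSL modem whose LAN is 192.168.2.0/24.
INTERFACES = {
    "wan1": {"network": ipaddress.ip_network("203.0.113.0/24"),
             "gateway": ipaddress.ip_address("203.0.113.1")},
    "wan2": {"network": ipaddress.ip_network("192.168.2.0/24"),
             "gateway": ipaddress.ip_address("192.168.2.1")},  # the DSL modem's LAN address
}
DEFAULT_GATEWAY_IF = "wan1"
PFSENSE_WAN2_ADDR = ipaddress.ip_address("192.168.2.2")  # address the thread tests with 192.168.2.2:80


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def egress_for_reply(reply_dst, ingress_if, reply_to_works):
    """Decide where the firewall sends the reply for a flow that arrived on ingress_if.

    Returns (egress interface, next hop). An on-link destination needs no gateway at all,
    which is why 'inside the modem's LAN it works' holds on every release.
    reply_to_works=False models the behaviour described in the thread: an off-link reply is
    sent to the default gateway instead of the gateway belonging to the ingress interface.
    """
    iface = INTERFACES[ingress_if]
    if reply_dst in iface["network"]:
        return ingress_if, reply_dst  # on-link: deliver directly, no gateway involved
    if reply_to_works:
        return ingress_if, iface["gateway"]  # reply-to: back out the interface it came in on
    return DEFAULT_GATEWAY_IF, INTERFACES[DEFAULT_GATEWAY_IF]["gateway"]  # the bug


def masquerade(pkt, router_lan_ip):
    """SNAT at the DSL router: rewrite the inbound packet's source to the router's own LAN IP."""
    return Packet(src=ipaddress.ip_address(router_lan_ip), dst=pkt.dst)


def reply_path(client_src, ingress_if, *, router_masquerades, reply_to_works):
    """Forward one inbound packet to pfSense, build its reply and report
    (egress_if, next_hop, correct), where correct means the reply leaves by the ingress interface."""
    pkt = Packet(src=ipaddress.ip_address(client_src), dst=PFSENSE_WAN2_ADDR)
    if router_masquerades:
        pkt = masquerade(pkt, INTERFACES[ingress_if]["gateway"])
    egress_if, next_hop = egress_for_reply(pkt.src, ingress_if, reply_to_works)
    return egress_if, str(next_hop), egress_if == ingress_if


if __name__ == "__main__":
    cases = [
        ("Internet client via DSL, no SNAT, affected release", "198.51.100.7", False, False),
        ("Internet client via DSL, modem masquerades, affected release", "198.51.100.7", True, False),
        ("Client inside the modem's LAN, affected release", "192.168.2.50", False, False),
        ("Internet client via DSL, reply-to working", "198.51.100.7", False, True),
    ]
    for label, src, snat, ok in cases:
        print(f"{label}: {reply_path(src, 'wan2', router_masquerades=snat, reply_to_works=ok)}")
```

Running it shows the three situations the posts describe side by side: the off-link client's reply leaves wan1 on the affected release, a client on the modem's LAN is answered directly on wan2, and once the modem masquerades, every reply is addressed to 192.168.2.1 and is therefore on-link, so the default-gateway behaviour never comes into play.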
How would 10.41.1.1 ever see your public IP as source? Other than the IP used to create the VPN tunnel. Traffic inside the tunnel would look like it's coming from whatever pfSense gets for its tunnel IP after creating the VPN.
For you to use your downstream network like that, it would have to be set up. The network on the other side of the VPN would have to know to route traffic down the tunnel to get to your 10.36.45 network.
So you're NATing on pfSense to this 172.21.36.2 address now? If not, do you have the ubnt set up to route this traffic via your transit?
@j-sejo1 If I have to pay, I'm going Untangle all in. I also have the Sophos option but it's not my favorite currently.
But indeed I can't run services in a playground environment. Production or home stuff. I need fewer features but reliability from a firewall.