your interface is lan - that is wrong.. Your forward interface would be wan!!

1:1 takes precedence over outbound NAT.

You are probably going to have to post what you have done instead of a description of that you think you have done.

We have a 2nd Static Block coming through same WAN (182.x.x.x /28). Not sure where to configure except as a Virtual IP which I have yet to do

Is that routed to an address on 70.x.x.x /28 or is it somehow on the same interface.

If it is routed you can do anything you want with it. Use it as VIPs. Put it (or a portion of it) on an inside interface, disable NAT, and assign addresses from it directly to inside servers. Route it (or a portion of it) somewhere downstream.

If it is not routed and you are not yet using it, I would ask them to change it. There are no downsides and lots of upsides to having a routed subnet.

Watch this and change rdp to http :-

https://www.youtube.com/watch?v=1LM6PdwSAaY

If your external ip address starts 192.168.x.x your ISP is handing out rfc1918 private IP addresses for your WAN so NAT would be taking place further up the chain.

Thanks for your help!

@viragomann:

Nothing. WAN net ist the subnet configured on the WAN interface, not the whole internet. WAN address is the WAN interface address.
The whole internet is "!(RFC 1918 networks)".

So add all the addresses you want to permit access to an alias and use this in a pass-rule as dest.

What about a script to change the Address Pool every X hours?  Then I can have 1 Subnet active per hour and rotate them through each.

I am on tmobile phone and it doesn't get an IPv4 any more just IPv6.

Mine too.  My cell carrier uses 464XLAT to provide IPv4 support.

Giving a school back in the day when internet first started a /8 was not forward thinking ;) heheh

Of course, that predated personal computers, tablets, cell phones etc.  The 32 bit addresses were intended only to be for a demonstration, with larger addresses when "officially released" at least according to Vint Cerf.

Hi Derelict,

Thanks for chiming in.

Yes, I was experimenting with the Phase2 settings and was able to make things work!  :)

Thanks again everyone for your thoughts and suggestions.

pfSense rocks!

Cheers,
Armen

Yeah. AT&T are idiots who do 802.1x authentication of their gateway, so you can't even buy a standard VDSL modem or hook up your own router to the ONT (Fibre)

Their IP pass-through mode still subjects you to NAT table limitations and that like, unfortunately. And I recall reading something about blocked ports.

I read something about extracting the certificate and the private key from the AT&T gateway with an exploit. Obviously not endorsed by AT&T though.

This looks interesting. I don't have AT&T so I can't comment but it might work. Don't know if pfSense has an ebtables equivalent.

http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits

Ok, removing the source port numbers has made mail flow, however i still get no mail to my android unless disconnected from the wifi…. Suggestions?

Also my computer tells me i have no internet access, in network & Sharing Center, as well as on my task bar??? I do have network connection, it just says i don't???


If the modem already does NAT you will have a private IP address on WAN. If so, you have to uncheck "Block private networks" in the WAN interface settings to permit incoming connections.

Also consider that you need to set a firewall rule to allow incoming traffic as well. This may also be done in the NAT rule by the "rule association" option.

Normally that happens when you are at full multitasking with just one core processor (head)…  :)

All the phones are on the same subnet with the voip server (192.168.10.0/24).  The voip server is static on 192.168.10.15.

That is same-subnet traffic. The firewall is not involved other than, perhaps, as a DNS and DHCP server. Probably going to have to be more specific about what is or is not working.

Glad to get it sorted out !

Thanks for your help dotdash