• Scheduled inbound nat

0 Votes · 9 Posts · 2k Views

    @kaotiklabs:

    Seems a good idea, but RTSP seems a tricky protocol and I don't really know if it's possible.
    Which kind of proxy should I use? Must it be a specific one for RTSP?

    There are plenty of proxies if that's the route you want to take. HAProxy and Pen are two I can think of off the bat. Or there's ZenLoadbalancer if you don't want to do too much command-line work. I've used proxies for web traffic, FTP and even SMTP traffic, so I would think one could handle RTSP, though I haven't tried it with that specific protocol myself.

  • Disconnection in game

0 Votes · 4 Posts · 1k Views

    I'm surprised it let you do this. 192.168.0.0/24 and 192.168.0.0/18 overlap, a good router should balk at this.

    /18 is a 2/6 split of the third octet, IOW 192.168.0.0/18 is 192.168.0-63.x. You have a really big network there, 16K hosts.

    If you really want a /18 and want to use 192.168 for it while keeping 192.168.0.0/24, then you should make it 192.168.64.0/18.
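An added example (not code from the thread) that checks the arithmetic in the reply above with Python's standard ipaddress module: what 192.168.0.0/18 covers, that it overlaps 192.168.0.0/24, and that 192.168.64.0/18 is the first /18 in 192.168.0.0/16 that does not. The overlap check at the end is the sort of validation the reply says a router should do on its interface subnets; the 10.0.0.0/24 entry in it is made up for illustration.

```python
import ipaddress

def describe(cidr):
    """Return (first address, last address, usable host count) for a prefix."""
    net = ipaddress.ip_network(cidr, strict=True)
    # num_addresses includes the network and broadcast addresses; drop both.
    return str(net[0]), str(net[-1]), net.num_addresses - 2

def overlaps(a, b):
    """True if the two prefixes share any address."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def next_free_prefix(existing, prefixlen, within="192.168.0.0/16"):
    """First /prefixlen subnet of `within` that overlaps none of `existing`."""
    taken = [ipaddress.ip_network(e) for e in existing]
    for cand in ipaddress.ip_network(within).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None

def overlapping_pairs(cidrs):
    """Every pair of interface subnets that overlap: a good router rejects these."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]

if __name__ == "__main__":
    print(describe("192.168.0.0/18"))                    # ('192.168.0.0', '192.168.63.255', 16382)
    print(overlaps("192.168.0.0/24", "192.168.0.0/18"))  # True
    print(next_free_prefix(["192.168.0.0/24"], 18))     # 192.168.64.0/18
    # 10.0.0.0/24 is a constructed third interface, included to show it is not flagged.
    print(overlapping_pairs(["192.168.0.0/24", "192.168.0.0/18", "10.0.0.0/24"]))
```

The /18 holds 16382 usable hosts, which is the "16K hosts" of the reply; the next /18 boundary after 192.168.0.0 is 192.168.64.0, which is why that prefix is the one that coexists with 192.168.0.0/24.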

  • Update to newer version of pfsense

0 Votes · 2 Posts · 723 Views

    It's all in here: https://doc.pfsense.org/index.php/Upgrade_Guide

  • Problems with NAT and Internet access

0 Votes · 14 Posts · 3k Views
johnpoz

    And how is it going?  Where you don't use the same network on both sides and just let pfSense use its own network behind it and NAT?

  • PfSense like a gateway for multiple LAN devices using NAT.

0 Votes · 5 Posts · 2k Views

    Hi.

    Yes, you were right. The 1:1 NAT made pfSense map the traffic with the IP of the NAT.

    Instead I use a port forward from a WAN IP to a LAN IP, and an outbound rule to the IP address of the WAN interface.

    ;D

    Thank you for your help.

  • NAT to IP on other site of VPN tunnel

0 Votes · 4 Posts · 1k Views

    Have you been looking at the traffic flow using tcpdump on site B to see if requests reach the server and what happens when the server responds?

    Syntax in shell: tcpdump -i LANIF -n host externalclient

    Where LANIF should be replaced with whatever interface on pfSense your server is connected to and externalclient replaced by the IP of the client on the internet trying to reach the server.

    If you don't see any responses from the server here, then try to change LANIF to what corresponds to your WAN interface and try again.

    If so you might have a case of what is called asymmetric routing, i.e. a client on the internet surfs to your public IP on site A, traffic flows over to site B through IPsec and eventually reaches the server on site B. The quirk is that the server on site B cannot find the client IP in any routing table except the default route, and that points out through the WAN interface of site B.

    In that case you'll have to rewrite the source address at site A.
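An added example (not from the thread) that models the asymmetric-routing case described above: a longest-prefix-match lookup over a constructed routing table for the server at site B shows its reply to an internet client leaving on the WAN rather than the tunnel, and shows the reply going back over the tunnel once site A rewrites the source address. The interface names, the two LAN prefixes, the server address and the client address 203.0.113.7 are all assumptions chosen for illustration.

```python
import ipaddress

# Constructed routing table of the server at site B (assumption): the IPsec
# tunnel only carries site A's LAN, everything else leaves via the default route.
SITE_B_SERVER_ROUTES = [
    ("192.168.20.0/24", "lan0"),    # site B LAN, directly connected
    ("192.168.10.0/24", "ipsec0"),  # site A LAN, reachable through the tunnel
    ("0.0.0.0/0", "wan0"),          # default route: everything else
]

def lookup(routes, dst):
    """Return the egress interface for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forward_from_site_a(client_src, server_dst, snat_to=None):
    """The packet as it arrives at site B over the tunnel. With snat_to set,
    site A has rewritten the source address before forwarding it."""
    return {"src": snat_to or client_src, "dst": server_dst, "ingress": "ipsec0"}

def server_reply(routes, pkt):
    """The server answers pkt['src']; the path is symmetric only if the reply
    leaves on the interface the request arrived on."""
    egress = lookup(routes, pkt["src"])
    return {"reply_to": pkt["src"], "egress": egress, "symmetric": egress == pkt["ingress"]}

def reply_path(client_src, snat_to=None):
    """End-to-end: request from client_src to the site B server (192.168.20.5, assumed)."""
    pkt = forward_from_site_a(client_src, "192.168.20.5", snat_to)
    return server_reply(SITE_B_SERVER_ROUTES, pkt)

if __name__ == "__main__":
    # 203.0.113.7 stands in for the client on the internet (documentation range).
    print(reply_path("203.0.113.7"))                          # egress wan0, symmetric False
    # Site A rewrites the source to its own LAN address (assumed 192.168.10.1).
    print(reply_path("203.0.113.7", snat_to="192.168.10.1"))  # egress ipsec0, symmetric True
```

This is the same thing the tcpdump check in the post reveals: with no source rewrite, the request shows up on the server's LAN interface but the replies show up on site B's WAN, addressed to the client directly.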

  • Inbound SIP Traffic

0 Votes · 9 Posts · 3k Views

    I think you're right. I've been watching the logs and everything looks good now. I think there was an alert that triggered the blocking of the SIP provider, which also caused further traffic to be dropped. I'm not sure which rule caused the block at this time, but I am keeping an eye on it. I tried whitelisting an alias which contains a list of IPs that we frequent, but Snort throws a fit with the alias whitelisted.

    Anyhow, it seems to be working atm, but I am watching it. Thanks for replying.

  • Problem Forwarding Ports

0 Votes · 8 Posts · 2k Views
KOM

    If you have the ability to switch it to bridged then that's the preferred solution over double-NAT anyway.

  • One way RTP traffic

0 Votes · 2 Posts · 2k Views

    RTP needs open ports for the return traffic.  rtp.conf on the Asterisk server is where you can define a range of ports to use, such as UDP 10000-20000. Then in pfSense create a WAN rule allowing the range in to your Asterisk server.  This is in addition to 5060 for the SIP session and the NAT rule.  If both sides are behind NAT you will need a STUN server to assist with the connection, I believe.

    http://linuxjournal.com/article/9399

  • PfSense on ESXI - only one way traffic???

0 Votes · 19 Posts · 4k Views
jimp

    @KOM:

    Thanks but I'll keep playing with the other two for now.  LibreOffice Draw is already on my home box and it seems to do the job.  Getting decent network image templates was the stickler, and the VRT stuff seems good enough to me.

    LibreOffice Draw + VRT is what I use for the diagrams in the pfSense book (now, as I'm updating it), and other places like the Hangouts. Not sure if I've moved any over on the Wiki  yet. They are nice shapes with a permissive license so there are no concerns with using them in published diagrams, too.

    LibreOffice Draw has lots of room for improvement but it's not too bad these days.

  • Complicated NAT Question

0 Votes · 4 Posts · 1k Views
johnpoz

    No you do not need to remove the auto..  You need to make sure that the webserver talks back out the same IP it came in.

  • WAN dropping connection

0 Votes · 7 Posts · 5k Views

    Haha yes. I think i dodged a bullet here :o

  • NAT forwarding to other than FQDN or IP??

0 Votes · 5 Posts · 2k Views
johnpoz

    "exampletwo.domain.com that needs to go to 10.x.x.x/user/service"

    Sorry but firewalls don't do that kind of forward… A reverse proxy could do that sort of forward.. Use a reverse proxy package on pfsense if that is the sort of thing you want to do.

  • Transparent proxy -> internal squid host but preserving source IP address

0 Votes · 2 Posts · 1k Views

    It appears someone was able to accomplish this 9 years ago, but the instructions don't translate well to the current version.

    https://forum.pfsense.org/index.php?topic=4225.0

    Has anyone been able to set up a transparent proxy on pfSense that forwards traffic to an internal Squid server but preserves the source IP addresses?

  • What VPN rules are required to kill traffic if VPN is down?

0 Votes · 2 Posts · 628 Views
kesawi

    Have a look at /index.php?topic=106305.0, particularly sections 9 and 10.

  • Multiple source networks to one destination port.

0 Votes · 3 Posts · 1k Views

    Thank you for responding.

    Now I need a little help to get my head around how I would configure that.
    Would I construct a series of rules like the following, using what I wrote in my original post?

    Block not 79.135.125.0/24 destination xxx.xxx.xxx.xxx
    then
    Block not 87.238.72.128/26 destination xxx.xxx.xxx.xxx
    etc
    then last would be the NAT, which would forward anything to xxx.xxx.xxx.xxx port 5000

    Tried the above to see if it worked. I removed the NOT tick, so as I understand it traffic should then have been blocked from the address blocks.
    However, I found that traffic was getting through on the final rule/NAT. I had the rules listed such that the block rules were before the NAT rule.

    So I am missing something so can you please clarify your post.

    Moving from IPCOP to pfsense has been relatively trouble free apart from this issue.

  • Auto-created NAT rules

0 Votes · 6 Posts · 2k Views
johnpoz

    You're doing it wrong is all I can say..

    Your shared printer doesn't show any issues with nat..

    "except that there's one network printer and no need to buy another, so it's given a mapped IP that allows it to appear as 192.168.1.2 from the "home" and also as 10.1.1.2 from the office."

    Why do you need/want to NAT between these networks??  Please give one actual logical reason why you would NAT between these 2 networks..  I have multiple network segments in a home..  Why would I NAT between my segments??  Why in the world would I have to map the printer to 10.1.1.2 when I can just access it via 192.168.1.2 by creating a firewall rule..

    Please give an example that actually makes sense where your question comes into play..  There are millions of networks available in RFC 1918 space.. For what possible reason would I NAT those in the same location..  And if the same space is being used remotely, or even let's call it the same building where you happen to use 192.168.1.0/24 and someone else used 192.168.1.0/24..  Why do we need to talk and how are we talking - there would have to be a transit network between us.

    So you freaking NAT their 192.168.1.0/24 to 192.168.2.0/24 or any other space available in 1918…  Or one of you changing your network would be the better idea..

    Your question is a non-issue because you cannot give an example when it would ever come into play that would make sense... Your manual outbound rules come before auto, and manual can be adjusted.. Where exactly is there a problem??  This is outbound NAT, keep in mind, not inbound.  You're NATing your clients behind your interface to your interface when they go out that interface.

  • No inbound voice on SIP!

0 Votes · 5 Posts · 2k Views

    You have two WAN rules both duplicating a forward to port 35060. From what I can see on your NAT rule table, one of these should be 5060. Your NAT rule is doing a port mapping from 5060 to 35060 internally, but your corresponding WAN firewall rule isn't specifying the correct target port.
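An added example (not code from either thread) that models pf's processing order, which is what both the "Multiple source networks to one destination port" post above and this SIP reply turn on: a port forward (rdr) rewrites the destination address and port first, then the firewall rules are evaluated first-match against the translated packet, with a default deny. The model uses a constructed public IP in the documentation range, a constructed internal server, and the two source networks quoted in the earlier post. It goes slightly beyond the two posts in also showing that chaining "block not X" rules locks out every source.

```python
import ipaddress

# Constructed values (assumptions): a public address, a LAN server, and the two
# source networks quoted in the multiple-source-networks post.
PUBLIC_IP = "198.51.100.10"
SERVER_IP = "10.0.0.50"
NET_A = "79.135.125.0/24"
NET_B = "87.238.72.128/26"

def rdr(pkt, forwards):
    """Port-forward translation: pf rewrites dst address/port before filtering."""
    for f in forwards:
        if (pkt["dst"], pkt["dport"]) == (f["dst"], f["dport"]):
            return {**pkt, "dst": f["to"], "dport": f["to_port"]}
    return pkt

def src_matches(pkt, rule):
    """Source match, honouring the rule's 'not' (invert) flag; src None = any."""
    if rule.get("src") is None:
        hit = True
    else:
        a = ipaddress.ip_address(pkt["src"])
        hit = any(a in ipaddress.ip_network(n) for n in rule["src"])
    return not hit if rule.get("invert_src") else hit

def filter_(pkt, rules):
    """First matching rule decides (pfSense rules are 'quick'); default deny."""
    for r in rules:
        if (pkt["dst"], pkt["dport"]) == (r["dst"], r["dport"]) and src_matches(pkt, r):
            return r["action"]
    return "block"

def process(pkt, forwards, rules):
    return filter_(rdr(pkt, forwards), rules)

FORWARD_5000 = [{"dst": PUBLIC_IP, "dport": 5000, "to": SERVER_IP, "to_port": 5000}]

# Block rules keyed on the public address, as in the earlier post: after rdr the
# destination is SERVER_IP, so they never match and the NAT-linked pass rule
# admits every source.
RULES_ON_PUBLIC_DST = [
    {"action": "block", "src": [NET_A], "invert_src": True, "dst": PUBLIC_IP, "dport": 5000},
    {"action": "block", "src": [NET_B], "invert_src": True, "dst": PUBLIC_IP, "dport": 5000},
    {"action": "pass", "src": None, "dst": SERVER_IP, "dport": 5000},
]

# Same rules keyed on the translated destination. Any address is outside at
# least one of the two networks, so chained "block not X" rules block everybody.
RULES_CHAINED_NOT = [
    {"action": "block", "src": [NET_A], "invert_src": True, "dst": SERVER_IP, "dport": 5000},
    {"action": "block", "src": [NET_B], "invert_src": True, "dst": SERVER_IP, "dport": 5000},
    {"action": "pass", "src": None, "dst": SERVER_IP, "dport": 5000},
]

# One pass rule whose source is an alias holding both networks; default deny does the rest.
RULES_ALIAS = [
    {"action": "pass", "src": [NET_A, NET_B], "dst": SERVER_IP, "dport": 5000},
]

def check_5000(src, rules):
    return process({"src": src, "dst": PUBLIC_IP, "dport": 5000}, FORWARD_5000, rules)

# The SIP case from this thread: WAN 5060 is forwarded to 35060 on the PBX, so
# the WAN rule must name port 35060, not 5060.
FORWARD_SIP = [{"dst": PUBLIC_IP, "dport": 5060, "to": SERVER_IP, "to_port": 35060}]

def check_sip(rule_port):
    rules = [{"action": "pass", "src": None, "dst": SERVER_IP, "dport": rule_port}]
    return process({"src": "203.0.113.9", "dst": PUBLIC_IP, "dport": 5060}, FORWARD_SIP, rules)

if __name__ == "__main__":
    print(check_5000("203.0.113.9", RULES_ON_PUBLIC_DST))   # pass: unwanted source gets through
    print(check_5000("79.135.125.9", RULES_CHAINED_NOT))    # block: allowed source locked out
    print(check_5000("79.135.125.9", RULES_ALIAS))          # pass
    print(check_5000("203.0.113.9", RULES_ALIAS))           # block
    print(check_sip(5060), check_sip(35060))                # block pass
```

The practical reading for pfSense: a WAN rule that belongs to a port forward must carry the internal destination address and the translated port, and a source restriction is simplest as one pass rule whose source is an alias of the permitted networks.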

  • FILTERING PORT FORWARD BY MAC ADDRESS

0 Votes · 5 Posts · 2k Views

    Huh? What? That's totally… rereads OP

    :|

    lol whoops.

  • Clients behind NAT does not resolve DNS

0 Votes · 7 Posts · 3k Views

    Any Windows or Linux client will have DNS query tools available. So connect one to your LAN and run the nslookup/dig command I mentioned earlier. Target an external DNS server in your query to see whether you get a response. If you can ping 8.8.8.8, for instance, but don't get a reply when running 'nslookup www.google.com 8.8.8.8' then I would look carefully at your firewall rules. If in doubt, post them and maybe someone can help further. Otherwise, I think we've just about exhausted all possibilities at this stage.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.