• Double Nat Issue

    8
    0 Votes
    8 Posts
    1k Views

    I really appreciate your reply,

    but in my situation now, I realize the network has enough traffic transiting each other, so I replaced the L2 switch with an L3 switch, and the L3 switch does something else in another environment.

    But now I have another issue, can you help me johnpoz?

    https://forum.pfsense.org/index.php?topic=94928.0

    still double NAT for other services

    thank you again

  • Basic Questions on NAT, PortFWD, and FW

    2
    0 Votes
    2 Posts
    738 Views

    Is Port Forwarding + NAT + FW Rules all required for specific protocols to properly traverse the FW?

    If I have a static WAN IP for my mail server I would set up a NAT for routing the traffic back and forth. Do I have to then set up Port Forwarding for IMAP, SSH, SMTP… and then set up appropriate FW rules? Or can I just do NAT and FW rules - do I have to do port forwarding?

    In the pfSense environment you implement port forwarding by going to Firewall->NAT->Port Forward and create the forwarding you need.
    Once you click Save and Apply Changes, a new rule is also created under Firewall->Rules on the interface you selected in NAT to allow the forward.

    You can choose the protocol(s) you want to allow in NAT and the port for source and destination.
    You can create port aliases and use them in NAT, although that's typically only useful if the source and destination ports are the same.

    For 3 or 4 services you want to handle, it's probably easier to create individual NAT entries.  It will definitely make it easier to troubleshoot firewall problems if your traffic isn't all tied into one rule.

    Gives you more flexibility in the future as well.

    You can get a description of any of these pfSense pages by clicking the ? in the upper right corner of the WebGUI page.

    Welcome to pfSense  :)

  • NAT difficulties

    3
    0 Votes
    3 Posts
    720 Views

    Hi, thanks for the reply. The diagram attached is what I want to achieve. I realise that I don't need to directly tie the virtual addresses to the physical NICs, as they reside on different subnets for WAN and LAN, but I need to know how to route traffic through the firewall between the 2 subnets and use the pfSense as the LAN's default gateway.

  • Multiple Local Clients Listening on Same Port

    2
    0 Votes
    2 Posts
    531 Views

    No, no such configuration. It won't select any random port on your behalf.

  • Port Forward NAT is not working

    8
    0 Votes
    8 Posts
    1k Views
    Derelict

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

  • Fast routing but slow NAT performance

    6
    0 Votes
    6 Posts
    2k Views

    I haven't got time atm, I'm running some other tests at the moment to check the state handling in pfSense 2.1 and 2.2. They are a bit time consuming, as the schedule only allows 15 min increments, so I can't set, say, a 5 min time span with state timeouts set to aggressive (if that's below 5 mins).

  • Multiple (virtual?) IPs on same subnet for NAT

    8
    0 Votes
    8 Posts
    1k Views

    @dotdash:

    Curious as to what's wrong. I just took a fresh 2.2.2 box, connected the WAN to my LAN (double NAT, but this is just to prove a point), and stuck a laptop behind it.
    Laptop gets DHCP, on the net, all good. Then I added a CARP VIP of .90 on the LAN (remember to use a /24 subnet).
    Changed the laptop to a static IP, set the gateway to .90, all good, on the net…

    Based on this, I did a Factory Defaults reset and it works now. I'm going to assume I borked something when trying to configure something else.

    Thanks!

  • RDP connection to Windows Server outside the network

    9
    0 Votes
    9 Posts
    2k Views

    Do you need to RDP to multiple LAN Windows boxes behind the FW?

    If you do, then on pfSense have different ports open with a port forward rule for each which goes to the LAN IP address and the RDP port.

    Then on the internet side use in the RDP client
    IPaddress:Port1  where Port1 port forwards to your server RDP port
    IPaddress:Port2  where Port2 port forwards to your SQL box RDP port.

    You can also change the default port the RDP server listens on on the Windows box, by tweaking the registry settings, if you like accessing multiple Windows boxes from inside the LAN at the same time.

    Then, provided you can RDP onto the Windows box in question from inside the LAN, the pfSense port forwards should work ok.

    If you want to hide the fact you have (multiple) port forwards set up for RDP on the internet, set up OpenVPN on another IP address range to get you inside the LAN, then change your pfSense port forwards from WAN to OpenVPN. The less you expose WAN side the better imo.

    Both work well and give you a way to have multiple RDP clients open at the same time to multiple Windows boxes on a LAN. Of course, having multiple RDP clients open at the same time is also easier if you have multiple monitors, if you need to work on server(s) and workstation(s) at the same time for testing purposes without having to wait to log in each time or be alt-tabbing between multiple machines.

    fwiw.

  • Odd issue?

    5
    0 Votes
    5 Posts
    880 Views

    You need a rule to pass traffic to the VPNs that doesn't policy route, above any matching rules specifying a gateway.

  • NATing from Wan1 to Wan3

    23
    0 Votes
    23 Posts
    3k Views

    Ok, thanks very much doktornotor.

    I'll prepare a post for the Spanish forum.

    Thanks for your time.  :D

  • Unable to Port Forward

    6
    0 Votes
    6 Posts
    1k Views

    I managed to come right, thanks for your help.

  • Accessing LAN host from VLAN shows web configurator

    2
    0 Votes
    2 Posts
    688 Views
    Derelict

    Make internal DNS return the internal IP address when asked to resolve from LAN.

  • 0 Votes
    6 Posts
    1k Views
    johnpoz

    So you say in 4 you created a port forward and let it create the associated rule.  Then in 5 you say you created a new rule with

    Destination: "Any"

    That is not correct. Why would you create a rule with any as dest on your WAN??  When you create a forward, by default pfSense will create the required firewall WAN rule to allow that NAT/forward to work.

    Post up your WAN rules and your port forwards.. And we can see exactly what you have..

  • Unable to reach SSH through pfSense NAT

    3
    0 Votes
    3 Posts
    2k Views

    Hi Kom,

    Thanks for that, I changed that and it still didn't work. Then I realised the backup box had no gateway set up on its private interface.. Gave it 10.10.22.1 as a gateway and it now works fine. Thanks.

  • 1:1 NAT and Loopback/Reflection?

    3
    0 Votes
    3 Posts
    959 Views

    ugh, make me manage a split DNS system instead of being lazy cuz it already worked!! Makes sense if you are moving a lot of data but for small stuff, meh.

  • UDP forwarding not working 2.2.2

    12
    0 Votes
    12 Posts
    2k Views

    At around 4:00AM Thursday something happened to the configuration and now I'm seeing an even weirder issue. I cranked up the amount of diffs to keep in config history, but it's a bit late for that. The traffic is flowing from our remote host properly, but there are no rules anywhere for the port forward.

    Nothing shows for pfctl -sn | grep 9996, pfctl -sr | grep 9996, or grep 9996 /cf/conf/config.xml, but here are the tcpdumps (w.x.y.z being the remote IP and a.b.c.d being our WAN IP):

    [2.2.2-RELEASE][admin@pfSense.localdomain]/root: tcpdump -i bge0_vlan3 dst port 9996
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bge0_vlan3, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:06:58.109928 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.110272 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.110768 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.110951 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.111289 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.111784 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.112125 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.112284 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.571766 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    14:06:58.572108 IP w.x.y.z.37625 > a.b.c.d.9996: UDP, length 1464
    [2.2.2-RELEASE][admin@pfSense.localdomain]/root: tcpdump -i bge0_vlan4 dst port 9996
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bge0_vlan4, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:07:03.110049 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
    14:07:03.110200 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
    14:07:03.110541 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
    14:07:03.110723 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
    14:07:03.111061 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
    14:07:03.111402 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
    14:07:03.111559 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
    14:07:03.111898 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464
    14:07:03.112237 IP w.x.y.z.37625 > 10.0.0.10.9996: UDP, length 1464

    Here are the states for the port:

    bge0_vlan3 udp 10.0.0.10:9996 (a.b.c.d:9996) <- w.x.y.z:37625      NO_TRAFFIC:SINGLE
    bge0_vlan4 udp w.x.y.z:37625 -> 10.0.0.10:9996      SINGLE:NO_TRAFFIC

    It's "working" now, but if the connection drops I don't think it will start back up again.

    EDIT: Yeah, resetting states killed it. I re-added the rule with destination set to WAN address instead of any and it's working now. That's probably all it was.

  • TS3 Server cannot be reached

    Locked
    3
    0 Votes
    3 Posts
    1k Views

    Multipost here https://forum.pfsense.org/index.php?topic=94117.0

  • pfSense behind Cisco router, no internet connection

    5
    0 Votes
    5 Posts
    1k Views

    Thanks for the reply, johnpoz.
    I agree, that is how I think it should work, i.e. the Cisco would not know about the double NAT'ing.

    Oddly, I can get traffic FROM the internet to the network behind the pfSense and return data (i.e. NAT and PAT inwards to the pfSense),
    but not initiate connections from within.

    Anyway, we have changed the LAN and WAN interfaces on the pfSense, made some other changes and are routing traffic through two different internet connections.
    To be honest, I am surprised the new network topology works, but it does.

    On the Cisco forum as well, but I probably cannot action their suggestions as the unit is in production and I am not keen on changing the system drastically.

    thanks again for the reply.

  • Multi WAN port forward for Exchange 2010 OWA and ActiveSync

    6
    0 Votes
    6 Posts
    1k Views

    Thank you so much for the advice on the vIPs. The system seems to be working perfectly now.

  • Public dns redirect to internal host?

    3
    0 Votes
    3 Posts
    872 Views
    dotdash

    @beetlejelly:

    I tried using the "DNS Forwarder Override" using the documentation but it didn't work. Any help would be greatly appreciated.

    This is probably the best solution. Did you clear your DNS cache before deciding it didn't work?

    If you need to bounce the public IP back, this is NAT reflection. Look under Advanced, Firewall/NAT. I would recommend only checking the box 'Enable automatic outbound NAT for Reflection' and enabling Reflection selectively on the NAT rule.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.