• Public dns redirect to internal host?

    3
    0 Votes
    3 Posts
    872 Views
    dotdashD

    @beetlejelly:

    I tried using the "DNS Forwarder Override" using the documentation but it didn't work. Any help would be greatly appreciated.

    This is probably the best solution. Did you clear your DNS cache before deciding it didn't work?

    If you need to bounce the public IP back, this is NAT reflection. Look under advanced, firewall nat. I would recommend only checking the box 'Enable automatic outbound NAT for Reflection' and enabling Reflection selectively on the NAT rule.

  • Multiple WAN and port forward

    4
    0 Votes
    4 Posts
    850 Views
    dotdashD

    @Phatsta:

    Actually I tried that. What happens is the rule changes interface, that's all. Maybe I did something wrong, but I don't think so. I'll check it again to make sure.

    Post the NAT and firewall rules. I do this all the time. Not with 3G specifically, but with different providers.

  • Different outside port than inside port.

    3
    0 Votes
    3 Posts
    732 Views
    KOMK

    Destination is usually WAN Address.  Do you have the proper firewall rule to go along with the port forward?

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

  • NAT dynamic dns

    1
    0 Votes
    1 Posts
    635 Views
    No one has replied
  • How to simple portforward to a specific host?

    6
    0 Votes
    6 Posts
    968 Views
    KOMK

    For SVN server, will I still use TCP/UDP for the protocol?

    Yes.  The function of the server has no relation to the communications protocol.  It's like asking if I can still drive on the road if my car is a Blue Toyota.  The road is the road and can handle all cars, regardless of maker or colour.

  • Can't get emails

    25
    0 Votes
    25 Posts
    4k Views
    vallumV

    @Baldur:

    @Derelict:

    Web server?

    I think you're looking at your local network when the problem lies elsewhere.

    I'm more specifically looking at the pfSense box as a whole. What could the router do to prevent email from getting in? If it's not the problem, then it's not my problem.

    Hey,
    I guess your friend has configured an offline client (Outlook, Windows Live, etc.) on a LAN PC.
    In order to diagnose, first you have to SSH into pfSense and from the terminal do a Telnet to the MX of the mail server on port 995 or 110 (this is configured on the offline client). Are you able to do it?

  • NAT only for Group of WAN IP's?

    2
    0 Votes
    2 Posts
    748 Views
    M

    If I understand your query correctly, what you're looking to do is create an Alias, which you can populate with IP addresses of your choice. You can then assign the alias as the source for the NAT rule and use it in the corresponding firewall rule. So for 'WAN IP group', think 'Alias'.

  • Port forwarding to additional IPs

    3
    0 Votes
    3 Posts
    699 Views
    B

    Was using IP alias.. I did read somewhere Proxy ARP IP type should be used when the IPs are in the same subnet, don't know if this is accurate or not.

    But anyway, problem was, traffic shaper was causing any changes to firewall/nat to not take effect until system reboot. Removed the shaper, and all is good now. Thanks!

  • Trying to NAT on 2 pfSense boxes on the same LAN and different WAN

    13
    0 Votes
    13 Posts
    2k Views
    F

    Just a follow up :

    We made the switch 9 days ago and it's been a painless process. Everything was well planned, if I may say ;)

    Cerberus (the new firewall) was carefully tested by a few selected people before that. The only remaining issue was NAT related, because the servers were not using the new gateway.

    We chose a Saturday to put the new firewall in production.

    We basically:

    deactivated the LAN DHCP server on the "old" firewall

    activated the LAN DHCP server on Cerberus.

    Turned off the "old" firewall.

    Shut down and restarted all the servers / VM / network printers / wifi AP so they could use the new gateway.

    We had to tinker with the vHost/domain server/Terminal server DNS configuration, but it was solved in under an hour. Mainly because I never touch those servers (this is outsourced to a private company), so I had to google my way around to find where to make according changes.

    I'm now in the process of configuring CARP / pfsync / XML-RPC between the 2 pfsense appliances.

    Thanks to everyone for their help !

    fabrice

  • 2.2.2 Breaks NAT – firmware bug?

    4
    0 Votes
    4 Posts
    999 Views
    johnpozJ

    And what version of vmware are you hosting these on?  I have not had any issues with port forwards after upgrading to 2.2.2 from 2.1.5 to 2.2 to 2.2.1, etc..

    What vmware tools are you running?  2.2 is broken with native tools for example.

    I have to assume you're 5.5u2 at min, and what tools?  You're sure it's the default rule?  What forwards are not working?  Why don't you enable listing the exact rule in the log, etc.

  • Not really SOLVED: Outbound NAT not working

    6
    0 Votes
    6 Posts
    2k Views
    DerelictD

    I have seen this happen once before.  It occurred when I was messing with the shaper, got it into a state in which it wouldn't load (like the percentages added up to more than 100%) then got distracted and went on to something else.

    Then I wanted to add a port forward and it wouldn't take.  Finally checked my rules with pfctl like you did and saw the warnings familiar to everyone who has configured hfsc.

    Fixed that and it was all working again.

    It's unfortunate that the only time you see the queue loading errors is when you're configuring queues.

    The rules reloading later don't generate any feedback and pretty much silently fail.

    I don't believe my circumstance as something that will just fail later out-of-the-blue.  It was 100% caused by me and 100% correctable.

  • NAT Reflection broken since upgrade to 2.2

    17
    0 Votes
    17 Posts
    3k Views
    D

    Well, I simply do not think your configuration state is anywhere near sane. Things like the above are really impossible to configure via the GUI. God knows what else got screwed. Would flush this down the drain and restart from scratch.

  • MOVED: Single public IP, 2 Domain reverse proxy

    Locked
    1
    0 Votes
    1 Posts
    560 Views
    No one has replied
  • NAT and multiple subnets via VLAN

    6
    0 Votes
    6 Posts
    4k Views
    DerelictD

    Cool.  That must be new in 2.2.  I use manual just about everywhere so I don't see it.

  • Port forwarding for ventrilo

    2
    0 Votes
    2 Posts
    944 Views
    KOMK

    Your port-forwards look ok.  The Ventrilo site mentions that they require ports 3784 TCP/UDP as well as 6100 UDP.  They don't mention 11610 at all unless it's been changed from default.

  • NAT and URL identifier

    7
    0 Votes
    7 Posts
    1k Views
    KOMK

    pfSense can assume other IP addresses, but it can't assume domains.  You still haven't really explained what you're trying to do, but I assume you are wanting to internally route one or more services based on the requested domain.  We all understand the concept of virtual domains, and all modern web servers support them.  pfSense and other routing firewalls support virtual IP addresses but they are not concerned with domains.  pfSense by itself has no idea about domains.  You can install extra packages like HAProxy to do reverse proxying or load balancing, if that is what you want.

  • Port Forward

    5
    0 Votes
    5 Posts
    1k Views
    K

    Make sure the port is listening, because I had that problem; once it was listening it worked. Another thing: Windows firewall might block it too; try to disable Windows firewall and try it. If you also have Comodo firewall, also disable it.

  • SMTP redirection

    19
    0 Votes
    19 Posts
    3k Views
    DerelictD

    Security is another issue entirely.

    OP wanted to know how to translate connections to a mail server on 25 to 587.

    The port forward does that.

  • NTP Redirection Fails

    17
    0 Votes
    17 Posts
    4k Views
    R

    @johnpoz:

    It's not using itself as a reference - I have an ntp server running on 192.168.1.40.. If I query it, it's using stratum 1 servers..  All my boxes and devices use it as ref, that first one is my pc I am on, then I changed over and looked at the server, then last one is pfsense showing what it's talking to.

    As you can see pfsense uses 192.168.1.40 as its ref, not itself. Pfsense is a vm - using it as a time source would be pretty inaccurate.

    Got it.  Thanks.

    @johnpoz:

    As to w32tm yes it is an ok tool for that sort of thing..  As to what you were using to sync - that analog X or whatever, why??  Why not just run ntp?  Runs on pretty much anything, as you can see it's running on windows..  While w32tm is not a bad cmd line tool for troubleshooting, the time sync in windows is a bit lacking.  I always just turn it off and install ntp directly.  You can get latest builds from here http://www.satsignal.eu/ntp/setup.html

    I was just using AnalogX for testing.  I wanted a free, simple NTP client that I knew how to use.

    I wasn't using w32tm at the command line because I didn't know how to.  I tried playing with settings in the time/date menu, but I found that it wasn't particularly reliable.  Outside of testing, I've found that the Windows utility both fails often, and isn't easily configurable to sync more than once per week (playing with the registry doesn't seem to fix it permanently - I just had it reset back to once per week by itself.)  On two machines in particular I have several reasons for wanting to keep the clocks within a couple seconds of the real time, I've generally found I (usually) lose more than that over a week.  So, thanks for the link to the ntp utility.  I'll give it a try.

  • 0 Votes
    5 Posts
    963 Views
    G

    well.. that is not good news…  :-\

    thanks for reply...

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.