• Reverse NAT

    0 Votes
    3 Posts
    1k Views

    So in the destination IP (where I would normally enter the LAN IP address), I should enter the remote SSH server's IP? I assume that if I need to connect to multiple SSH servers, I would just create an alias with the lists of IPs?

  • External access through dynalias redirect when on internal LAN

    0 Votes
    2 Posts
    749 Views

    You need to configure the NAT proxy. You'll find it in the "Advanced" section.

    System >> Advanced >> Networking

    The last section (bottom section) has a drop-down menu with the settings you need.

    If you do not want to proxy all traffic you can set it as per the rule. The settings are at the bottom of your NAT rule.

  • Unable to configure NAT

    0 Votes
    17 Posts
    3k Views

    Ok. Thanks.

    I foolishly did not include the AP's IP in the "allowed IPs" which bypass the captive portal. I did allow a whole range of IPs to bypass, which included the APs, but altered the range recently, excluding the AP in error.

    For the proxy, I have now excluded private address spaces from being cached.

    Now working, and now disabled, now I know it works  :P

    It's always so obvious!

    Thanks for the help!

  • Cannot test the port forward from the internal network.

    0 Votes
    2 Posts
    921 Views

    You need to enable NAT Reflection to access external port-forwarded resources from LAN like that.

  • L2TP/IPsec Won't Work

    0 Votes
    3 Posts
    1k Views

    It was impossible for me to get this working.

    I ended up just going with SSTP; I was trying to avoid buying a certificate.

    I port forwarded all the correct ports and IP protocols and it just didn't work.

    The only firewall I have used that does this correctly is Astaro… but it sucks compared to pfSense.

  • 6 WAN / 1 LAN + Port Forwards

    0 Votes
    1 Posts
    696 Views
    No one has replied
  • WS2012E not figuring out pfSense.

    0 Votes
    2 Posts
    1k Views

    Hi, did you manage to resolve this issue?

    I have the same problem but mine says "Internet connection is not available". I have UPnP enabled and even manually set the ports. The DDNS doesn't update my IP address to the domain name…

    Edit:

    It seems that it was a different issue: Hyper-V was enabled and therefore the DNS settings were not correct. Now it is running!

  • VoIP with Auerswald 5020 and 1&1 + Sipgate behind pfSense

    0 Votes
    12 Posts
    4k Views

    Thank you for your message. I will test that when I have enough time and give feedback.

  • Simple NAT rule failure - SOLVED

    0 Votes
    4 Posts
    819 Views

    Thanks for the answers, but the solution was very simple :) I use addresses (as you can see) from RFC1918, and pfSense by default blocked these IPs on the WAN interface. I disabled this block feature in the menu Interfaces\WAN, and then my forward rule worked perfectly.

    P3R: the source port of course: any

    Best regards
    Cofee

  • Port Forwarding Problem

    0 Votes
    15 Posts
    5k Views

    Thanks for the reply, kejianshi. I have not done anything related to rules or NAT definitions for ISAKMP or port 500. I was just reporting early on that I saw that traffic in the traces. I found out that my problem was not on the firewall but on the server I was trying to RDP to. It has an Internet-facing interface and an internal interface. The DG was defined on the Internet-facing interface. When I removed that and configured the DG on the internal interface, all was well.

  • HELP: Dual CARP/pFSync pFSense Routers + Multi-WAN + LAN + VoIP-Hybrid

    0 Votes
    2 Posts
    895 Views

    Update: Just reversed this whole configuration and tried using a CARP-IP on my primary WAN's scope and still no luck, same results.

  • Multiple physical LANs with NAT to one WAN

    0 Votes
    5 Posts
    1k Views

    @johnpoz:

    so you only have 1 device on this opt interface - can it ping pfsense IP on that interface?

    When you switch from auto to manual – all the automatic NATs should be listed. But yours looked to be all manually configured. There should be stuff for the local to WAN, and there should be statics for the 500, etc. So let's verify you didn't typo a mask or something or have something overlap?

    Auto really should just be left on unless you have some really oddball stuff to do, etc.

    So what does this device do when you do a trace? What do you see on a sniff of the interface, etc.? Does the device mask match? etc.

    Okay I got it fixed.

    I deleted all of the NAT rules that I had, and then re-enabled aon and I saw all of the rules you mentioned. I tried with it set on aon and I tried automatic; still didn't work. Reboots in between each setting change, nothing.

    I found a backup from before I followed this guide, http://www.retropixels.org/blog/use-pfsense-to-selectively-route-through-a-vpn, and now everything works when set to automatic. I believe that the order in which I added rules manually was why the automatic rules weren't displayed. Thanks for your help. Not sure if this is a bug or not? It was like the rules didn't really reset or something when switching back to automatic.

  • NAT stops working when I enable VPN client

    0 Votes
    7 Posts
    1k Views

    Could this post have anything to do with it? https://forum.pfsense.org/index.php?topic=80872.0

    As soon as I have more than one active gateway, pfSense seems to ignore the default and send traffic via the VPN. I'm wondering if this is why it is getting lost…

  • VoIP Phones Not Working behind Firewall

    0 Votes
    1 Posts
    909 Views
    No one has replied
  • pfSense and Fetchmail

    0 Votes
    2 Posts
    1k Views

    OK, additional information after looking into logs from old behavior (previous firewall) and new behavior (pfSense). It appears what is happening is that we are seeing timeouts (port closings) for approx 3 minutes in between account checks for our email. Email config is Outside = Google, Internal = Linux server. So fetchmail starts up, accesses Gmail for account 1, username/pword passes, email is pulled, and then we see a timeout for ~3 minutes. I think this is when the system closes the initial connection for account 1 and prepares to move to account 2. When it requests the port open for account 2, I believe there is some sort of default behavior that pfSense is doing that closes the port for X amount of minutes before allowing another connection to be made. Which in the end equals 70ish accounts averaging 1-2 min per account to pull email + 3~ min timeout between each account + 16.6 minutes (1000 seconds) for the default time to run fetchmail at the end of all accounts being pulled = a whole long time to pull email.

    If someone can shed some light I would appreciate this. Looking around under System > Advanced > Firewall, I have found a couple of timeout options. But I didn't know if they are related to having a timeout on the ports; also there is a NAT reflection mode timeout. I don't believe that is related to what I need or not.

    After a meeting this afternoon we are in the process of purchasing the VK-T40E firewall/router on the hardware page, but I will need these configurations set up for that one as well.

  • 0 Votes
    2 Posts
    2k Views

    I've helped myself.
    Obviously I had to restore outbound NAT rules. I don't know if I deleted NAT rules while playing or the NAT rules couldn't be built if the LAN interface is disabled.

    Resolution:
    I reinstalled pfSense with 2 interfaces. I've set up everything including OpenVPN.
    Then I switched outbound NAT rules from "Automatic outbound NAT rule generation" to "Manual Outbound NAT rule generation" and then changed Source addresses from LAN subnet to the subnet where the WAN interface resides. Also NAT Address has to have value "WAN address". The final step was to disable LAN interface. Now if I create OpenVPN tunnel I am able to access servers which are in the same LAN as the WAN interface.

    ![Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/Firewall_ NAT_ Outbound.png)

  • Deleting individual UPnP forwards

    0 Votes
    2 Posts
    716 Views

    So I've read that pfctl doesn't support adding or deleting a rule like iptables does. Is that still the case? Is there a way I can dump the rules, modify them, and then reload them?

  • RouterModem + pfsense Router

    0 Votes
    2 Posts
    938 Views

    You should switch the router to bridge mode if this is possible and configure your public IP on pfSense's WAN interface.
    In your setup you do double-NAT and there are issues if you want to reach a host behind it from the internet.

    You may also switch your pfSense to bridge mode, but when you do so you cannot use services on pfSense like captive portal or VPN server.

  • 0 Votes
    2 Posts
    726 Views

    Why don't you kick the router away and let pfSense do the whole work?

    If you want to use DHCP and captive portal on pfSense it would be inevitable to have different subnets configured at its interfaces, so it will have to do NAT also.

  • NAT not working after update from 2.x.x to 2.1.4

    0 Votes
    2 Posts
    714 Views

    This can occur if the overall table entries exceed the configured maximum table entries. pfBlocker uses some huge tables, so it will be required to increase this value.

    You can do this in System: Advanced: Firewall and NAT.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.