• 1:1 NAT / Port Forward Over Site-Site VPN

    0 Votes
    2 Posts
    750 Views
    jimp

    That isn't possible with IPsec, unless on the Phase 2, the site A side is defined as 0.0.0.0/0 to send all traffic back over IPsec (at least from a source of 10.10.20.55).

    It's possible with OpenVPN and has been described several times around the forum and mailing list. It requires assigning the OpenVPN interface and moving some rules around but it works fine.

  • Forward IP to IP port

    0 Votes
    2 Posts
    1k Views

    Hi there,

    I'm a little confused by your question, is 192.168.3.x your LAN network, WAN network, something else?

    What's wrong with typing 192.168.3.50:8000 in your browser?

    If you can give us a better description of your network (post a simple diagram), maybe we can help.

  • SIP Registration Failed

    0 Votes
    6 Posts
    3k Views

    Hi chpalmer,

    Point your devices to the siproxd or to the provider's SIP server?
    Can you please provide some screenshots of your firewall rules and NAT settings? That would be great!  :P

    Matthias

  • IP Cam and Router settings

    0 Votes
    2 Posts
    1k Views

    Unless you mistyped it in here, your gateway is not in the same subnet as your network. Because of that, it won't route.
    The gateway should probably be 192.168.1.1 or the LAN/OPT IP address of pfSense.

  • MULTIPLE IPS - WAN SETUP TO DIFFERENT LAN SEGMENTS

    0 Votes
    2 Posts
    1k Views

    With IP Aliases you can assign each IP you got from your ISP to your WAN interface. However, this isn't necessary for your goal, since you have assigned the whole net segment (/28) to WAN if, but it's an advantage in clarity for handling the IPs in pfSense, I think. And it's recommended.

    With 1:1 NAT and port forwarding you can handle incoming traffic (into pfSense), but you want to impact outbound traffic here. So you will need to configure outbound NAT for your requirements.

    On the outbound tab in Firewall > NAT, select "Manual Outbound NAT rule generation" and click Save. Then you should see a list of automatically generated rules for all your assigned subnets under Mappings. Edit these rules, or create them manually if they don't exist. Under source, choose the subnet you want to handle, leave protocol, source port and destination set to any, and at Translation address you can select the IP Alias you have defined before; if you don't, select Other Subnet and enter IP and mask below. Leave the translation port set to any.

  • 0 Votes
    4 Posts
    1k Views

    @dotdash:

    Go to NAT, Outbound. (If you are not using advanced outbound NAT, change and save.)
    Make a rule on the WAN with the ip of the mail server/32 as the source and the NAT and the NAT address the public IP you want it to use. Move this rule before the auto-created LAN-WAN rule.

    Thanks… I forgot to mention that I was already using 1:1 and IP aliases. My problem was that the incoming IP was on one WAN and the server was assigned the other WAN as its outgoing gateway and therefore was using an improper IP. I added an alias to the server on the other WAN and now it is using the proper reverse.

    @chpalmer:

    You're showing your paygrade!  ;D ;D

    That's because your reverse DNS does not match your server's "Banner" or welcome message. We bounce people for that as well.

    Use mxtoolbox.com and do an SMTP test on your server.

    If you're behind a dynamic address then you will continue to have problems.

    Otherwise you can:

    1. attempt to get your ISP to change your reverse DNS to match your server's banner or

    2. change your server's banner to match your reverse DNS.

    This is not a pfSense problem.

    If you are determined to run your own email server I'd recommend you either hire an outside firm to help you get it set up properly or take a crash course in email.  :)    There are many aspects of running an email server that can cause you to pull your hair out that are not readily apparent. One misconfiguration and you're an open relay. Just wait when you try and come back from that!

    As for this… I won't get into an argument about mail server setup and which rules and guidelines who follows. You hacked around and got to me after I put my temporary fix into place. I handle the reverse and forward DNS for my domains and IPs. I handle the email server as well. mxtoolbox is reporting no errors or warnings for my mail domain and the one provider who was rejecting mail is now processing.

    Thanks all!

  • Enabling manual outbound NAT broke firewall

    0 Votes
    1 Posts
    646 Views
    No one has replied
  • Accessing modem from inside firewall pfsense 2.1 and 2.1.1 not work

    0 Votes
    21 Posts
    4k Views

    Speedtouch PPPoA-to-PPTP Bridge, wow, I have not seen or written those words in a long time. The default IP of the modem is actually 10.10.10.138, or see the manual for the "ping of life" procedure, but don't use the 11.11.11.138 address! I think you can put them all in the same subnet. Once you have the correct subnet you will have to uncheck "block private networks" under the modem's interface.

  • NAT external IP to internal one + port

    0 Votes
    1 Posts
    674 Views
    No one has replied
  • Advanced double NAT VPN question

    0 Votes
    1 Posts
    734 Views
    No one has replied
  • Issue with SIP client behind the pfsense

    0 Votes
    3 Posts
    980 Views
    chpalmer

    4. use the siproxd package.

  • BINAT OK over IPsec on 2.1?

    0 Votes
    2 Posts
    933 Views
    jimp

    Yes, NAT+IPsec works fine on 2.1 and later.

    It's close to what you said: Select Type=LAN Subnet, and then in the NAT options directly under that choice, pick Network and then enter 192.168.70.0/24

    Firewall rules would still refer to 192.168.1.x (rules after NAT, as always)

  • Regenerate outbound NAT rules

    0 Votes
    2 Posts
    1k Views

    The rules are always generated automatically.

    If you want to adjust them, select "Manual Outbound NAT rule generation" and click Save. After that the rules are displayed.

  • NAT before IPSec

    0 Votes
    23 Posts
    7k Views

    I used it with network addresses only. E.g. 192.168.10.0/24 to 192.168.5.0/24.

  • Can't access Webserver Externally on new port

    0 Votes
    4 Posts
    1k Views

    It ended up being that the webserver had a different gateway than the pfSense one.  It would forward the information and then not get back to the same place.  Thanks for the help.

  • MOVED: NAt

    Locked
    0 Votes
    1 Posts
    548 Views
    No one has replied
  • Redirecting a LAN IP to Another LAN IP

    0 Votes
    2 Posts
    1k Views
    johnpoz

    Here is the thing, say 192.168.1.10 wants to go to 192.168.1.40

    Why would it go to pfsense IP?  192.168.1.?

    The only time pfsense is talked to is when you're trying to leave your own network segment.  If your network segment is 192.168.1.0/24 – talking to any IP address on 192.168.1.1-254 would not talk to pfsense.  So your redirect doesn't work.

    Now if pfsense IP address is 192.168.1.40 - then sure you could redirect traffic to some other IP..  Or if the IP address is something other than pfsense address and on a different network segment, say internet, etc.  And traffic would go to pfsense then sure you can redirect it to where you want.  You could redirect say all DNS queries this way, or you could say redirect http to your webserver that says hey you can not surf the web from here, etc..

  • Having trouble routing between interfaces

    0 Votes
    8 Posts
    2k Views
    johnpoz

    Why are you putting wan1??  Do you use wan one to get to your other segment?  Then why are you putting a gateway?  Leave the gateway blank so pfsense can use its own routing table to get there.  Look in your routing table.. Pfsense has an interface in that network - so it knows how to get there.

  • Port Forwarding Trouble - Rules Ignored

    0 Votes
    2 Posts
    918 Views
    johnpoz

    You are trying to create the wan rules on your own vs letting the forward create them for you?

    Post your wan rules and your port forwards.

    Port forwards are really click click - just let, which is the default, the port forward create the wan rule for you automatically.

  • Avaya IP Office issues

    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.