• NAT IP mismatch

    0 Votes
    9 Posts
    2k Views

    Sorry, so slow to reply, I was busy in database setting.
    Thanks a lot, I found the problem is I should add a DNS mapping too in NAT Outbound just like your reply "on: April 11, 2014, 10:20:53 am »".
    The http://mxtoolbox.com/ is very useful. Now I check a domain with DNS&MX, A record is functional, appreciate your help.

  • Adding NAT Port Forwarding Rule Breaks WAN

    0 Votes
    4 Posts
    2k Views

    @doktornotor:

    Way damn too long. Post screenshots instead.

    lulz

    A single screenshot of the port forward would indeed be worth more than a wall of text in this case.

  • Routed 8 block via PPPoE - how to access the other IPs?

    0 Votes
    4 Posts
    3k Views

    First thing, disable or remove any packages or traffic shaping. They are not necessary for the function of the firewall. You will want to get it working before putting on advanced tools.
    You would only need OPT if you are going to run a DMZ. Otherwise, assign IP Aliases to the LocalHost interface for the extra IPs.
    Then there will be NAT to work on.

  • Dual WAN manual NAT being blocked by firewall?

    0 Votes
    6 Posts
    1k Views

    Changed it back to automatic mode and assigned different gateways in the allow all rules for both LAN 1 and LAN 2.

    That fixed it.

    Thanks for the support.

  • MOVED: Web cache server is not working for me

    Locked
    0 Votes
    1 Posts
    537 Views
    No one has replied
  • NAT Through Multi-WAN on pfSense

    0 Votes
    13 Posts
    2k Views

    Good. ;)

  • Port forwarding inaccessible when GW down

    0 Votes
    1 Posts
    569 Views
    No one has replied
  • Blocking certain wan IP on port xx

    0 Votes
    5 Posts
    1k Views

    OK. Thanks i will check the approach. Thank you.

  • Installing and configuring nat

    0 Votes
    2 Posts
    878 Views

    Have you set the GW for the LAN - remove it. Have you set a gateway for the WAN - you must have this. Then you need to apply your rules to allow web traffic from LAN to WAN.

  • Routing specific port traffic out incoming WAN

    0 Votes
    1 Posts
    617 Views
    No one has replied
  • 1:1 NAT or Port Forward with multiples WAN ???

    0 Votes
    2 Posts
    1k Views

    I think in your first screenshot, the second port forward rule is wrong - the destination address should be "WAN address", not your external IP. Change your highlighted virtual IP.


  • External transparent Squid: Redirect HTTP traffic with original client IP

    0 Votes
    1 Posts
    809 Views
    No one has replied
  • Multiple applications of the same IP on http

    0 Votes
    6 Posts
    1k Views

    @mmhan:

    Great point!

    It still would have been ideal to have them serve the site without using non-standard ports though.

    Well, you could always point the two DNS names to the same IP address and hope that the browser sends the URL as part of the HTTP requests (all modern browsers do this, I believe). Then the web server can figure out what web site to serve up. I know IIS can do this. I assume others can do this as well.

  • Problem with NAT or firewall rule with an TCP port

    0 Votes
    1 Posts
    631 Views
    No one has replied
  • Port Forward a custom IP Proto number?

    0 Votes
    2 Posts
    827 Views

    Uhm… System - Advanced - Networking - IPv6 over IPv4 Tunneling

    Enter the IP there. Done.

  • IPSec & NAT

    0 Votes
    4 Posts
    953 Views

    Well, it turns out the information originally provided to me was incorrect, and helps to answer why doktornotor questioned the validity of needing NAT! :)

    Turns out my local IP will be 172.20.50.243.
    There are 2 machines I am accessing on the other end, and they are 10.42.10.254 and 10.42.10.255.  I need to NAT from 192.168.1.0/24 to 172.20.50.243, as the other end rejects the connection otherwise.

    Does any of this make sense?

    Thanks,
    Daryl

  • Multiple lan with dual wan

    0 Votes
    4 Posts
    2k Views

    It would be easiest to keep this simple. Use automatic outbound NAT, so LAN, OPT1, OPT2… will get NAT applied on the way out of pfSense WAN. Doing it that way, the front-end modem, Netgear VPN router, whatever, do not need to have routes back to LAN, OPT1... subnets. Everything from your guest LANs behind pfSense will seem to come from the pfSense WAN IP.
    I expect you do not want the guests to be able to access any of the company workstations or other guest LANs. So you want to block traffic to any of that. Since those are all in 192.168.0.0/16, make an alias "LocalIntranet" for 192.168.0.0/16, then:

    LAN:
    Pass protocol TCP/UDP source LANnet destination LANaddress port DNS (53) - that lets them do DNS requests.
    Block protocol all source LANnet destination LocalIntranet - stop any traffic directed to other places in the local intranet.
    Pass protocol all source LANnet destination any - let everything else through - general internet access

    Then OPT1 becomes the similar thing:
    Pass protocol TCP/UDP source OPT1net destination OPT1address port DNS (53)
    Block protocol all source OPT1net destination LocalIntranet
    Pass protocol all source OPT1net destination any

    And you don't need any rules on WAN, unless you want to manage pfSense from the WAN side, then you could Pass source "some WAN IPs" destination WANaddress port (22, 80, 443, whatever)

  • Upgraded to 2.1.1 -> internet not working anymore

    0 Votes
    12 Posts
    2k Views

    @johnpoz:

    I would wipe your rules and start over. It's not like you have very many. If your 1194 is any indication you prob don't need most of the rules on there ;)

    Well at this point I could also reinstall pfSense 2.1.1 on new hardware since one disk failed ;)

    @johnpoz:

    Well it points to not having a clue to how to setup rules ;)  Or maintaining them - and your error is some rule can not load is it not?

    You're right. No clue about that.

    @johnpoz:

    Do you happen to be behind a NAT on pfsense wan?

    No. pfSense is my NAT/Firewall/Router.

  • Possible bug, port forwarded ranges

    0 Votes
    4 Posts
    1k Views

    So, at this point my problem has completely disappeared, for unknown reasons.

    All my udp ports are coming in, and everything is working great. I did enable "sloppy" for the state for rule regarding some vpn traffic, but the sip traffic isn't running over the ipsec tunnel, so not sure why that would matter here.

    I did also reinstall once, but I did restore the previously saved config and immediately following the reinstall, was still seeing the problem.

    Now, everything is working perfectly. fw, vpn, port forward, and have ntop running. I can finally decommission my old linux fw server.

    Thanks to all for a very nice product.

  • BUG! Pfsense 2.1 - UDP port 4500 breaks outbound NAT

    0 Votes
    9 Posts
    3k Views

    I don't know why it works that way – but it does. It would imply there is some sort of routing problem that the "scrubbing" is fixing behind the scenes.

    I normally don't like that kinda stuff -- I want stuff to work right. But as of today, I have both of my problems fixed (my vpn issue and my asterisk issue) and my pfsense installation is working perfectly.

    I did try a reinstall once -- but reloaded the saved configuration.

    One thing I did do that seems to have made my vpn solution work better, is enable "sloppy" for the state settings for the vpn rule. I had a problem with the asymmetric routing that was solved by changing that state mode for the vpn rule.

    As long as I don't need to disable the packet scrubbing, I'm good.

    Thanks!
    Jon

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.