• General NAT question as per sticky (Port Forward Troubleshooting)

    Locked | 3 Posts | 0 Votes | 2k Views

    Thanks for your help.

    Wikus

  • Can't port forward

    Locked | 44 Posts | 0 Votes | 17k Views | johnpoz

    The only problem with the segmentation would be that the browse list would not work. You would only ever see boxes on your own network with a browse list.

    But that browse list has NOTHING to do with sharing of files - nothing!

    Glad you got it working.

  • Domain not accessible from Internal Network

    Locked | 4 Posts | 0 Votes | 2k Views | johnpoz

    Well, if you're not doing NAT,

    how do you expect it to work, in how I understand your configuration?

    Does firewall 1 have a route to 10.10.10.x?

    So let's say a box on the 10.10.10 network gets IP 10.10.10.47 and his gateway is firewall 2 at 10.10.10.254.  This fw2 says, OK, I don't have any interfaces on where you're trying to go (the public IP), so let me send it to my gateway (fw1) at 10.10.1.254.  BTW, I assume you have a /24 or something on these networks to distinguish these 10.10.10 and 10.10.1 networks?

    Now, does fw1's LAN rule allow traffic on its LAN from that network?  Even if it does and says OK, let's send on that traffic to the public IP.  When the response comes back, where is fw1 supposed to send it?  Even if he has state in his NAT table that his public relates to 10.10.10.47,

    he doesn't have any interfaces in that network, so why would he know to send it back to 10.10.1.26?

    Let's say you're trying to access a host in 10.10.1.x at .56, so fw2 sends on that traffic and the host at 10.10.1.56 gets it.  But he is going to say, well, 10.10.10.47 is not on my network, so he sends his response to his gateway fw1.  fw1 says, I don't have any network or route for 10.10.10, so he would just send on that traffic to his gateway (the internet).

    So you can either do NAT at your fw2 so any traffic behind it just looks like traffic from the 10.10.1 network, or you need to configure the routing for that network on fw1 or the hosts in 10.10.1 to know how to get to 10.10.10.

    If you're using masks so that both 10.10.1 and 10.10.10 look to be on the same network, say a /8 or /16, then you have other issues where it's not going to work either.  Because traffic at fw1 from 10.10.10 is going to look like it's local to fw1's interface, and again it would never send responses to fw2's interface in zone 1.

  • External ip redirect to another external ip

    Locked | 6 Posts | 0 Votes | 2k Views

    Very true; unfortunately, other providers will set what they feel suits them best, and often costs them less in resources / money.

    I will say though, I have had pretty good luck myself, and I am located in Costa Rica, but we have an ISP linked direct into Miami.

  • VOIP - Basic configuration of pfSense

    Locked | 4 Posts | 0 Votes | 7k Views

    You must create the proper NAT rule for the 2nd IP, set static port NAT and create firewall rules to ensure the traffic is routed through the correct gateway.

    Then forward inbound port 35300 as requested by the installer. You should not have to forward the UDP port range inbound, unless either the PBX or the carrier is not properly handling the NAT, but normally ensure there's no firewall rule that will block/reject the traffic. In case you believe you need to forward the ports, ensure you have set "Log packets blocked by the default rule" under Status > System Log > Settings and then watch Status > System Log > Firewall while placing test calls.

  • Large scale NATing for ISP (50k subscribers and 2millions+ sessions)

    Locked | 8 Posts | 0 Votes | 2k Views

    I would think with that many sessions you would be looking into some high-end equipment from Cisco or someone…

    vs. open source and a self-bought server.

    Or are you planning to use some proper "server" grade hardware?

  • Dual NAT requriement - suggestions on implementation

    Locked | 5 Posts | 0 Votes | 2k Views

    @peterpf:

    I am not sure if I clearly understand your config, but host-only networking on VMware means "host only", like an internal network: no packets out.
    Bridge your VMs' network cards out to the wire, and let pfSense do DHCP or give the VMs themselves the address you want.
    If you bring no packet out of the VMs, nothing happens at pfSense.

    This is the easiest way to do it, and almost the proper way to do it really.

  • Simple 2-LAN, 1-WAN config? mainly subnetting questions

    Locked | 5 Posts | 0 Votes | 2k Views

    VLANs?

  • Outbound Traffic to IP redirect to another IP?

    Locked | 6 Posts | 0 Votes | 20k Views

    Firewall > NAT > Outbound NAT

    manual mode

    You assign the internal LAN IP to go out over the Virtual IPs / WAN IPs you have assigned in the system.

  • Multiple Webserver, one public IP

    Locked | 5 Posts | 0 Votes | 3k Views

    Reverse Proxy.

    The reverse proxy handles all incoming connections and, based on HTTP headers, directs them to the LAN server you set it to.

  • 5 Posts | 0 Votes | 2k Views

    Basically what both packages do is create a "reverse" proxy, with which you then can use "headers" to determine what traffic goes to what web site (I believe).

    If you have the "same" site on all 3 servers, then you need to set up your web servers with 1 single "virtual IP" which then tries each web server and responds on the first one.

    This all depends: are your web servers on Linux or Windows IIS?

  • PFSENSE PORT PROB

    Locked | 2 Posts | 0 Votes | 1k Views | johnpoz

    Well, for starters, you're behind a NAT on your WAN, so you can forward all day long on pfSense; it's never going to see that traffic unless you forward to the pfSense WAN IP 192.168.1.103 on the device that is giving pfSense that IP.

    And then the next thing I see wrong with that setup is your WAN IP is actually inside your LAN IP scope. You put a /16 on your LAN, which makes your WAN a subnet of your LAN address space, not something you would want to do.

  • NAT site-to-site VPN

    Locked | 14 Posts | 0 Votes | 5k Views

    The main reason I don't want to change my IP range at home is because I am a geek.  I have about a dozen or two devices (depending on what you count.)  About half of them are dhcp, while the other half are servers.  I have two windows AD domains, a virtualization infrastructure, redundant dns servers and dhcp servers, I serve an openvpn mobile vpn server for when I'm on the road and want to VPN into my house.  I have site-vpn's with other companies, where I would need to reconfigure both my pfsense, and also other companies' firewalls in order to accommodate the IP change, etc blah, etc blah.

    I estimate renumbering my home to be around 1 day of work.  I am, in and of myself, a small company.

    In any event, I think this thread is done.  The conclusions are:

    At present in 2.0.5, pfSense can't do NAT before IPsec VPN, but it can for ovpn, and it might be able to do NAT before IPsec when 2.1 gets released.

    If I need to do the NAT before VPN at present, I can daisy-chain two pfSense firewalls. Let one handle the VPN, let the other handle NAT.

    I was actually able to work around it by adding a NIC to pfSense: assign an IP on a subnet that doesn't overlap my internal LAN, and put both subnets onto the same wire (would have been even better if I had a separate LAN or VLAN).  So I don't VPN directly from the LAN to the remote side.  Any internal machines at my end that need the VPN shall have a second IP address in the second subnet, and a static route to reach the VPN via this second subnet.  I'm currently using this solution; it works.

    Thanks everyone for your help and suggestions and ideas.

  • VPN Passthrough

    Locked | 5 Posts | 0 Votes | 4k Views | johnpoz

    You mention LAN client; just so we are clear, you're trying to run your PPTP server on this 2008 box that sits behind your pfSense and you want to allow clients from the internet to get to it.

    Or are you saying you're wanting a client behind pfSense to get to a remote PPTP server?

    pfSense can act as the PPTP server and be your endpoint; this might be a better setup than an endpoint inside your network.

  • Port forwarding is not working

    Locked | 23 Posts | 0 Votes | 7k Views

    A donation has been sent. [Clink of beer glasses] Cheers!

    Thank you very much for your help.

    Randy

  • 3 Posts | 0 Votes | 2k Views

    There's no other option, have to have manual outbound for that.

  • IP masquerading question

    Locked | 3 Posts | 0 Votes | 2k Views

    I actually just Forrest Gumped it and got it working.

    Dunno what the actual problem was, but I (yet again) removed all NATs and rules and toggled the auto/manual creation on the outbound rule page.

    Thanks for your time!

  • External IP NAT

    Locked | 2 Posts | 0 Votes | 1k Views

    If I understand you correctly, they want to use live IPs on the LAN. There is nothing you can really do about NAT in that situation, but you can set up pfSense as a transparent firewall. This utilizes the bridging feature in pfSense.

  • NAT to remote private network (across VPN)

    Locked | 7 Posts | 0 Votes | 6k Views

    Ok I got it working now.

    Here are all the parts (I include the firewall rules too for the full task):

    NAT

    Port Forward:

    If: WAN
    Proto: TCP
    Src. addr: public_remote_client
    Src. ports: *
    Dest. addr: WAN Address (or a virtual IP, in my case I DID)
    Dest. ports: 80
    NAT IP: remote_server across VPN
    NAT Ports: 80
    Description: NAT 80 to remote server

    Outbound NAT:

    First rule (this rule has Do Not NAT checked):

    If: OpenVPN
    Source: remote network subnet across VPN
    Src. ports: *
    Dest. addr: *
    Dest. ports: *
    NAT Addr: *
    NAT Port: *
    Description: Do Not NAT for remote subnet across VPN

    Second rule:

    If: OpenVPN
    Source: any
    Src. ports: *
    Dest. addr: remote_server across VPN
    Dest. ports: 80
    NAT Addr: *
    NAT Port: *
    Description: NAT for remote_server on remote subnet across VPN

    Firewall

    Rule for the public facing interface (i.e. WAN) for public_remote_client to pass to remote_server across VPN:

    Proto: TCP
    Source: public_remote_client
    Source port: *
    Destination: remote_server across VPN
    Destination port: 80
    Gateway: *
    Queue: none
    Schedule: (none)
    Description: Pass traffic to remote_server across VPN

    And the final part for my saga…

    On the remote router across the VPN (siteB), I firewall the LAN interface there.  I needed to allow the "remote_server across VPN" to be able to talk to the VPN subnet.  I used a /30 netmask for 4 hosts, 2 usable since it's just a site-to-site, i.e. 10.8.8.0/30.

    So a firewall rule for that would look like this:

    Proto: TCP
    Source: remote_server across VPN
    Source port: *
    Destination: OpenVPN subnet
    Destination port: *
    Gateway: *
    Queue: none
    Schedule: (none)
    Description: Allow remote_server across VPN reply back to OpenVPN subnet.

    Hope this helps someone, it sucked for a couple days.  Thanks cmb and Jimp!
    The post doesn't look very good without a decent size LCD as it gets smashed on more lines and goes out of whack, fyi.

  • Reload firewall rules via SSH

    Locked | 3 Posts | 0 Votes | 12k Views

    That seems the only part that was missing.  Thanks a lot!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.