Thanks!

If you have a local PPTP client you do not need any port forwards. The forwarding for tcp/1723 and GRE would only need to be done for PPTP servers.

Is there something that did not work for the client with just the normal entries?

@althornin:

@submicron:

2.0 is released, stop mucking about with 1.2.3.

Well, I plan on upgrading, but thought that maybe in the interim someone could offer a solution until my next maintenance window.

I just labbed this out with a spare ALIX and my current config (install 1.2.3, restored my current config to it, upgraded to 2.0) and the issue does appear to be resolved in 2.0.

Fair enough, I now know what I'll be doing in my next maintenance window.

Define "not working". You need a virtual IP and didn't mention adding that, that's my first guess.

Turns out the ISP was wrong..

They said I had 8 IP's but I actually only have 1.

I fixed my problem. Here it's my solution.

On 1.2.3 I had the LAN card with two IPs (you needed to modify manually the config file for it). One used for routing (starts with 172) to other networks and the near lan ip address (starts with 192). I have also a lot of static routes created using a gateway on the 172 network.

The problem seems to be a bad startup of the pfSense 2.0, because the IP Alias are set after the static routes creation. And it should be any problem with it because they do not appear on the netstat -r. And when I enter to the webconfigurator some services were down (¿due to a blocked startup script or one script exiting before ending due to an error?).

I set the 172 ip address to the LAN and set the 192 ip address as alias doing a backup, edit, restore process. On the next reboot all the routes (netstat -r) were show, all the processes are UP after the reboot and the NAT works ok.

thanks…
that was so simple... on iptables i had to do some acrobatic things with NETMAP and so on...

thank you again for the help

now i face a very serious problem.
i have 600 internet user's, thats why i installed to pfsense server which is core 2 duo with 4 GB RAM,

one server is working fine perfect.
second server is having problem within few days.
problem is all user's have a message in there browser "THE CONNECTION WAS RESET"
then when i disable option "Allow users on interface" its working fine then when i enable this option again user's have same problem another server is working fine why this happen i could not understand a already format and reinstall this server but still m there.

kindly do any body favor its too urgent for me…

Thanks
Mohan Rao

mohanrao83@gmail.com

When you cannot or do not want to change the default gateway, you can use outbound NAT to your server so that it sees everything as coming from your pfSense box, and thus will know to where to send replies.

The default NAT rule is * *, all you are doing is telling it to use static port with certain traffic. I do this without any firewall rule for SIP registration, or forward port 5060 when they call direct (i.e. sip:extension@host:5060) in that case you would want to get the IP(s) of your provider and only allow theirs.

It is now working as it should.  Factory reset.. probably a bad beta package.. no more aggravation.

After you setup the 1:1, your firewall rules with be source is any/any and destination will be to internalalias/internalport.

Reflection does not apply to uPNP.

It works on any port so long as it's not a port range larger than 500 ports. So if you forwarded 15000-15400 that would work, but if you forward 15000-16000 that wouldn't reflect.

I finally figured this out.  Turns out it had nothing to do with pfSense; the duplicate ping responses were caused by a D-Link DGS-3612G L3 switch with buggy old firmware.  Updating the firmware fixed the problem.

@bdwyer:

@MTHead:

So it sounds like what Cisco calls "PAT" is what I've always called "port forwarding" (and, in fact, in the pfSense GUI it's the "Port Forward" tab on the "NAT" page.)

No, that is static PAT.  When he is talking about internet traffic and PAT, he is referring to dynamic PAT, where the translations are done automatically for your users so that the web host can communicate directly to the correct computer behind the source gateway.  A static PAT mapping would be mapping a certain port to always go to a certain internal host, akin to what your talking about for port forwarding.

If you want to reference to pfSense, the closest thing to explain what dynamic PAT is would be the Firewall : NAT : Outbound page.

Thank you for that!

Just found this over in the Routing / Multi Wan This might be of some help but seems like I have done this before.

http://forum.pfsense.org/index.php/topic,43107.0.html

For the record, let me explain why this happened (now that I think I understood it!)

In this case, by selecting a gateway on the LINK interface, it became a "WAN type" connection. As the hint says on the Outbound NAT page, "rules are not added automatically for WAN type connections". In this particular case, the LINK interface is actually both a WAN (when failover gets activated) and LAN (always). So a manual Outbound NAT rule is needed in order to allow translation between the WAN and the LINK subnet (for monitoring to work). I also had to delete the LAN to LINK outbound NAT rules as my config involves just routing over there.

Cheers!

Glad to hear it! Feel free to contribute to the Documentation yourself now that you've figured a few things out :)