• Multi-wan nat rules

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT AND Bridging?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Can any one help add this to server in any way

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    X

    The DC server just allows everyone to connect; all the work on the share, like sharing etc., gets done by the client software. The server is just to get everyone talking to one another, but I'll try it on another PC and OS.

  • Https

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    X

    All are on default; I haven't set up any rules as of yet. I'll disable it and test it to see what happens.

  • Multiples NAT 1:1 on same pc

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    A

    Dears,
    it is my fault, don't apply my public IP alias.

  • NAT didn't work

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    P

    You have to enable NAT reflection for you to get to internal IPs using the External IP from behind the firewall.

  • NAT with GRE tunnel issue

    Locked
    2
    0 Votes
    2 Posts
    5k Views
    P

    Which service are you using to setup the GRE tunnel?

  • Inconsistent routing and NAT HELP!

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P

    Could you post a screen shot of your manual outbound rules?

  • Outbound NAT and Proxy

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    marcellocM

    The outbound NAT is the last rule applied to the package.

    First you define rules, and if you need to route the packet to a different route, you define it in the advanced rule options. When the packet is leaving pfSense by interface x or y, then outbound NAT is applied if defined.

  • Port Forward Access Control

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    N

    @sriraminfotec:

    thanks for the response.
    Now is there no other way of getting authentication? The DVR does not have much security and the password can also be easily changed.
    When you mention outbound traffic, does not CP treat the traffic moving out of the DVR as outbound?

    Well, for authentication or restricted access you have a few options:

    Get a new DVR that supports a better Access Control List (ACL). Use VPN in conjunction with pfSense. Restrict inbound traffic to the DVR to a few known fixed/static IP addresses.

    It may not be ideal but a workable solution.

    The DVR will not initiate outbound traffic on its own unless it is going out to get software update checks or some function like alert notification, etc. All firewalls/proxies know or keep track of who starts the traffic (this is why they maintain state). In your example, the outbound traffic from the DVR was initiated by someone from the inbound (outside the WAN link), so the initiator is from the inbound side. To help you understand more of the inbound/outbound traffic, think of it as who started the request for the traffic: is the request started by someone/devices from the WAN (that would mean inbound) or someone/devices from the LAN (outbound).

    Hope this helps.

  • PORT FORWARD TO CCTV DVR

    Locked
    19
    0 Votes
    19 Posts
    21k Views
    S

    Hi
    Thanks for your replies. I could get it up and running. Of course, I did a factory reset also. I just added an alias for the ports needed by the DVR. Went to NAT port settings and did the rest as per Metu69's advice. Only I used the alias for the ports. The Source was any.
    It started working like a charm.
    Now I wanted to have captive portal so that anyone accessing the DVR from the remote using the dynamic DNS address should be presented with a login screen for access to the DVR. But I think this is not possible. Somewhere else I read that this is called reverse captive portal. I am not sure, so I request others not to take this as the last word on CP.
    Please suggest how security can be achieved if not using CP.
    Thanks

  • Forwarding port 25 for Exchange Server NOT Working

    Locked
    29
    0 Votes
    29 Posts
    19k Views
    T

    Finally working. Thanks all for the help and guidance.

    In the postfix forwarder tab for Domains to Forward, I had listed the exchange server and its internal IP, which was exch.domain.com. The not relaying error finally clicked with me that the mail was coming in as mail.domain.com. So I added that with the same internal IP to the Domains to Forward and things began to work. For good measure I added the root domain also.

    I am still having odd issues which I'll take to an exchange forum.

    I'm jazzed about pfSense, and hope to use it more. Great work!

  • Port Forward NAT vs Firewall Rules

    Locked
    5
    0 Votes
    5 Posts
    8k Views
    N

    @jimp:

    With pass, the traffic will pass that matches the NAT rule exactly. Some people prefer to have more fine-grained control over who/what is allowed to reach systems to which ports are forwarded.

    If it's a web server that the world can access, then pass may be OK. If it's a private system locked down to only a few remote IPs, then someone might want to add the nat and firewall rules separately and come up with a more complex set of rules to control access.

    Thanks. That really clears up my understanding of how the two features work.

  • Specify exit interface

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    A

    Thanks!

  • NAT between DMZ and LAN not working

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C

    Is there a reason you want to NAT between the DMZ and LAN, rather than just straight routing? There's no reason the LAN hosts and DMZ hosts shouldn't be able to find each other via default route (pfsense). You only need outbound NAT for LAN via WAN.

  • Assigning public IP addresses to some vLans

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    P

    IMO, I would use CARP. The reason why is that you can set up clustering later if you use that type of VIP. If you plan to never cluster, then ProxyARP or IP alias works really well also. If clustering is a possibility, it takes 3 public IPs to do that, so start using IPs at the end and work backwards assigning them.

  • Route all traffic through external proxy

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    marcellocM

    Proxy is for the HTTP protocol. Squid can proxy HTTP, FTP, HTTPS but cannot proxy SSH, for example.

    Redirecting all ports to Squid will not work.

    You have to find a proxy for each protocol you want to use, and HTTPS can't be transparent for many reasons.

  • Access to an internally hosted website.

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    P

    You don't need anything that CPU or space/memory intensive to accomplish what you are trying to do. IMO NAT reflection or Split DNS should suffice.

  • Nat an entire interface

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P

    All three networks are on the LAN? If so, then it is just a routing issue. Did you want those different subnets to have internet access? If so, then you are going to have to use Advanced outbound NAT and create a rule for each LAN subnet.

  • RDP remote desktop, XP works ,Win7 fails

    Locked
    6
    0 Votes
    6 Posts
    5k Views
    B

    Thank you to all that have made constructive suggestions.
    I still cannot get RDP to work remotely to Windows 7 Pro workstations.
    This is the procedure I do on the pfSense-1.2.3-RELEASE box, from a Windows XP Pro machine setup that works fine.

    1. In the NAT configuration page I simply change the internal IP address to one of the Windows 7 Pro workstation IP addresses, Save and Apply. (The CARP / public IP address I leave the same.)
    2. I then go to the firewall settings > WAN tab (the rule that is auto-generated by the RDP NAT rule), and change the internal IP address to reflect the Windows 7 Pro machine, Save and Apply.

    When trying RDP from a remote machine, the Windows 7 Pro machine session blinks just for a second and disappears. I have tried this on three different freshly imaged Windows 7 Pro machines, FYI.

    I do have the "Allow remote desktop from any version of RDP client machine" option selected.
    I have the Windows Firewall on the Windows 7 Pro machine disabled on all three possibilities here. The Windows Firewall is totally disabled, in other words.

    Also, I can in fact remote desktop to the Windows 7 Pro machine fine within our LAN, so it does appear something is not getting two-way communication between our LAN and the NAT'ted IP address.

    As soon as I change the internal IP address to one of our Windows XP Pro machines, the very same NAT'ted connection will work fine remotely.

    Thanks,
    Barry

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.