The ICMP redirect indicates some wrong or weird routing config. The ICMP unreachable either the same, or that you're rejecting the traffic with firewall rules.

Well I discovered an interesting way of fixing this that works better than split DNS (because there are ports forwarded to different machines). I actually discovered this by accident too lol.

A DMZ is setup for the pfsense machine and port forwarding from external connections has worked fine from the beginning.

My brother didn't think so though as he couldn't connect to his stuff when he tested it, but he was doing it internally using the public IP, thus the redirect problem broke his connection even though it works fine externally.

He ended up forwarding the ports he needed on the actiontech and pointed them to pfsense's WAN IP thinking that ports weren't actually being forwarded (which they were externally, but not on redirect). This ended up redirecting internal connections using the public IP correctly. So thought hmm, and decided to put in a rule that forwarded all ports to pfsense WAN IP (as shown in the attachment).

surprise surprise I no longer have to rely on split dns for internal redirects!

redirect.jpg
redirect.jpg_thumb

Hi jimp

I managed to find the issue. Problem lay with the mIRC client with this feature called "Passive DCC".
It MUST be disabled in order for the NAT to work properly.

Thanks for the assist and hope this thread helps others.

Just update to a current snapshot and you should be OK.

TCP * * 10.10.238.164 21 (FTP) *   NAT

TCP * * X.X.9.164 21 (FTP) *   NAT

TCP * * 10.10.238.164 50000 - 51000 *   NAT

thanks psylo

If you're re-writing the source address, on your LAN server, then you could get it to work - and that may be what you're doing. Just port forwarding however won't work.

You need to use different subnets (IP ranges) on the WAN and DMZ, or you need to bridge the WAN and DMZ. I assume that you've already tried configuring UPnP?

Btw. I am using PFSense 2.0RC1

Fitopy,

what type of H323 gatekeeper/SIP registrar is the TANDBERG device registered to?

What specific type of TANDBERG system is this, and what software is it running on?

It works fine, just have to create the appropriate outbound NAT. Post a screenshot of your outbound NAT rules.

I currently have a video tutorial uploading to YouTube as we speak, i hope this can help some people

You probably need rules for whatever port needed on your server, for example 80, 443, 22, 25, etc…I think on pfsense 2 I had to put the rules within the Floating rules tab. Not sure if 1.2.3 has this. I couldn't get it running on my older test system.

Hi,

You can set DMZ from zyxel to 192..168.10.3"pfsense" and port forward to server.

:)

Im a bit confused.. Why would you want to nat between vlans?

If you want to access 10.0.20.10, why would you not just rdp to 10.0.20.10??

I'm not sure what the problem was, but I tried again a few days later and it has been ok for the past 5 days now. Fingers crossed..  ;D

I did note one problem though, even though I had deleted an old Gateway via Interfaces, it was still showing up under System > Routing. Maybe that was why…  :-\

As far as I know ther is no "default allow bogons" rule, so it must be "block".

Further it would make no sense to add an additional "block any to any" rule because there is by default a "block any" rule on every interface.

But you are right, on the picture you can NOT see if it is block or allow.

Perhaps we should add, that firewall rules will take action from TOP to DOWN and if the any to any rull is block, than the secon one (NAT rule) will never be appllied.