• NAT over IPSec does it work?

    4 Posts, 2k Views, last reply by jimp

    Not 2.0, maybe 2.1.

  • Dual WAN 1:1 NAT to 5 web server in 2.0 RC2

    1 Post, 2k Views, no replies

  • Nat 1:1

    3 Posts, 2k Views

    Thanks for your support, it works fine, but only after a reboot.
    Bye
    Enrico

  • NAT 1:1

    4 Posts, 2k Views, last reply by jimp

    You also need to have a Virtual IP setup for the public IP you are using in the 1:1 NAT. Proxy ARP, IP Alias, CARP, etc.

  • How to do NAT LAN Port Forward Exceptions

    3 Posts, 2k Views

    Multiple "no RDR" entries will work. Make sure the ordering is correct: the first matching rule applies.

  • DynDNS firewall Rule

    4 Posts, 3k Views, last reply by Cry Havok

    For future reference, waiting some 14 hours and then complaining that people aren't falling over themselves to help you will encourage people to ignore you. This can be safely assumed to be the case for just about any forum. Sometimes it means nobody has read your post who feels able to answer, other times it means that the documentation covers your problem and people expect you to read it.

  • Problems forwarding TCP 3389 to multiple virtual IP's

    2 Posts, 2k Views, last reply by jimp

    Post screenshots of exactly how your NAT and firewall rules look. Without that, it's hard to even speculate what might be going wrong.

  • NAT tcp.established timeout values?

    1 Post, 1k Views, no replies

  • Replace xinetd + netcat with relayd to accomplish NAT reflection

    2 Posts, 2k Views

    relayd is built in. AFAIK it's not suitable for reflection. Some rdr hacks can be used but get so complex when you have to accommodate multi-WAN, multi-LAN, CARP, etc. etc. that it's not something that is easily achievable. For one specific scenario it's easier.

  • NAT problems and default Gateway Setting,

    2 Posts, 2k Views

    Something to add:

    May 10 11:56:17 kernel: arpresolve: can't allocate route for <gateway for ISP>
    May 10 11:56:17 kernel: arplookup <gateway for ISP> failed: host is not on local network

  • LAN Hosts can't access NAT Network

    8 Posts, 3k Views, last reply by GruensFroeschli

    What do you mean that you then cannot use your firewall in such a case?
    If you bridge two interfaces with pfSense, all firewall rules still apply.
    –> if you delete all rules allowing traffic to the server, no traffic will cross the bridge.

  • Automatic NAT Firewall rules create security hole …

    10 Posts, 5k Views

    I don't understand your concerns - can you explain why the IP address you use matters (beyond what the instructor wants)?

    Honestly, and I might have said this before now, but I don't think that in a real-world scenario this would matter at all. Internet routers aren't supposed to even route traffic for RFC 1918 addresses in the first place. The only instance where it would matter AFAIK is if a "boss" gave specific instructions that said access was to be prohibited. But then again, those kinds of circumstances would likely be rare.

    The main reason that PF didn't work in my case is because of the nature of the assignment. The actual assignment wasn't really about NAT or even firewalls at all - the class is about VPNs. Where NAT became an issue, and where the firewall came into play, is because we had to set up a "fake" Internet using the PF boxes, with two Web servers (one a public server, the other a private intranet server). So, the whole point really was that the access had to be very limited unless the traffic was coming in through one of the VPN tunnels. This was why I would have failed had the instructor had direct access to the private network. The main root of my problem was that the fake "Internet" host was directly connected to the WAN interface on the PF box hosting the Web server, so PF kept routing the traffic, and there wasn't anything I could do with the rules to make it stop. (Without breaking NAT.) Like you said, NAT itself is not a security mechanism, but being unable to firewall that traffic made it a security hole in this context.

    Beyond the assignment, the only real-world scenario I could think of is if a company had multiple LAN subnets connected via a PF box, with certain subnets using NAT for whatever reason, and a requirement being that one LAN cannot directly access the other LAN.

    Indeed, they'll have to work out that LAN IP to be able to reach it directly - if you've selected something random, not just 192.168.0.x then it'll take a brute force search of all 3 RFC 1918 ranges to find it.

    Unless this was a company that fired their network administrator and you had a disgruntled ex-employee with intricate knowledge of the private network.  I would hope most people would not drop to this level, but in Information Security, they cover all possible aspects.  When my school competed in the Computer Cyber Defense Competition this year, we had to defend our network from an entire team (about 30 - 40 people) who were trained expert penetration testers.  Some of the things I saw at that competition are still a whirlwind in my brain.  Let's just put it this way, out of 8 teams competing at the Regional Competition, zero of them had functioning networks on Day 3 of the 3-day competition.

    Getting back on topic, I don't have the super-expertise of how to break into networks … to the average random script kiddie or the like, there would likely be no issue here.  But, being a security class, I was forced to cover as many bases as possible, defense in depth and layers, so to speak.

    People such as your instructor need to remember that NAT is not a security feature, and it's going away with IPv6 anyway.

    Amen to that!

    Anyway, I got an 'A' on the assignment, so I'm happy.  I was just mentioning the issue I had here because I couldn't find anything anywhere when I was pulling my hair out trying to figure out why I could access the private IP of the Web server with my VPN tunnels down.

    You might give the "pass" associated firewall rule type on 2.0 a try, I wonder if it works the same way because it doesn't use a separate firewall rule, just "rdr pass …".

    I've used PF 2.0 a couple times, and I really like where the project is headed.  2.0 made it so much easier to adjust the max number of simultaneous PPTP users right from the WebGUI.  I'll fire up the 2.0 VM sometime and try this NAT thing out on that and see how it goes.

  • Multiple LAN interfaces

    3 Posts, 6k Views

    It sounds like your second network (192.168.61.0/24) might not be getting translated via NAT when exiting the WAN port. You can verify your default gateway is working on that subnet by pinging any of the servers on your other private network connected to pfSense. If those pings are successful, that verifies that your second network is able to route to and through the default gateway (the pfSense box itself).

    From what I've read and experienced from using it, pfSense should automatically NAT all LAN-type interfaces to the WAN port IP address.  You mentioned having two WAN ports, but that you're not using the one.  Is it disabled?  If not, try disabling it and see if you can get out to the Net from your private network then.  It's possible that pfSense might just be getting confused.

    It's also possible that for some reason pfSense is just not NATing the traffic from your second LAN interface.  You can use the Advanced outbound NAT to force that network to be translated via the WAN IP.

    I've attached an image to this post; if you set up AoN using those settings, it should (in theory) work.

    To shed some light on the situation, the main reason you'd use AoN is if you've got a LOT of internal users, more than can be handled by a single WAN IP; you can use AoN to spread the translations among several public IP addresses. You can also use AoN if you just want to set up all your NAT rules by hand, rather than let pfSense do it for you.

    On a last note, if you do try the settings below and they get your 2nd LAN onto the Net, but you find that the 1st LAN no longer can, it's probably because you'll need to add another rule just like the one in the image but replacing the 2nd LAN subnet address with the 1st LAN subnet address.  (I'm not sure if turning on AoN for one subnet automatically disables Automatic NAT for ALL interfaces, or only for the one specified.)

    In any case, just take screenshots of the screen before you make changes, then you can see what it was like beforehand if you need to revert it back to its original state.

    Attachment: AoN-Basic-Settings.jpg

  • Windows shares behind NAT

    3 Posts, 10k Views

    I'm not exactly sure why you are trying to NAT the Windows File Sharing stuff … but you might not be forwarding all the correct ports.  This snippet below came from a larger article on the Microsoft Support page, http://support.microsoft.com/kb/298804:

    Important If you set up a firewall to help protect computer ports that are connected to the Internet, we do not recommend that you open these ports because they can be exposed to other computers on the Internet. Additionally, specific computers cannot be granted access to the open ports.

    The following ports are associated with file sharing and server message block (SMB) communications:

    * Microsoft file sharing SMB: User Datagram Protocol (UDP) ports from 135 through 139 and Transmission Control Protocol (TCP) ports from 135 through 139.
    * Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).

    I'm not sure exactly what you're trying to do, but you could always use Web-based directory browsing instead of File Sharing.  By setting up a Web-based solution, you'd only need to deal with one port, and you could still use password protection to prevent unauthorized users from gaining access to certain shares.  Of course, this idea would only really work if you didn't need to allow the users to add files to the shared folders.  Alternatively, FTP might be an option for you as well, but getting FTP to work through NAT can sometimes be a pain.

    Alternatively, assuming you are NATing all the ports shown above, you might not have enough RAM or processing power on your pfSense box to handle that many NAT translations and connections.

  • Dns resolving but no response

    2 Posts, 2k Views, last reply by Cry Havok

    Your DNS records are wrong - please correct and try again ;)

    direct.wesleyk.me resolves to 69.254.22.198 and wesleyk.me resolves to 199.27.134.81

  • Simple DMZ setup with webserver

    3 Posts, 15k Views

    Thank you very much!

    Now I see my error better…

  • Reverse Proxy Forward IP to Host?

    2 Posts, 5k Views, last reply by GruensFroeschli

    You don't need a reverse proxy.
    Simply add virtual IPs (Firewall -> VIPs) and then create 1:1 NAT mappings between the VIP(s) and your server(s).
    Also add firewall rules to allow the traffic.

  • NAT Rule Inconsistent behaviour on 2.0-RC1 (i386) and MLDONKEY

    2 Posts, 2k Views

    Destination should be "WAN address" only, never anything else unless you have multiple public IPs. I updated this page with more info on how that works in 2.0.
    http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

  • NAT problem with PPPOE on WAN (pfsense1.2.3).

    2 Posts, 2k Views

    Pfsense version I am using:
    pfSense-1.2.3-RELEASE-LiveCD-Installer.iso

  • [Partial Fix] NAT Reflection problem in 2.0-RC1

    15 Posts, 7k Views

    For what it's worth, I was also having runaway process totals with 2.0-RC1.  Disabling reflection on DNS rules fixed it for me.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.