• 1:1 NAT in 2.0

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P

    Ah, I was missing an outbound nat rule. I had to set up another one because the single AON rule was set to use the CARP interface.  I just added the 1:1 NAT and another CARP Virtual IP for the redundancy cluster. It's working great.  So I have both CARP setup for active/passive and CARP for a 1:1 NAT rule.

  • NAT specific port to different virtual IP not working?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C

    Thanks for the tip. Seemed to be something with the inbound NAT rule that messed it up… Had source port range defined and for some reason that messed up the outbound NAT
    Anywho problem solved now, thanks :)

  • How to log nat ?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimp

    Sounds like you would really like netflow (check the doc wiki).

  • NAT Reflection or not

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimp

    There will be quite a few differences in the 2.0 but the underlying fundamentals are the same.

    In the case of NAT reflection, it's still preferred to use split DNS instead of relying on reflection. Your internal devices should be talking directly to the internal IPs of the services, and not using the public IPs. There is more info on the doc wiki (check the link in my sig).

  • NAT and HA proxy order of execution

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    J

    ok, so nat is definitely working, as i can see the IIS splash screen when I enter the ip address

    i have turned ha proxy off for now.

    any ideas why the dns wouldn't be resolving? the www.domain.com is set to resolve to the ip address, which is nat'd to the internal box

    what should i check?

  • Pfsense 2 NAT issue

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    ?

    ok, sorry for the fuss, turns out my ISP was blocking port 80 DESPITE having a high level business connection!

    a FYI for the future if nmap shows your ports as being filtered this could be as a result of ISP level port blocking!

    thanks for the help! :-)

  • [solved] View Auto Nat rules.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R

    I had already put one manual nat in there which stopped the auto nat rules from being turned on. Deleted that and switched to AON and it worked fine.

    Thanks

  • Client > pfsense WAN <nat> > Opt1 > OpenVPN client

    Locked
    5
    0 Votes
    5 Posts
    10k Views
    B

    10x, I will try that and let you know if it works or not. :D

  • NAT from external works great.. internal.. bad?

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    K

    Well.. after screwing around for several days.. still no real luck on getting this done the right way…
    Too bad.. cause i really liked all functions.. but really.. they're useless if they're not reachable by local LAN and only External people.

    So we went looking for other projects.. ended up with Endian where this problem is solved by 4 clicks:

    Source nat (outbound) tab:
    Source: 192.168.0.0/24
    Destination (interface): GREEN
    NAT to: Auto
    (the last one is normally the external ip for all other outbound rules)

    So for a future request: please add something similar or effective for inbound traffic.
    As in the end.. clusters.. clouds..Active directory and actually nearly every service these days should be DNS based.. which no one with a larger network will split up with inbound and outbound dns etc etc and most functions of PFsense --> ARE for larger networks so this is kind of a real miss if you ask me.

    Regards,
    Marco

  • Multiple XBox on one WAN and subnet

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    AhnHEL

    Follow this tutorial

    http://forum.pfsense.org/index.php/topic,13887.msg74010.html#msg74010

    Only issue I've seen with this setup is to be sure to not turn on both XBoxes at the same time.  Turn one on, log in, then turn on the other.  When I turn both on at the same time I  run into a login problem but I believe that's a limitation on xbox live servers, not pfsense.

  • Help nating or proxy

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Client > Pfsense > Proxy > Internet

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    C

    hellllp

  • How to masquerade a remote LAN ??

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    Cry Havok

    What are you trying to do - reach services on that remote LAN? If so all you have to do is forward the relevant ports for each service.

  • NAT not working properly?

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NAT traffic coming from IPSEC tunnel to get to remote IPSEC

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    O

    Hi guys,

    I've finally had a chance to test my theory, and not entirely surprisingly, it doesn't work.

    What I've done is this:

    Network A - Router A: 192.168.69.0/24 - 192.168.69.1
    Network B - Router B: 192.168.150.0/24 - 192.168.150.1
    Network C - Router C: 192.168.2.0/24 - 192.168.2.1

    IPSEC tunnels exist and work from A - B and B - C

    So, on router A, configure second phase 2 IPSEC under A-B phase 1 ipsec to go from local(192.168.69.0) to 192.168.2.0.  Configure matching phase 2 on router B for B-A's phase 1 for network 192.168.2.0 to 192.168.69.0.

    Bring up phase 2.  Check all works and VPNs all still ok from A - B and B - C.  All good, we haven't broken anything yet.

    Add manual outbound NAT on router B for LAN interface for source 192.168.69.0 to SNAT to 192.168.150.1 (interface address), so that traffic coming from the VPN looks like it is coming from router B.

    Check SNAT working by SSH from 69.(x) to 150.(x) and run "who".  It shows my connection appears to be coming from 150.1.  So SNAT is working.

    So, on router A, configure route: 192.168.2.0/24 via 192.168.69.1.  This is probably unnecessary as 69.1 is the default route anyway, and I would hope at this point 2.0 traffic would be routed over the new phase 2.

    So at this point, I'm hoping that traffic from A destined for C will hit router A, travel over the tunnel, get SNAT'd to B's address and B will then reroute the packets down its VPN to C.  The destination on C will send responses back to router B, which will undo the SNAT and route the traffic back to its origin via the vpn from B to A.

    But this doesn't seem to be working.  I get no responses from remote servers on the 2.0 subnet from the 69.0.  I'm just about to try some packet sniffing on the target server, but I suspect it is not getting this far.  If it was, I can't see a reason responses wouldn't be routed back to 150.1.

    So what I think must be happening is the packets which are going through the SNAT are not entering the stack again to be rerouted.  This is where I get rather hazy - it's some years since I used iptables on Linux in anger, and I have almost zero knowledge of the network stack in BSD.  So I don't know if what I'm trying here is physically possible on pfsense.

    Any guidance here would be great - even if that guidance was simply "give up" - though I'd love to understand why this won't work.

    Thanks,
    -Oli

  • OK what did I miss?

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    G

    @chpalmer:

    For your second issue…

    Two ways to do this.   Go to System/Advanced/Firewall-Nat/

    Go down to "Network Address Translation"

    Uncheck the "Disable NAT Reflection for port forwards" box.

    Or if you're using 2.0

    Go to Firewall/NAT open your port forwarding rule you want and at the bottom "Nat Reflection"  choose your option...  System default refers of course to the above...

    Hey that was perfect–thank you for that.  I never would have thought to look for that option.

  • NAT not in stable

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    Cry Havok

    What version number of pfSense are you using?

  • Outgoing NAT on OpenVPN interface

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Port forwarding issue (i think) With Illustrations!

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • MOVED: Issues w/ PIX 501 behind pfSense 2.0

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.