• Port forwarding while blocking direct access

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    That is a bit of a tricky situation - for NAT to allow the service in, you need to set the firewall rule to allow traffic to the target system's real port, which is 22. Because that IP is routed, and not really NAT, it still exposes the 'real' service.

    Hiding ports in this way only works if NAT is done for the whole IP - not routable, not 1:1.

    In your case you'd have to change the sshd config to listen on 1111 if that's what you really want.

  • Please Help

    Locked
    6
    0 Votes
    6 Posts
    2k Views

    @maschimidt:

    @submicron:

    This is exactly the problem.  You're using the wrong gateway.  Fix this.

    Ok, I'll try and give a return

    Hi, problem solved…

    :)

  • Reloading rules taking a long time

    Locked
    10
    0 Votes
    10 Posts
    6k Views

    An update after some debugging… It seems that my rules are reloaded instantly after a change has been submitted, but it takes nothing but 5 full minutes or more to execute the filter_configure_sync() php command which is being initialized by the check_reload_status.c file ..

    Any guesses to why it takes 5 minutes to reload my rules? Config file is 104kb, I have 325 rules (nat and firewall rules together) and 27 VIP's.

    EDIT:
    3 hours of debugging and a lot of coffee later I found the issue.. It seems my CARP sync was not working. After I edited rc.filter_configure_sync to show some microtime of how long each part took, it was clear that my CARP sync was the issue. Disabling this fixed the issue - now it reloads new rules very quickly, very neat.

    Today's lesson: Learn to fix your own errors... :-)

    Thx to jimp for helping! I gained a lot of nice knowledge about pfSense in the process.

  • NAT + Portforwarding Useless

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    Cry Havok

    Please read the threads on XBox360 and UPnP in the gaming forum regarding that OPEN/STRICT issue. Port forwarding, non UPnP, works perfectly with pfSense.

  • TCP port forward goes fine but UDP doesn't

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    A few builds later, it's now ok…

  • Mass create 500+ 1:1 NAT's

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimp

    I believe on 2.0 you can just make one entry that has a subnet mask and it will make an entire subnet's worth of 1:1's at a time.

    So if you had, say, a /23 (510 usable) you could make a single 1:1 entry and be done.

  • Sequential Port Mapping

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli

    You could download the config.xml, look for the NAT part and copy/paste as many entries as you need.

  • DNS server - Same LAN but using the WAN address

    Locked
    6
    0 Votes
    6 Posts
    3k Views

    @cmb:

    @CrashOverride:

    No solution for this issue ?

    NAT reflection is the solution, or don't query it internally by its public IP ideally, routing traffic back in like that is ugly. It's possible if you have the local DNS forwarder enabled on the firewall it will interfere though I'm not 100% sure offhand on that, if you have it enabled try disabling it.

    Now: DNS Forwarder is Disabled and "Disable NAT Reflection" is not ticked.

    Then I can access my local webserver by using the External Address, but I can't access the local DNS server by using the External Address.

    If I have: DNS Forwarder is Disabled and "Disable NAT Reflection" is ticked.

    I can't access anything on their external address.

  • Web access seems to be fine but no web GUI, can someone help?

    Locked
    4
    0 Votes
    4 Posts
    2k Views

    @j.smith1981:

    Wonder why it won't work on the WAN port, any suggestions at all?

    Because it treats that like an Internet connection, won't pass traffic into the LAN.

  • NAT 101

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 1:1 NAT and ping

    Locked
    6
    0 Votes
    6 Posts
    3k Views

    As I suspected, my ISP is blocking ping. Thanks for the help.

    David

  • Dynamic DNS NAT Fails from LAN

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    jimp

    Nothing terribly wrong with using NAT Reflection for a couple ports here and there. It just doesn't scale well for larger purposes.

  • 2.0 Problem with 1:1 / NAT Reflection / need help or suggestions please

    Locked
    3
    0 Votes
    3 Posts
    4k Views

    Download snapshot from 18 jan 02:47.

    It was the first beta that worked for me regarding NAT reflection….

  • [Q] restart natd when receiving a new wan ip

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    There is no "natd" in pfSense. pfSense uses pf, which handles nat internally, not via a NAT daemon.

    When a new IP is received, the system updates with the new IP and reloads the firewall rules, nat, etc. The old IP is not retained.

  • [Solved] NAT reflection on multiple LAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Awesome, I'd never think of that. Working wonders finally.

    Port 80 was the only one I had with "any" for some reason.

    Thanks a lot. =)

  • NAT of privileged ports

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Thanks for your comment.

    Yes, hostbased ports would probably do the job - although I'm not completely sure, if there are multiple connections from one inside client to various shares on the same outside server, they should be mapped to different originating ports, I believe, and I wouldn't know how to handle that.

    Anyway, all that requires much more insight into IP than I have. After some research, it turned out that most of the shares I need are also exported as samba shares, I use that instead of NFS now, and it's working reasonably well.

    However, I believe that this is quite a common problem (since VMware has the simple options for it). Would be great to see a better solution than move to a Windows implementation.

    Thanks, Frank

  • SIP port 5060 is blocked by our ISP?? Is siproxd helpful?

    Locked
    4
    0 Votes
    4 Posts
    8k Views

    I may add that Asterisk (and Elastix 2.0) work fine using a port other than 5060. This might also be a solution for you.

  • Port forwarding - Firewall rules, setup a web server

    Locked
    8
    0 Votes
    8 Posts
    6k Views

    All IP addresses are static bound to all machines, and they run all the time. The 10 dot IP addresses work great, all machines can talk to each other from one LAN to the other, Active Directory updates from one LAN to the other, just can't figure out how to make the 2 boxes talk. But everything seems to be working fine, I just need to update everything twice in both boxes.

    Thanks for the help

  • Port forwarding :: strange issue

    Locked
    6
    0 Votes
    6 Posts
    3k Views

    shammins,

    With your gateway set to box b, can you do a simple telnet from box b on port 25 to box x (mail server)?
    You should try this to see if you are getting at least one-way communication.

    If you can get a telnet connection, try and do a telnet email send to your email server / box x from box b and see how the email fails in this scenario.
    This will eliminate a few things to narrow things down a bit.

    BC

  • Intermittent Virtual IP forwarding problem

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.