• Port Forwarding blocked the net connection! HELP

    jimp

    You probably have NAT reflection enabled and didn't properly set up the NAT port forward.

    See here: http://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing%3F

  • Traffic Redirection with Port Forwards


    I tried allow all already, but still the same.
    Seems like pfSense does translate the source IP to the squid IP (NAT).

    Here is the log

    1290995342.128    75 10.0.10.3 TCP_MISS/504 1881 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - DIRECT/27.0.14.21 text/html
    1290995343.950      2 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
    1290995344.470      2 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
    1290995344.703    57 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html
    1290995344.830    19 10.0.10.3 TCP_NEGATIVE_HIT/504 1887 GET http://thoisuso.net/chuyen-xe/xe-nguoi-dep/nguoi-mau-o-trien-lam-essen.html - NONE/- text/html

    External squid with pfSense still does not work right.  :'(

  • External Squid proxy transparent + dansgaurdian + Pfsense

  • Passive Outbound FTP?!


    http://doc.pfsense.org/index.php/FTP_Troubleshooting

  • Nat & routing on OPENVPN


    Hi, yes I will, but I'll need a bit of time to get all the info from the configuration.
    Thank you very much for your interest in our problem.

    OK, the information on the 2 firewalls and the network:
    ** They are linked with a Site-to-Site VPN, and an MS Domain is working through it (not sure if this is important)

    The main Firewall:
       - 2 interfaces: WAN(static ip) and LAN(No bridging, 192.168.3.100/24, Disable the userland FTP-Proxy application)
       - Firewall: the only configured rules are:
           LAN: pass (there was a second network but it is no longer, so this is kind of useless)

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | * | LAN net | * | 192.168.1.0/24 | * | * | | to 192.168.1.x |
    | * | 192.168.1.0/24 | * | * | * | * | | 192.168.1.x subnet |
    | * | LAN net | * | * | * | * | | Default LAN -> any |

    WAN: pass

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | * | * | * | * | * | * | | pass in all test rule |
    | TCP/UDP | * | * | * | 443 (HTTPS) | * | | Allow TCP/UDP to OpenVPN Server Port |
    | TCP/UDP | * | * | * | 1191 | * | | Allow TCP/UDP to OpenVPN Server Port |

    PPTP VPN: pass

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | * | PPTP clients | * | * | * | * | | allows incoming PPTP |

    IPSEC: pass

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | * | * | * | * | * | * | | Permit IPSEC |

    Services: default
    Enable DHCP server on LAN interface: FALSE
    Subnet 192.168.3.0
    Subnet mask 255.255.255.0
    Available range: (192.168.3.0 - 192.168.3.255 ) - default readonly

    VPN:

    IPsec
    Tunnels: Enabled IPsec
    Mobile clients: Allow mobile clients: FALSE (basic config)
    PPTP: Enabled PPTP server
    Server address : xx.xx.xx.xx
    Remote address range: 192.168.50.x/28
    ….
    WINS server: 192.168.3.128
    OpenVPN: Server
    1. No TCP 192.168.10.0/24 ovpn
    ** For external connections via OpenVPN client application
    Protocol: TCP
    Dynamic IP: true
    Local port: 443
    Address pool: 192.168.10.0/24
    Local network: 192.168.3.0/24

    Cryptography: BF-CBC(128bit)
    Authentication method: PKI

    DHCP-Opt.: DNS-Server: 192.168.3.128

    Custom options:push "dhcp-option DNS 192.168.3.128";push "dhcp-option DNS 192.168.3.129";push "dhcp-option WINS 192.168.3.128"; push "route 192.168.9.0 255.255.255.0";

    2. No TCP 192.168.11.0/24 Office 2 Server
    Protocol: TCP
    Dynamic IP: true
    Local port: 1191
    Address pool: 192.168.11.0/24
    Remote network: 192.168.9.0/24

    Cryptography: BF-CBC(128bit)
    Authentication method: Shared key

    DHCP-Opt.: NetBIOS node type: none

    LZO compression: true

    Description: Office 2

    ALL THE REST THAT ARE NOT DISPLAYED EITHER ARE NOT SET OR DISABLED

    The client, office 2, Firewall: System: there are 4 static routes, like 160.58.134.x, which point to the office 1 firewall 192.168.3.100
       - 2 interfaces: WAN(static ip) and LAN(No bridging, 192.168.9.100/24, Disable the userland FTP-Proxy application)
       - Firewall: the only configured rules are:
           LAN: nothing
    WAN: pass

    | Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
    |---|---|---|---|---|---|---|---|
    | TCP/UDP | * | * | * | 1191 | * | | Tunnel |

    Services: default
    Enable DHCP server on LAN interface: TRUE
    Subnet 192.168.9.0
    Subnet mask 255.255.255.0
    Available range 192.168.9.0 - 192.168.9.255

    VPN:

    IPsec
    Tunnels: Enabled IPsec: FALSE (not enabled)
    PPTP: Off
    OpenVPN: Client
    No Firewall_1_WAN_IP TCP  Tunnel Connection 2 Office 1
    Protocol: TCP
    Server address : Firewall_1_WAN_IP (xx.xx.xx.xx)
    Server port: 1191
    Interface IP: 192.168.11.0/24
    Remote network: 192.168.3.0/24

    Proxy port: 3128

    Cryptography: BF-CBC(128bit)
    Authentication method: Shared key

    LZO compression: true

    Description: Tunnel 2 Office 1

    The rest is common configuration, default.
    So there is the office 1 network and the office 2 network, and then there are the ones for the Site-to-Site VPN (192.168.11.x) and the one for the exterior VPN connection (192.168.10.x), in which the clients can see each other even if they are in Office 1 or Office 2. What and where should I add a route for Office 1 to see the Office 2 clients?

    Note: No client from office 1 can access the network at office 2, and no client from office 2 can access its network mates if it has activated the OpenVPN Client App (which connects to the Office 1 VPN 1).

    Thank you very much

  • NAT / Alias Clarification


    @jimp:

    It should be considered the same, using only those specific ports.

    Well, I appreciate that answer, and one would think they would, being a firewall system, but also with such trust being invested I just felt the need to ask first.  Thank you.

    UPDATE:
    Well, I received an error when I tried the NAT port alias... hmm... same format as the other ports, but when I removed the individuals and added the port alias it all screwed up.

  • MOVED: Use IPALIAS in Nat rule Pfsense 2.0 Beta 4

  • No dropdown box external address in a nat rule anymore


    It was changed to destination address.

  • Port Forward or DNS Forward?


    OK, here was my solution; dreamslacker's method worked for me.

    It was timing out before because the firewall rules got messed up. It was opened for another interface. Anyway, it was just carelessness on my part.

    Interface: OPT2
    Source Addr: *
    Source Port: *
    Destination Addr: OPT2 Address
    Destination Port: 80 (HTTP)
    NAT IP: 192.168.1.10
    NAT Port: 80 (HTTP)

    Then choose "create associated firewall rule" so it will automatically create a firewall rule for you. Otherwise you can manually create it.

    I also did this for OPT1 and WAN, so I have 3 internet IPs port forwarding 80 to the NAT IP.

    My next step is to point my DNS Host(A) to these IP addresses, that should, in theory, leave me with redundant IP addresses for my website.

  • [Solved]how to NAT Asterisk behind pfsense


    I'd like to get a detailed explanation also, as I've got the same problem.
    Thanks in advance.

  • 1:1 NAT problem - Outgoing traffic uses general Outbound NAT


    Hi,

    As I expected, creating a dedicated Postfix replacing the second instance on the first server solved the problem (the ARP entries on pfSense for [192.168.100.5] and [192.168.100.12] are now different).

    However, I still do not understand the principles of how pfSense is building an outgoing NAT. Jimp, please, can you explain it for me?

    Thanks!

  • NAT worked in m0n0wall, but not in pfSense?!


    Thank you, this worked! (Static port) ;)

  • NAT is Splitting my connection speeds


    So I attempted to disable the 2 NAT rules to the physical static addresses and I am still having the problem. I am using Manual AON, and when I change it to Auto IPsec passthrough I get the speeds back... It is only affecting download speeds, not upload.

  • More RTP Issues


    @ee99ee:

    I'll install siproxd this week and we'll see if that works.

    If you do, make sure that you configure siproxd in-line with this thread: http://forum.pfsense.org/index.php/topic,10084.0.html

    Specifically, I had to enter all information stated by Sammy2000 here:

    There is a little pitfall about configuring siproxd. You need to enter the following information, at least this is working for me…

    Inbound interface
    Outbound interface
    Listening port
    Enable RTP proxy
    RTP port range (lower)
    RTP port range (upper)
    RTP stream timeout

    If you don't have any special needs, just go with the defaults and you will be fine...

    Actually that was all I needed - but I entered that information even if it was the default. The only thing different from the standard was my RTP range - due to a relayed AVM Fritzbox that handles the ISDN phones here and converts them to SIP. Used defaults for the others.

    [Edit] Or so I thought. Certain VoIP phones could not get through though (initially tested with mobile, and funny enough that always worked). Solved by adding firewall rules to allow what's needed (SIP and RTP range for my box), and now I'm fine for all calls.


  • Do I need NAT rules for this setup?


    Go to:  http://<ip of netgear here>/setup.cgi?next_file=mode.htm

    Select 'modem' from the drop-down box and it becomes an ADSL modem bridged to port '1'.

  • Server with multiple gateways


    Thank you I was hoping I did not have to do that but I will implement as you all suggested.

  • Port NAT doesn't work well


    1)  Can you verify that the 'webserver' responds on both ports internally within the LAN segment to begin with?

    2)  Is the Allow rule generated under 'WAN' section of the firewall rules for port 8080?

    3)  Is your ISP perhaps blocking '8080'?  Can you try changing it to perhaps, 6080 and try again?

  • How-to port forward on a URL address


    Hi,

    Thanks to all for the comments and suggestions.

    From that it looks like I will need a reverse proxy and an internal DNS forwarder for the MX records.

    As for the other ports I will manage them via a "jump" box.

    If anyone has any other options or comments they are welcome.

    Thanks
    George

  •
    jimp

    I don't see any port forward entry in that list that would match your VOIP traffic.

    What I was wanting to see was the port forward entry you had that would redirect your phone traffic.

  • SIP ALG problem (stupid plain NAT)


    Cool.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.