• NAT: public IP pool to internal segment

    Locked
    8
    0 Votes
    8 Posts
    6k Views
    dotdash

    It randomizes the source-port, so there would be no problem with overlapping connections. If you needed static-port, then you would probably have trouble with multiple connections to the same server. I'm not a big gamer - you might want to check out the gaming section. There's a sticky about static ports.

  • Vpnc and NAT

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Pfsense drop some packets?

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    Cry Havok

    Do you have rules on both interfaces allowing traffic to the other LAN? Are the clients on each LAN able to reach the Internet?

    Do you really have 10.1.1.x/24 on both the WAN and the LAN interfaces of the pfSense host?

  • Port forwarding with nat IP

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    You click on "Firewall -> NAT" and create a rule.
    Done.

    (for god's sake, please try it out and stop asking questions before you've even tried)

  • Ftp proxy source nat

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    B

    If I can find another machine hanging around to try that with, I will.  I can't really take this one offline and do internet stuff.  But, 2.0 is alpha…  I'm a little unsure about alpha software.

    But, I have a feeling that it's actually a problem with frox re-making the connection to the client.  That's why I was looking for a source nat rule so that it could rewrite where the client thought the data was coming from.  Or, maybe even having pftpx handle that part for me.  But, can't find a way to do that either.  Any ideas would be helpful.

    Thanks for the help so far!

  • NAT driving me NUTS!

    Locked
    14
    0 Votes
    14 Posts
    6k Views
    GruensFroeschli

    Can you show a screenshot of your advanced outbound rules?

  • Outbound Nat with multiple WANS

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    G

    @kpa:

    What I mean is the order of the firewall rules, not outbound NAT rules. Policy routing is done with firewall rules in pfSense. The outbound NAT rules are used after the routing decision has been made, not before.

    Gotcha, I see where I was making a mistake as well.

    Thanks!!!

    Andy

  • FTP Server behind PFSense *Guide / Explanation*

    Locked
    5
    0 Votes
    5 Posts
    73k Views
    J

    I've deleted all previous FTP configurations including NAT, Virtual IP and firewall rules, and did a number of combo configurations before I finally got it going. The following configuration did it for me:

    1. Created Virtual IP based on CARP
    2. Enabled FTP proxy helper on WAN interface
    3. Created a 1:1 NAT (tried port forwarding, it works too)
    4. Reconfigured /etc/vsftp/vsftpd.conf and enabled passive mode, defined the min and max ports and enabled port range (50000 and 51000)
    5. Created a firewall rule

    GruensFroeschli, sorry for the typo, too much thinking I guess ;D, what I meant was I've created a rule to allow ports 20 and 21 to be accessed from outside (not port forwarded).

    Cheers!

  • Program exhibiting very odd behaviors and getting firewalled for it.

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    P

    Well, thanks. That works about as well as doing NAT 1:1 as far as number of connectible games (and still firewalls the rest of my traffic)…

    However, now my firewall logs are filled with exactly the reverse (lots of random incoming ports targeting 6112 on my machine that are getting firewalled). This is acceptable, since being able to access 3/4 of the games is far superior to 1/4, but I just don't understand why they have so many issues with their routing in the game.

  • Two Asterisk systems behind pfSense multiple IPs

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NAT multiple public IPs to multiple internal IP.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    Did you reset states or reboot? I had similar issues until I rebooted.

  • ISP Proxy --- pfsense NAT ----- LAN

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    T

    That would only take care of port 80. HTTPS runs on 443, in which case each client would have to be configured to your ISP's Proxy unless they do not filter port 443.

  • Dual WAN, but WAN2(OPT1) relies on WAN, very strange!!!…

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    R

    akoei,

    Your WAN connection using DSL wouldn't happen to be a PPPoE connection, would it? The reason I ask is because I have one site where their setup is like yours and the symptoms are exactly the same as you describe. My setup uses a PPPoE DSL line for the WAN and a static IP cable modem for my OPT1 link. I haven't had a chance yet, but if there is no fix for this, I am tempted to swap my WAN and OPT1 connections and just put a cheap Linksys router in front of my DSL line, have it do the PPPoE connection so I can use the static setup for the OPT1 link (as we cannot set up an OPT1 link to use PPPoE in pfsense).

    Let me know if you see any other items with this… Thanks!

  • Changing hardware… issue with NAT 1:1?

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    K

    Wow, sorry about the late update! You guys were absolutely right, had a higher Tier tech clear the ARP cache before moving over to the new hardware, and sure enough it worked like a charm.

    Thanks for the help!
      - Adam

  • Port forwarding to multiple destination machines

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    Cry Havok

    If both need to interact with the sender (i.e., TCP) then you're going to have to write a proxy/forwarder to perform the initial receipt and then forward on multiple copies.

  • NAT/PAT Question

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    GruensFroeschli

    What rules are you talking about now?
    Firewall rules or NAT rules?

    As bern said: post your non-functional config.
    Screenshots of the firewall-rules and NAT-rules would probably be enough.

  • Forward WAN range to single LAN port?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    Cry Havok

    Depends.  If you're talking about having a server listening on a range of ports (such as with VNC) then it's not that unusual, but that's usually because once something has connected to the first port then it becomes unavailable.  What you're talking about is rather different, where the clients connect to (randomly selected?) one (or more?) port from a range of ports, but the server only needs to listen on one.

  • 1:1 Nat with wan interface ip

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    A

    Hello,
    thank you for your reply… Actually I'm using this configuration because all the traffic will come in to another firewall on which I manage the right port forwardings (if I add to pfsense only the port forwardings that I need, I will need to configure this also when I need a new rule)... if you are thinking that this is useless you're right, but I'm using this configuration because I need the two WAN connections and actually I'm not ready to change the other firewall (because it is also a mail gateway with antispam and antivirus).. I know the spamd package but as I read on the forum there are some problems with it (and actually I manage 200 mailboxes in 5/6 domains).. I think that a better solution would be to use bridged mode between the firewall and pfsense.. but I've no idea how I can do this with the two LAN connections... and I don't know if in bridged mode I'll be able to load-balance the two WAN connections... My actual IP configuration is:

    PublicIP 1 --> DSL ROUTER (192.168.2.1) --> WAN PFSENSE (192.168.2.2) --> LAN PFSENSE (192.168.3.1) --> My old Firewall (192.168.3.2)
                                                                                                                            ^
    PublicIP 2 --> DSL ROUTER (192.168.0.105) --> OPT PFSENSE (192.168.0.2) ------------|
    NOTE: FOR THIS CONNECTION (PUBLIC IP2) I CAN'T ACCESS/MANAGE THE ROUTER THAT IS PROVIDED BY THE ISP... they've configured a 1:1 natting on 192.168.0.2 for the incoming ip

    Thank you for your time...

  • Redirect rule for pop3 proxy

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    B

    Hey,

    Thanks for the input.  And, I tried it with the same result.  But, it looks like the problem might be a known bug in the FreeBSD port of p3scan.  I'm looking into trying to fix it.  Looks like the problem is that p3scan doesn't determine the original address correctly after it's been redirected using pf.  The 3.0 version of p3scan also appears to be broken for FreeBSD, as it doesn't compile correctly.

    Anyone know of something other than p3scan that can scan a pop connection?

  • N00b help with NAT

    Locked
    11
    0 Votes
    11 Posts
    8k Views
    T

    Well after several hours with tcpdump I finally got it running.  The issue was my DSL modem.  It's a D-Link DSL-502T, I don't recommend it.

    I tried using PPPoE on pfSense to authenticate as it seems some people have had success authenticating against an actual PPPoA authentication.

    I had to set the modem to "half-bridge" mode as pfSense can't auth directly due to PPPoA. In this mode the modem authenticates to our ISP and puts the public IP on the ethernet port in the modem instead of setting up a LAN. For some reason, it was blocking responses, and there was no firewall or routing enabled on the modem. As a workaround, I set the Ethernet to a static IP on the modem, then put the WAN port of pfSense as the DMZ until I get a new modem. Once I did this, everything works as expected with responses routing correctly back to our ISP.

    We have a significant performance boost in our routing and NAT even with Snort running.  The box we turned into our Firewall is an old P4 2 GHZ with 1 GB of ram.  Thanks to everyone for all the hard work put into pfSense.  It's the best firewall distro I've used.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.