• N00b help with NAT

    Locked
    0 Votes
    11 Posts
    8k Views

    Well after several hours with tcpdump I finally got it running.  The issue was my DSL modem.  It's a D-Link DSL-502T, I don't recommend it.

    I tried using PPPoE on pfSense to authenticate as it seems some people have had success authenticating against an actual PPPoA authentication.

    I had to set the modem to "half-bridge" mode as pfSense can't auth directly due to PPPoA.  In this mode the modem authenticates to our ISP and puts the public IP on the Ethernet port in the modem instead of setting up a LAN.  For some reason, it was blocking responses, and there was no firewall or routing enabled on the modem.  As a workaround, I set the Ethernet to a static IP on the modem, then put the WAN port of pfSense as the DMZ until I get a new modem.  Once I did this, everything works as expected with responses routing correctly back to our ISP.

    We have a significant performance boost in our routing and NAT even with Snort running.  The box we turned into our firewall is an old P4 2 GHz with 1 GB of RAM.  Thanks to everyone for all the hard work put into pfSense.  It's the best firewall distro I've used.

  • NAT Issue with Cisco Clean Access Agent (NAC)

    Locked
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Multiple WAN IPs

    Locked
    0 Votes
    4 Posts
    2k Views

    Many thanks dotdash.

    It works. I had already tried a setup like the one you wrote, but the rule was below the auto-created one.

    Many thanks and best wishes from Poland.

  • Assigning more than 1 public IP to the WAN Interface.

    Locked
    0 Votes
    10 Posts
    5k Views
    dotdash

    @eyepodder:

    I tried creating a 1:1 nat and I keep getting this error when trying to create it.

    The following input errors were detected:

    * The WAN IP address may not be used in a 1:1 rule.

    I deleted the port forwarding and outbound NAT as well as the virtual IP. I get the same error with or without the virtual IP.

    Maybe it's a bit cryptic, but that error message means you can't use the WAN IP address in a 1:1 rule.
    The 1:1 must be between a VIP and an internal host.

  • Performance drop through NAT Proxy IP

    Locked
    0 Votes
    5 Posts
    4k Views

    Ah, forgot to respond on this one… three things:

    1)  I had messed around a bunch with the same firewall pair before starting to do performance testing and I suspect things were a little dirty under the hood.  I ended up nuking the firewalls back to the base state and things looked better, but not perfect.

    2)  My apache settings were a little weak.  I ended up making sure that I was logging to /dev/null and bumped the apache threads (I was using the worker model) up to a higher number and made sure to check vmstat on the system.  It was surprisingly easy to overload the system I was using.

    3)  ab never really panned out for me.  I ended up having a hard time getting it to really scale well.  I ended up using curl-loader http://curl-loader.sourceforge.net/ from multiple machines, and running multiple Apaches behind pfSense.  The documentation was a bit sparse, but the results were more consistent and I could crush the servers behind pf.  Ironically, I wasn't able to max out pf, as I needed a few more servers behind it to max it out.  I think I was doing about 20,000 connection attempts per sec when I had to stop.  The requests were pulling a tiny "Hello World" HTML file, so this was opening and closing sockets with very little data in between.  I think my firewalls were at about 55-60% CPU.  I also did a bandwidth test where I pulled a 50K file over and over again and was able to max the gig link without pfSense breaking a sweat, but that's really more of a test of the NIC than the software, anyway.

  • Making outbound NAT use a specific IP with Outbound FTP

    Locked
    0 Votes
    9 Posts
    4k Views

    It's a VIP… Not sure where you got a second WAN from.  I've got a second firewall, if that's what you mean, but the idea is to have that IP still be active on failover, so it really needs to be a CARP VIP.  I'm not trying to load-balance or anything, just trying to dictate what IP ends up being the source IP when viewed externally.  For other protocols, I can just NAT traffic to a specific IP, but for FTP, that doesn't work.

  • NAT "any" grabs all interfaces?

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • IP Protocol

    Locked
    0 Votes
    3 Posts
    2k Views

    @http://www.iana.org/assignments/protocol-numbers/:

    50      ESP              Encap Security Payload                  [RFC4303]

    You can select ESP on NAT and Rules.

    If I misunderstood you, add a picture.
    Could you be running an older version? (/me thinking out loud)

  • NAT reflection broken in 1.2.1?

    Locked
    0 Votes
    2 Posts
    1k Views

    Okay, bit the bullet and upgraded our production firewalls to 1.2.2.
    But it didn't help.  :(
    Anybody else run into this?
    Surely we're not the first to want NAT reflection in v1.2.x …?!?

    For that matter, does anybody have it actually working?
    If so please send me your config.xml (offline, and passwords and such redacted of course), so we can do a stare-and-compare to find the problem.  :/

  • No idea how to create a NAT policy in the GUI..

    Locked
    0 Votes
    2 Posts
    1k Views

    Does something like this attached picture not work?:

    pf-nat-config.PNG

  • Replace Cisco Router Advice

    Locked
    0 Votes
    3 Posts
    2k Views

    I was wanting to do something like that but I can't recall why I didn't… But in the meantime I managed to successfully put a pfSense box between Cisco and LAN. Once again pfSense saves the day to make everything simpler.

  • MOVED: Need some help, 2 box of pfsense

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • HOW to add specific NAT rule??

    Locked
    0 Votes
    12 Posts
    7k Views

    With all of this working, I get some trouble…
    PF hangs when reloading firewall rules (when I add some rules like NAT/firewall/etc.).
    Without the VIP, all works fine...

    Need some advice!!!

    Also I need portforward on my VIP. It's not working! ((

  • Advice about 1:1 NAT

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Web server behind virtual IP on WAN

    Locked
    0 Votes
    13 Posts
    5k Views

    Usually it is something stupid. The firewall on the local web server blocked traffic.

    Everything works like a charm.
    I forwarded SSH and HTTP without any problem.
    Thanks.

  • ADSL modem config page on the WAN interface

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    Please use the search function.
    This has been asked numerous times.

    -> http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562

  • Processing of aliases

    Locked
    0 Votes
    7 Posts
    2k Views

    Thanks GruensFroeschli,

    I'll try with that in mind, but I think I'll make a virtual machine for this, don't want to mess with the coders again.

    If you remember anything more or find a guide or something, please post it; it would be nice to fix this before we go online with this.

    Kind regards
    Quandion

  • Port Forwarding not happening :-(

    Locked
    0 Votes
    6 Posts
    4k Views
    dotdash

    I don't use bridged mode very often, but I generally plug a laptop directly into a bridged modem if I need to access it. There are numerous threads asking the same question you did. This might be a good place to start http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562

  • How can I limit access to a port forwarding rule to certain IPs

    Locked
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli

    Firewall -> Rules -> WAN
    Modify the autogenerated firewall rule for your port forward.
    Probably the easiest is to create an alias containing all the sources you want to allow, and use this alias as "from".

  • External Transparent Proxy

    Locked
    0 Votes
    5 Posts
    7k Views

    push

    :-)

    Hi,
    does anyone have a suggestion on this one?

    I don't have a clue.

    Thx :-)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.