1.  pfSense and FTP Passive ftp using these suggestion you mentioned with NAT and rules
2.  change the settings of your ftp server to actually use PASSIVE setting (consult your ftp server vendor's manual - in my case G6ftp)

Thanks to bits and pieces everywhere on these forums, PASSIVE is Now working

NOTE:  From a security standpoint, PASSIVE FTP is more secure (thus better) because you do not have to open up Outbound ports to ALL!

Wow! User error strikes again, and I feel like a jackass for posting now. :)

I changed my IP scheme w/ this migration and forgot to change it for the virtual hosts inside httpd.conf.

…stupid.

Thanks for all the great work on this project.

Have you UNCHECKED the "Disable NAT reflection" option?

http://hightechsorcery.com/2008/11/nat-reflection-pfsense-firewall

Cheers,

Bern

I think one problem is that giving users more options gives them more opportunities to screw things up. I can see specifying the source for NAT being useful, but it would be a rarely-used option that only a handful of people would ever need. I would love to see an 'expert' box hidden under several warnings that would allow you to input raw syntax for a rule. It wouldn't have to attempt to display it, just add it to the ruleset. I have had couple of times when I wanted to do something unsupported by the GUI, like outbound NAT vs an address pool, pointing a fw rule to a custom table, etc.

I use https, so 443..

Ah, so you only have the one public IP address?

Destination port range: from: (other) 58585 to: (other) 58585

and

External port range: from: (other) 6112 to: (other) 6112

Maybe V
Destination port range: from: (other) 6112 to: (other) 6112

advanced –> Firewall Optimization Options --> aggressive

Create a new NAT Rule on the LAN Interface, ext. address any, ext. port 80, nat ip [your squid server], local port: [squid servers port] and your done.

greetz

Show the output of the routing table on pfSense and give the Pppoe server configuration and an output of ifconfig command.

with an alias you essentially create a group of hosts and bind them to an easy to remember name, say for example:  "FTP friends" and then add all the IP addresses you want to have access to your FTP.  Then when you create your NAT to your ftp, you specify the source as your newly created "FTP friends" alias.  So in the future if one of those ip addresses change, you just have to modify the alias and not the NAT rules, saving a little time.

Thanks for the reply.

I did try moving the listening port to something other than 22 and I also tried ssh -p portnumber user@pfsence.box

With both of these the session just hangs until it times out. Logging is enabled and, eventually I did see some errors from the correct inbound address:

Dec 9 17:04:38 WAN xxx.xx.xxx.xxx:4045 xx.xx.xxx.xx:135 TCP Dec 9 17:04:05 WAN xxx.xx.xxx.xx:22 xx.xx.xxx.xx:64909

The rule that triggered this action is:

@61 block drop in log quick all label "Default block all just to be sure."

If I can get my rule above this one, I might be in with a chance but I can't see it my list.

I am a bit lost. I am not sure if the issue is the ssh command, the pfsense config or a routnig issue.

What I do know is that the sshd on the internel host is not being contacted.

:-\

i found the solution.

i contact the VSAT technicians. So, we try up the topologi.

MTU is the PROBLEM !!!

so, we have to give the same MTU at the cisco router and so the pfsense, so they can communicate.

Previous setting, MTU at pfsense 1500, and the cisco router 512.
So, i set the MTU at pfsense 576, and the cisco router 576.

The technicians said, it strange. Because in cisco router, it's already been set up that the cisco router will negotiate the MTU if its below it or above it. But when trying communicate with pfsense, the policy seems not working.

But, well…it's already been solved now. It's not the NAT problem, policy problem, or anything else.
It's the MTU setting.

Thanks for all.

If anyone can give me how we can negotiate the MTU and communicate with cisco smoothly, please don't hesitate.

O.K. I solved this. Didn't have to split my C/24 afterall! I route it thru but for certain IPs i redirect the traffic with S/DNAT rules to SERV and LAN. This can be achieved with combination of different netmasks for VIPs.
So the answer to my top post is YES. :-)

Thank you all for your help. :-)

thanks

i did it last night, it works again

problem's solved!  8)

Fixed. I was using a different range in the NAT rules then what the PPTP clients were being assigned. Oops!

Do you have anything in the firewall log?

As a add to this place a rule above with the servers ip as source and tick log.
Diagnostics -> Packet Capture can also be helpful.
Did you try wget to another server?

This is how NAT works.
What you want is source NAT.

This came up once and i suggested to enable Advanced outbound NAT, and NAT from the WAN to the LAN.
However, i never got feedback if that worked
(It was just an idea, i never actually tried that)

Have tried HTTP(S), triple check the gateway and is correct host gateway is going to firewall.