• Traffic Routing

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    http://forum.pfsense.org/index.php/topic,7001.0.html

  • Virtual IP is not being Routed

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    F

    Is it possible to assign additional IP addresses in a range via CARP, e.g. 10.10.22.0/25?
    Can I use all the addresses in this range for 1:1 NAT, using the same mask there?

    FBI01

  • Pfsense with Linkys and Meraki Network with NAT off

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT not working

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    You've set the source port range to port 477.
    Meaning if a client should be able to connect he has to connect FROM port 477.
    This will never happen.

    Set the source port in the firewall-rule to any and it should work.

  • Port forwarding and Wan rules open a door

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    B

    I'm French and I started a new topic in the French section of the forum.

    http://forum.pfsense.org/index.php/topic,11104.0.html

  • Having some trouble understanding 1:1 NAT.

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M

    If they did a static mapping, then you should be able to manually configure your NIC with those parameters. It doesn't matter if you get the IP address from DHCP or if you configure it manually, as long as you make sure that you don't set up an IP address that might be used elsewhere. If they did a static DHCP assignment, that means that only you can get that IP address; you should be good to go in manual configuration. Unless your ISP has some sort of weird setup that would prevent you from doing this, but I doubt it.

    MageMinds

  • Multi GW, not Multi WAN

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    D

    Thinking it out I think 1 Inbound NAT rule will suffice.  I will test this once I return to work.

    Thank you so very much for your quick responses, you have helped me out so much.

  • Nat Alias (Dlink to pfSense)

    Locked
    12
    0 Votes
    12 Posts
    8k Views
    GruensFroeschliG

    That's only partially true.
    You can force traffic from specific clients out a VIP with AoN rules.

    But 1:1 NAT is bidirectional. Meaning if you use a VIP in the 1:1 NAT rule you don't additionally need an AoN rule to force it out the VIP.
    -> This already happens automatically. Otherwise it wouldn't be 1:1 NAT.

    If you use normal NAT forwardings from a VIP, you need AoN rules for outbound traffic if you want it to appear from the VIP.

  • Transparent Bridge & filtering problems…

    Locked
    9
    0 Votes
    9 Posts
    4k Views
    J

    So, I changed physical networks over, and things didn't seem to go as smoothly as I had hoped.

    When I physically separated the servers from the real .1.1 gateway, things appeared to work.
    I had set up individual firewall rules for each server to pass all packets in the WAN & out the LAN, and I could ping them from the rest of the world.
    However, they could not ping out. (or pass any traffic out)

    However, if I change their gateways to be the pfSense box (.1.2) then they can pass packets out & things appear to be properly filtered coming in.

    Am I just crazy? :-)

    Thank you!

  • Portforward and firewall rule in shell

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    dotdashD

    While it is possible to manually add rules to the firewall from the shell, it is a very bad idea. Stick to the web interface. If you are interested in the mechanics, this is a good place to start: http://home.nuug.no/~peter/pf/en/

  • DMZ

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M

    There is no port forward involved here …

    To access the DMZ you only have to have a firewall rule that allows your LAN to communicate with your DMZ, and since it's a DMZ you might want to restrict that access to only specific ports on specific servers in the DMZ, but there is NO NAT involved here ... Only firewall access rules ... For starters, create a rule that allows everything from LAN to DMZ. Usually there is a default rule in pfSense that allows the LAN to do anything; go into the DMZ firewall rules and create a similar rule to allow it to access anything...

  • Nat through ipsec tunnel

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M

    I think that could be done using twice the hardware … You will need two sets of pfSense to make it work ...

    LAN1 <-> pf1 <-> pf2 <-> Internet <-> pf2 <-> pf1 <-> LAN2

    The two pf2 establish the VPN and the two pf1 will be configured to route traffic into the VPN.

    Please note that I haven't tested or tried that; this is only an idea to make this work, but there's no guarantee that it could work...

    If the problem is that the traffic gets into the VPN before the NAT in FreeBSD, the idea is to force the NAT before the VPN using a different router.

  • Sending mail between 2 servers in DMZ via external IP

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S

    Hi MageMinds,

    Thanks for your post - enabling NAT Reflection solved the problem!

    Regards,
    James.

  • Weird VoIP issue

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M

    Did you change the sip.conf on the Asterisk server to match the externip=ww.xx.yy.zz setting to your static IP address? If not, you should remove externhost and replace it with externip.

    Then I have more luck forcing static nat in the Outbound NAT settings on the pfSense.

    Here is my config: the first line tells the router that my Asterisk server needs static NAT, the second one was auto-generated by pfSense, and the third one is only a copy of the auto-generated one to allow my WLAN to NAT.

    Here you can see details of the NAT configuration for my Asterisk server, located obviously on 10.77.2.5.

  • Disable packet filter

    Locked
    6
    0 Votes
    6 Posts
    16k Views
    C

    You can't disable the filter without disabling NAT, they're done by the same thing. If you don't want to filter traffic put allow all rules on all your interfaces.

  • Port not being correctly forwarded, causing timeout issues.

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    C

    If you need to do so in the future, follow the steps here.
    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

  • Dual pfsense setup NAT issue

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J

    SOLVED! BUT ...

    I made a mistake in the firewall rules, allowing subnet 2 traffic on the wrong interface (I have a third OPT LAN interface on the border pfSense). The setup shown is OK, but I have found another problem (it seems to be a known issue): the traffic shaper doesn't work when Squid in transparent mode is enabled.
    Searching the forum, I cannot find a real solution.

    Any suggestion?

  • Connect to my WAN ip…

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    K

    Yes, here are some images of how it looks in the WebGUI:

    http://www.pr0p3r.net/img/dump/1.gif
    http://www.pr0p3r.net/img/dump/2.gif
    http://www.pr0p3r.net/img/dump/3.gif
    http://www.pr0p3r.net/img/dump/4.gif

    Maybe it helps you? ;)

    edit: no other router before CC. Before, I had a router instead of CC, but I was not happy with the statistics and other things when I used that one.

    edit2:
    When I was in the logs for the firewall I got this (when I clicked on one of the red crosses):
    http://www.pr0p3r.net/img/dump/5.gif

    That's wrong?

  • Multiport NAT with a single rule?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    C

    @GruensFroeschli:

    You can use aliases in all fields with a red background.
    So yes you can use aliases in the normal port forwardings.

    Advanced outbound NAT is the "outbound" tab.

    Thanks Gruens

  • Help with FTP - easy to change to CARP VIPs?

    Locked
    14
    0 Votes
    14 Posts
    5k Views
    ?

    In case this helps anyone - I did not have any issues going from ProxyARP to Carp type of virtual IPs.

    But when I switched back (because I never could get the FTP helper to work), the Cisco router did NOT pick up on the new MAC address, and traffic wasn't being routed properly.  I had to call my ISP and have them clear their ARP cache for that particular IP.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.