well, I think I got things figured out; I waited a bit after I made the port forwards; and everything works; I guess it's just not instant, is all.

The order is correct. Setting up a Virtual IP is basically telling the firewall to accept the traffic coming in on that IP. For example, if the firewall's WAN address was 1.1.1.6 and you had a server behind the firewall that you wanted to get traffic sent to 1.1.1.1, you would have to tell the firewall that it is also using that IP address. Otherwise, the traffic comes in from your ISP's router and the firewall ignores it.
See
http://en.wikipedia.org/wiki/Address_Resolution_Protocol
and http://en.wikipedia.org/wiki/Proxy_ARP

Fixed. Thanks..

OK - that was fun figuring out….  It's a squid issue.  I reinstalled everything and started from scratch w/out any packages installed.  I got everything working great and then when I installed squid all 1:1 NAT reverted back to the router IP.

So, now that I have that fgured out, is it possible to run 1:1 NAT with squid, meaning, can I 1:1 NAT public IPs to private network IPs and proxy port 80 requests through squid (and still retain the public IPs)?  I hope that question makes sense...

thx

You should post your question in packages.  To redirect only certain traffic to squid proxy you'll need to edit squid.inc by hand and create an alias that will build your table.  Take a look at this post:

http://forum.pfsense.org/index.php/topic,6439.0.html

(note that squid package was updated since above post so inc file might look a little different now)

UPDATE:

I've managed a double NAT in active ftp in some way..
I've set the "ForcePassiveIP" parameter in pure-ftpd to the external address outside the network the server is on (192.168.1.1) in order to get passive on m0n0wall working. I've now tried to set up the pfsense too, and it seems to have payed off! :) Passive FTP is working trough the pfSense box now, I'm going to troubleshoot the passive connection in the meantime..

I've testet trough SSH on an external server

server <–----------->  pfsense/m0n0wall <-------------------------> routermodem (PPPoE)
10.0.0.4                    10.0.0.138/192.168.1.1                                85.167.x.x

Like I said, this is with double NAT. I have no idea why the bridge on the modem, and the PPPoE on the pfSense didnt work. Neither how the ForcePassiveIP parameter affected the active FTP-connection with the server..

Though, it do not work through the simple external FTP-tester I've been using a lot, including the SSH ofcourse.
http://www.g6ftpserver.com/en/ftptest

To others experiencing the same issue:
Configure passive connection on your FTP-server and force the passive IP to the external IP from the network your in. (above)

Though again. This configuration may be trouble for my CStrike connection. I will need to test out that too..

enable NAT-reflection

Ok, well I'll ask this then..

How can I get DHCP on my WAN address to pass thru a filtered bridge onto both the OPT1 and OPT2 internal adapters?

Thanks for the replies. I got it working but I am not sure how. I was sniffing with wireshark and in the midst of my troubleshooting it started working. Did not change anything in the firewall config.

The router was working correctly as well. It was sending out ICMP packets that were getting a response and the ones that were not getting a response exactly the same way.

One key thing that I forgot to mention in my original post is that this is a cable connection.

Since the time the problem mysteriously fixed itself I have tore down the whole setup a couple of times and rebuilt it. And I have been able to reproduce the problem but not with consistency.

One thing I found that fixes the problem every time is rebooting the cable modem after I am done creating all the VIPs. Any VIP that did not exist when the cable modem was powered up has a random chance of working. But if I reboot the cable modem after creating the IP then it would work every time. I did not sniff the wire to see if the modem was somehow ping sweeping my CIDR block to see which IP is live and which is not. It wouldn't make sense for it to do that.

In any case, I'll post back if I find anything concrete. Right now my troubleshooting is not conclusive but at least I know how to get it working.

What a great product BTW. Very impressed.

Try this:

http://forum.pfsense.org/index.php/topic,1528.0.html

You know what, I am an stupid. I just remembered I did not tell the spacific rule itself to log, I just had logs in general on… Dohh... Anyway I am in the process of rebuilding it now due to crashing for some odd reason after the 11/6 snapshot was put on.

When I am done I will remake the rules and what not from scratch and maybe it will work now, I dont know... :)

If not I will post back with my findings as I only have one more day to get this thing working. :(

If anyone else can think of anything please let me know,

But am I correct in assuming that making the rules like I did it should just pass all traffic going to the 5 public IPs to the 5 local on the DMZ and it will be upto the hosts/devices to firewall? That is what I am after. I know I can do individual ports but I just want EVERYTHING allowed on these 5...

UPDATE Guess I am dead right now... The 11/6 snapshot is broke it seems or at least for me... Posted my problem in install/upgrades... I keep getting random reboots. So cant finish playing with this until that system stays up. :)

I am new to all this myself but my understanding, someone correct me if I am wrong, is that when it is unchecked the box makes random ports for the outgoing connections. This is more secure because say if someone was following your traffic they would get lost in it because it changes the port number.

If you check that, it will force it to use the same port number.

Some things dont like the port changing like that but a lot of home routers do it even…

Hope that helps, maybe someone will chime in if I am off..

Hello guys!
Well, I reinstalled my pfSense, and still have dual-wan configuration, but now I configured it with static WAN IPs (for WAN and OPT1).
Now everything works fine. So at this time I setted up in modem-router mode my ADSL modems  ;D
But the problem is that the modem router is not able to handle so many connections …
I plan to install 2 old PCs for router only (pfSense or other ...)
So with static WANs configuration, based on tutorials it's all OK  ::)

Your problem was not the "static port option" but more that you forgot to follow the note which is on the AON-page.

Note:
If advanced outbound NAT is enabled, no outbound NAT rules will be automatically generated any longer. Instead, only the mappings you specify below will be used. With advanced outbound NAT disabled, a mapping is automatically created for each interface's subnet (except WAN).

–> you have to add your outbound-NAT rules manually.

To avoid such problems you could create a single rule with as source "any".

Turn the static port off and see what happens. It may fix it, if those phones don't require static port. That's the only reason it would work in a default 1.0.1 and not 1.2.

So you're saying the server won't know it has any public IPs at all, it will simply have multiple private IPs?

That could pose issues as the server runs cPanel and may get confused if it's unaware of what it's public IP is. Then again it might work great. I'll have to try that, I can't come up with any other ideas…

Thanks!

Hi!
I've found that generally access to server from behind the same NAT is impossible. Does new version of pfsense solve that problem? Is it problem only with BSD or under linux is the same?

Regards,
Hans

ok then..  ???

any foolproof method to fix the FTP entry one last time anyone? :)