Test-system: WAN: 192.168.20.5/29 LAN: 10.0.0.0/24 Server: 10.0.0.12 1: create VIP. 2: create 1:1 mapping 3: create firewall rules on LAN and WAN to allow traffic from and to the server IP. [image: carp.jpg] [image: 1to1.jpg]

The standard command port is 22. You will need to look at your cerberus config to find out which range it uses for data.

But if you already have multiple names, shouldnt you be able to distinguish them by this name(IP?), and just make some destination-based rule decisions? Yep, the trick is ascertaining the hostname that the client is requesting.  (We can't turn the problem around and do it based on the client IP as these people travel).  If it were simple HTTP then we could use the inbound load-balancer (I think) but since it's direct RDP we're trying to extract the same data from the RDP session instead.

This is sourcebased nat. This is not possible currently.

Comcast is blocking pptp.  I went to the customer remote site and connected perfectly. Thanks for the help

Turned off ftp-helper on all interfaces and added a port forward on the lan inteface for ftp port and a passive range and it works great :), thx.

0.0.0.0 & 10.122.17.x - external to your network?

Looks like that will solve the problem just fine. Thanks hoba!

Thanks  :)

oh my god… that did it!!! this simple thing took me several hours, very much coffee and much more cigarettes... ;) thank you very much!!!!!! regards, sebastianus

Unfortunately, those servers behind pfSense Box are not able to set default gateway of 192.200.9.7. Due to this problem, I'm planning implement a Reverse Proxy (Pound) after pfSense box. From my noob understanding, with reverse proxy attached to the network, default gateway(192.200.9.7) is not required to be set on those servers…. am I rite??? ??? ??? Thanks for feedback...!!

HOBA, as always, thanks again as you resolved it for me.  From what I just experienced, pfSense is much "pickier" than something like Linksys.  All this worked using Linksys - even with changed RDP port on client machines.  pfSense is however, also MUCH more flexible.  Your advice on not changing default port in the RDP example was right on.  I changed all my LAN workstations back to default 3389 and just did NATTING of the port externally.  Not only is this less administration on each workstation, but it is also much cleaner. I also learned that maybe ports below the 1024 (e.g. 0327 in my case) does not work, so use above that as you suggested and it worked!  Maybe it is a pfSense or BSD thing, but it is just something to remember. Thanks again!

that makes sense now, I was certainly still using NAT 1:1 at that time without reverse-proxying the ftp server. thank you!

Check http://devwiki.pfsense.org/PfSenseDevHome for some developement related info. Also Try to learn from one of the other packages. You can check them out here: http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/packages/

No, I can't I don't have the old wrap board anymore. And yes, I'm running the "new" ALIX board.

Hello, I work in a spanish University. I have a network topology like yours, with now, everything working. If you still need help, I can help you. Bye

@GruensFroeschli: I would use 1:1 NAT only if you need a really large amount of ports on a server. For everything else i'd use normal forwardings. For the FTP to work correctly hoba wrote in several placed how to do it right (like here: http://forum.pfsense.org/index.php/topic,8464.msg47487.html#msg47487 ). If you use 1:1 NAT you can no longer use the IP for other "normal" forwardings. Or is your question if you can use 1:1 NAT for some IP's but normal forwardings for others? –> yes. Are all the FTP problems faced when accessing FTP from Internet?  I did not do anything besides the stock settings and yet, I have no trouble with secured as well as unsecured FTP using an IPSEC connection or PPTP connection over the internet. Thanks

ok thanks, i will give it a look this weekend.

This is not doable through the gui currently (not sure if it's doable at all).