• XBOX 360 open NAT HowTo for pfSense 1.0?

    Locked | 0 Votes | 6 Posts | 5k Views

    @bobvan:

    On one hand, I like the UPNP approach because it should only open what's necessary when it's necessary.  On the other hand, it's a license for any rogue bit of malware on my network to open anything it wants.  (Thankfully, I seldom run Windows.)  If I get UPNP working, I should probably add firewall rules that allow only the XBOX to talk to miniupnpd.

    This is a common misconception that doesn't stand up to analysis.

    The fact is, if you have malware on your network, on a typical firewall it's fully capable of opening up any outbound connections it wants. UPnP does allow it to open up inbound ports too, but only in a limited way. Is there anything that can be done with a UPnP inbound connection that couldn't, technically, be done through an outbound connection? No. In fact it's probably far easier and less likely to be detected (and certainly more reliable) for malware to create vulnerabilities through initiating outbound connections and local network sniffing.

    The reality is in a lot of cases UPnP is a lot more secure than alternatives like static inbound mappings as the ports are only opened when required. They are also (if the UPnP IGD is capable) loggable and monitorable.

    Sure, you don't want UPnP on a typical corporate network, but there's certainly a big place for it on home networks and even SME networks.

    Cheers,

    Keith

  • Getting to the external IP & port forwards from inside.

    Locked | 0 Votes | 3 Posts | 2k Views

    @mickrussom:

    Is there a way for the public to file bugs?

    You can create bug tickets at http://cvstrac.pfsense.com/ but please only file tickets when you are absolutely sure that you found a bug in the LATEST version or after you have been told by one of the devs to create a ticket. First discuss at forum or mailing list to make sure the problem is not caused by misconfiguration or whatever.

  • FTP not working on bridged connection

    Locked | 0 Votes | 3 Posts | 2k Views

    Problem solved. Thanks

  • Access Dyndns Address from Lan

    Locked | 0 Votes | 2 Posts | 2k Views

    Make sure your dyndns update was successful. Also are you talking about port forwards you created at WAN or to access directly to the pfSense? If you try to reach port forwards you need to enable NAT reflection at system>advanced (very bottom of the page).

  • OPT1 not able to hit WAN

    Locked | 0 Votes | 5 Posts | 3k Views

    Do you see the traffic being blocked at status>system, firewall? Also what gateway do the clients at the bridged OPT1 use?

  • Can't connect to ftp

    Locked | 0 Votes | 3 Posts | 2k Views

    Yep, that fixed it, thanks :)

  • 1:1 NAT problem

    Locked | 0 Votes | 3 Posts | 3k Views

    I have ProxyARP virtual IPs. I couldn't configure basic port 22 forwarding from
    ProxyARP IP into OPT1 interface.
    I need 1:1 NAT anyway and it is working now including ping (ICMP).
    How does it work? Or it shouldn't work and I have to use CARP?

  • Reflection without router-ip?

    Locked | 0 Votes | 2 Posts | 2k Views

    Use a split DNS setup.

  • NAT issue with RC3e

    Locked | 0 Votes | 3 Posts | 2k Views

    ygm

  • FTP Passive Private IP Translation To Public

    Locked | 0 Votes | 2 Posts | 3k Views

    Never mind… When I first tried this I didn't have pasv_address defined at all in the config. pftpx does translate it. I set pasv_address=10.10.1.15, the internal IP, and it works great both internal and external.

    Confusing as I swear it didn't work before.

  • Nat and dmz help

    Locked | 0 Votes | 3 Posts | 2k Views

    So is your bogus bug report.

  • Bridging problem

    Locked | 0 Votes | 6 Posts | 3k Views

    FYI, Enable filtering bridge is now checked, and rules added for the OPT1 interface. Everything seems to be working fine now… What a headache...

  • Simple NAT problem

    Locked | 0 Votes | 4 Posts | 2k Views

    Yes, that was fixed.

  • NAT question, how to NAT internal subnet to another…

    Locked | 0 Votes | 7 Posts | 6k Views

    i will try to get more information from them, maybe they can clear this up.

    thanks for your help!

  • Hide NAT

    Locked | 0 Votes | 4 Posts | 4k Views

    Looks like you rather want a multiwan setup than some freaking nat settings. I suggest searching the forum as this is a hot topic at the forum. Additional to this you can use advanced outbound nat to make some special things working (if it doesn't work right after setting up multiwan).

  • Force port on email server

    Locked | 0 Votes | 4 Posts | 2k Views

    No documentation yet on this, feel free to write some.

  • FTP Server reachable through OPT1

    Locked | 0 Votes | 23 Posts | 10k Views

    Dear Tomba,

    you are setting things up wrong. I have FTP as well as other services working at OPT-Interfaces forwarded from WAN and I also configured an FTP-Server for someone at IRC that was reachable from OPT-WAN.

    I suggest you get to IRC this evening and try to contact me there. We can try to make it work together by remote administration.

  • Dual firewalls, dual wan, carp - only one wan failing over properly

    Locked | 0 Votes | 12 Posts | 6k Views

    @BugeyeD:

    i see BLOCK/DROP rules here, none of which are being logged. i do understand why they are there and what they are trying to protect against. what i noticed as being odd was that WAN (em2) is not represented here, whereas OPT1 (em1) is. so naturally i have to wonder if packets are getting dropped at OPT1 and not on WAN, thus breaking failover on OPT1 but not on WAN. but since logs are not being generated i can't tell for sure.

    updated to the new snapshot, still have the same situation and therefore the same question.

  • Quake 4 or game servers behind pfSense

    Locked | 0 Votes | 5 Posts | 5k Views

    I updated to this latest snapshot and then tried to monitor my server via Server Watch
    and Qtracker and it still can't connect to it. It appears as though it is still not reflecting
    the UDP correctly at least for Quake 4.

  • Port forward NAT + accessing NATed Services

    Locked | 0 Votes | 7 Posts | 3k Views

    You always need a VIP to make use of additional IPs on an interface. It won't work without. This is something that is different from m0n0.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.