• Enable Advanced Outbound NAT question

    Hoba,

    Thanks for all your help.

    It did exactly what it was supposed to.

    PFSENSE is a great product!

    SFM

  • Forward SSH from LAN to WAN

    I have that exact setup at home and even have ssh enabled at the pfSense itself. Add a log to the firewall rule that permits ssh traffic to the asterisk box. If you see a pass at status>systemlogs, firewall and also see a state for this connection at diagnostics>states, the connection was allowed. Then it has to be something on the asterisk box.

    Btw, make sure your rules order is correct. You can't allow a connection somewhere at the bottom of the list when you blocked it somewhere above.

  • Kamdelia network status firewalled Part2 Picture solution

    Just want to say thank you for this post. I was trying to figure this one out too, with no luck.
    Got my Kad in the Open state now.
    :)

  • Nat Local to Local

    Create portforwards at interface LAN, destination any for these ports and forward them to the internal IP of your proxy.

  • Inbound port forwarding with Dual Lan Setup?

    Try to add pass through IPs for these hosts as well.

  • Web site on DMZ can't connect from LAN

    @SFM:

    You can only forward port 80 on one server (let's say you have 3 web servers on the DMZ meaning you have 3 servers with port 80 open on each server)

    I don't get that part of your question but natreflection will work for all portforwards that you add if the range of the portforward is less than 500 ports.

  • Port forwarding vs 1:1

    Both ways of NAT run through the same firewall/filter. You have to add rules to permit traffic in addition to the NAT, and the rules are even the same for using 1:1 or portforward. It doesn't make a difference in security.

  • Trouble with HTTP in DMZ

    There is no security issue with that feature as it just enables a proxy at your internal interface to reflect the connection back to your internal portforwarded client. It puts a little bit more load on your device and uses a bit more RAM, but besides that there is no problem with that.

  • Ftp only works port connection type not passive

    GertjanG

    @sullrich:

    #1 Make sure you are using CARP type ips for virtual ips
    #2 Make sure the port forward is for port "21" ONLY

    If you are on the latest version and follow the above it really should work.

    Sure?

    I'm using a PPPoE connection on the WAN interface, and I can assure you that

    These two ones are running after reboot (and IP 24H 'hup'):
    /usr/local/sbin/pftpx -c 8021 -g 8021 192.168.1.1
    /usr/local/sbin/pftpx -c 8022 -g 8021 192.168.2.1
    This one won't be there (except when making an initial FTP port 21 rule in the NAT table - Apply)
    /usr/local/sbin/pftpx -f 192.168.1.2 -b 82.125.93.41 -c 21 -g 21
    If an FTP port 21 rule was already present, I have to remove it before (as the 2 auto created firewall WAN rules).

    Am I saying wrong, or do I miss something?
    When filter.inc installs pftpx [wanIP] [lanIP]…, pftpx will bail out (visible in the system log).

    Anyway, checking check_reload_status.c right now to see who is running what and when.... (rather simple piece of code at first - but your baby IS complicated when you dig into it...)

  • Nat reflection and udp

    Woops.  Please test my latest filter.inc:

    http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1

  • Problem with pointing IPs directly to servers

    I have heard people say "latest" and they were months behind…

  • NAT port forwarding and VIP question

    ServerNAT is 1:1 NAT in pfSense, though you can also use a combination of portforward and advanced outbound NAT to do the same. However, portforwards support the NAT reflection feature if turned on at system>advanced.

    Which type of VIP you use depends on your needs and how your connection is set up. ProxyARP is basically the same type that m0n0 uses. CARP is mainly for redundancy but will work on a single box too. Using it, it's easier to add failover later. Other is accepting IPs but won't produce Layer2 messages for this IP. This usually works if your provider routes additional IPs to you without the need that the pfSense generates layer2 messages for it.

    If proxyARP worked for you in your previous m0n0 setup go with it.

  • FTP Proxy / Nat dependency Bug

    It already is included in the latest snapshots: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-07-06/

  • Quick question

    The option you are talking about is called "static port" in pfSense. You'll find it at firewall>nat, advanced outbound NAT tab. See http://forum.pfsense.org/index.php/topic,104.msg5876.html#msg5876 for the problem you have and how to set it up correctly.

  • MS FTP on DMZ not working for WAN Access

    Ok tested externally and all is working after the NAT rule is deleted!  Thanks.

  • Tight VNC… and NAT

    The problem is not any source but the any destination that you have in your rule.

  • Problems with IPsec Client (NAT-T?)

    And there's no solution to use these clients from behind a m0n0wall/pfSense?

    It's a BSD issue, isn't it?

    Are there any solutions like m0n0wall or pfSense based on Linux?
    pfSense is really great, but I need these clients more and more in future… :(

  • How to do this special NAT?

    My modem router crashed when connections were more than 200. But it works well in client PPPoE dial-up.

  • VoIP b/t subnets - audio problems

    @hoba:

    NAT is making problems with a lot of VoIP implementations as long as you don't have any kind of proxy or STUN server. I would suggest setting this up without NAT and simply route between OPT and LAN. If you want to add some security to your unsecured access point, enable captive portal at the AP interface and add the MAC addresses of your VoIP phones as passthrough MACs.

    Thanks for the suggestions!
    Unfortunately captive portal just isn't secure enough, it would be trivial to spoof the MAC and gain access.
    I'll keep playing and see what I can come up with. I still think there might be a solution with static ports, just need to figure out how that works.

  • Port forwarding question

    At system>advanced enable nat reflection (very bottom of the page).

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.