• NAT works for Virtual IP but not for WAN address

    No one has replied
    Thanks for your help, I'll give this a go…!
  • Port forward not working

    johnpoz: What doesn't make any sense is why, when he shows the rules, there is no dst port in it. So I just fired this up as a quick test: I forwarded 4000 to 22, then validated that when I check 4000 it shows open by sending traffic to my box on 22. You'll see that the firewall rules show 22 to my 192.168.9.7 IP. The NAT rules are evaluated first, and then it hits the firewall rules, from my understanding, so that actual dst port needs to be open. Looks to me like there is UDP traffic to 7999 as well. What is the point of the redirection? Why don't you just forward port 8000 in? It's not like you have any other ports being allowed on 8000 so that you have to use a different port.
  • Blocks any traffic in the FORWARD chain

    @KOM: "Everyone: The use of terms of endearment is common with speakers from the Middle East. While they may appear out of place to us in a technical discussion, please don't mock them for it." Noted. Though in truth I thought this was more a Google Translate error and was really gently mocking what I thought was a technical mishap on their part.
  • NAT Question

    @johnpoz: "Because you're inside your network. You need to TEST port forwards from OUTSIDE your network." Thank you, already tested and working!
  • NAT rule timer for automatic removal?

    KOM: I think the best you might do is to link the NAT's firewall rule to a schedule.
  • Setting up NAT regarding FTPS and another machine using SSH

    johnpoz: Did you forward these ports? https://doc.pfsense.org/index.php/FTP_without_a_Proxy
  • Scheduled inbound NAT

    @kaotiklabs: "Seems a good idea, but RTSP seems a tricky protocol and I don't really know if it's possible. Which kind of proxy should I use? Must it be a specific one for RTSP?" There are plenty of proxies if that's the route you want to take. HAProxy and Pen are two I can think of off the bat. Or there's ZenLoadbalancer if you don't want to do too much command-line work. I've used proxies for web traffic, FTP and even SMTP traffic, so I would think it could handle RTSP, though I haven't tried it with that specific protocol before myself.
  • Disconnection in game

    I'm surprised it let you do this. 192.168.0.0/24 and 192.168.0.0/18 overlap, a good router should balk at this. /18 is a 2/6 split of the third octet, IOW 192.168.0.0/18 is 192.168.0-63.x. You have a really big network there, 16K hosts. If you really want a /18 and want to use 192.168 for it while keeping 192.168.0.0/24, then you should make it 192.168.64.0/18.
  • Update to newer version of pfSense

    It's all in here: https://doc.pfsense.org/index.php/Upgrade_Guide
  • Problems with NAT and Internet access

    johnpoz: And how is it going? Where you don't use the same network on both sides and just let pfSense use its own network behind and NAT?
  • pfSense as a gateway for multiple LAN devices using NAT.

    Hi. Yes, you were right. The 1:1 NAT made pfSense map the traffic with the IP of the NAT. Instead I use a port forward from a WAN IP to a LAN IP, and an outbound rule to the IP address of the WAN interface. ;D Thank you for your help.
  • NAT to IP on other site of VPN tunnel

    Have you been looking at the traffic flow using tcpdump on site B to see if requests reach the server and what happens when the server responds? Syntax in shell: tcpdump -i LANIF -n host externalclient, where LANIF should be replaced with whatever interface on pfSense your server is connected to and externalclient replaced by the IP of the client on the internet trying to reach the server. If you don't see any responses from the server here, then try to change LANIF to what corresponds to your WAN interface and try again. If so, you might have a case of what is called asymmetric routing, i.e. the client on the internet surfs to your public IP on site A, traffic flows over to site B through IPsec and eventually reaches the server on site B. The quirk is that the server on site B cannot find the client IP in any routing table except the default route, and that points out through the WAN interface of site B. In that case you'll have to rewrite the source address at site A.
  • Inbound SIP Traffic

    I think you're right. I've been watching the logs and everything looks good now. I think there was an alert that triggered the blocking of the SIP provider, which also caused further traffic to be dropped. I'm not sure which rule caused the block at this time, but I am keeping an eye on it. I tried whitelisting an alias which contains a list of IPs that we frequent, but Snort throws a fit with the alias whitelisted. Anyhow, it seems to be working atm, but I am watching it. Thanks for replying.
  • Problem Forwarding Ports

    KOM: If you have the ability to switch it to bridged then that's the preferred solution over double-NAT anyway.
  • One way RTP traffic

    RTP needs open ports for the return traffic. rtp.conf on the Asterisk server is where you can define a range of ports to use, such as UDP 10000-20000. Then in pfSense create a WAN rule allowing the range in to your Asterisk server. This is in addition to 5060 for the SIP session and the NAT rule. If both sides are behind NAT you will need a STUN server to assist with the connection, I believe. http://linuxjournal.com/article/9399
  • pfSense on ESXi - only one way traffic???

    jimp: @KOM: Thanks, but I'll keep playing with the other two for now. LibreOffice Draw is already on my home box and it seems to do the job. Getting decent network image templates was the stickler, and the VRT stuff seems good enough to me. LibreOffice Draw + VRT is what I use for the diagrams in the pfSense book (now, as I'm updating it), and other places like the Hangouts. Not sure if I've moved any over on the Wiki yet. They are nice shapes with a permissive license, so there are no concerns with using them in published diagrams, too. LibreOffice Draw has lots of room for improvement but it's not too bad these days.
  • Complicated NAT Question

    johnpoz: No, you do not need to remove the auto. You need to make sure that the webserver talks back out the same IP it came in on.
  • WAN dropping connection

    Haha yes. I think I dodged a bullet here :o
  • NAT forwarding to other than FQDN or IP??

    johnpoz: "exampletwo.domain.com that needs to go to 10.x.x.x/user/service" Sorry, but firewalls don't do that kind of forward. A reverse proxy could do that sort of forward. Use a reverse proxy package on pfSense if that is the sort of thing you want to do.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.