• NAT for capturing DNS requests?

    10 Posts · 4k Views
    I tried to figure out what is wrong with double NAT and still don't see it. Perhaps there would be a problem if I had a server or ran games, but I don't. I have a few old boxes running Windows XP that I am trying to keep alive. To do what you suggest (the "clean" solution - I've already thought of it) I would first have to go out and buy a switch, which seems a little silly since I already have that on the Cisco router. Not only that. If I had to remove the pfsense box for whatever reason (it's in development after all) it would require my users to dig out the old router and re-cable it, a lot more difficult than moving a single cable as in the current setup. That's assuming they don't just cable the switch to the modem, leaving the network with no firewall at all! So the "clean" solution is actually substandard at the moment. After I get up to speed on pfsense and have some confidence in the configuration, hardware, etc. then I may go ahead and change over. I brought pfsense in because I wanted to learn it, and because my old crappy network needs a security boost.
  • Upgrade from 1.2.3 to 2.02

    2 Posts · 1k Views
    jimp: The config should import OK unless you happen to have international characters somewhere. See http://doc.pfsense.org/index.php/Upgrade_Guide#International.2FSpecial_Characters_in_1.2.x_Configs
  • Port Forwarding Setup for Xbox 360

    1 Post · 1k Views
    No one has replied
  • 3 Posts · 3k Views
    Need some clarification. What kind of internet connection do you have coming in? What does your network map look like? I'm curious as to why you're using a VIP and 1:1 NAT. Also, to access your FTP via its external address from your LAN, you need to enable NAT reflection.

    The internet connection is a basic business cable with several static/public IPs to use. I'm not sure why I'm using a VIP and 1:1 NAT; basically that is how I had it set up with my old router. [image: map.jpg] Hopefully I have NAT reflection set up correctly. Besides FTP, my webserver is accessible via its same 24.196.135.163 external IP from inside my LAN, so I hope that means NAT reflection is working. Here are some screenshots: [image: Picture_11.jpg] And the bottom of my Firewall: NAT: 1:1: Edit screen has: [image: reflection2.jpg]

    The FTP server's external IP (with a 1:1 NAT) is 24.196.135.163 and points to the internal IP of 192.168.1.243, but yet your 1:1 NAT is going to 156.46.80.243.

    Sorry, that was an old screenshot. The 1:1 NAT is going to 192.168.1.243.
  • New NAT rules not working

    17 Posts · 8k Views
    jimp: Use the button in the GUI to submit the crash report and let us know the date/time it was submitted. I'm not sure why just the firewall rules aren't making it to your rules.debug, though the most likely scenario is a package hooking into the rules process that is not doing something correctly.
  • Can't reach dmz/opt from lan

    3 Posts · 2k Views
    Yes, it's 3 physical interfaces. As for the logs, I'm afraid they got lost when I misconfigured the whole thing when trying a different approach in bridging together LAN and DMZ to have a more transparent firewall setting between the two. At some point I managed to completely lock myself out in doing so. Going back to defaults via serial console didn't help either, so I guess I'll flash that CF card again, and try once more, adding extra logging as you suggested.
  • [SOLVED]Problem with h323 video-conference

    6 Posts · 4k Views
    I resolved this issue! There was a problem in the customer's LAN settings. Now it's all OK. My working configuration is based on 1:1 NAT between the Aethra and a public IP on the WAN. I also added a rule with all allowed in both directions (this is not a major issue, because the Aethra is normally turned off). With this setting the H.323 connections work fine.
  • Beginner - mapping web server public ip to internal private ip

    6 Posts · 14k Views
    I don't think a NAT 1:1 solution is the best option here. This will NAT your global IP to one of your internal ones. Thereby all of your internal ports will be exposed to the internet, so the firewall on your webserver also needs to be strong. But since this host may not only have port 80 open, it could be that port 22 or 3389 is also available to the public. I've been running pfSense for 5 months now and had some trouble regarding NAT in the beginning. If you are able, also install pfSense as a VM on your desktop/laptop. This way you can simulate connecting from WAN or LAN. Do port scans and test your security that way. If it works on your VM, you can use it on your "production system". Hope this helps.
  • Firewall states vs NAT port mappings?

    5 Posts · 2k Views
    Yesterday while the Internet was running really slow for everyone… I was watching the realtime traffic log, seeing huge intermittent spikes for individual student machines. These spikes last only a few seconds but each spike nails the connection to the wall at or near 100% bandwidth (23 megabit). None of this is picked up by my Cacti SNMP even with it set to 1 minute polling, or the ISP SNMP logger with 5 minute polling.

    [image: 100824621m.png] [image: 10081641505m.png] [image: 10089319m.png] [image: 1008911724m.png] [image: 10085019m.png] [image: 10084718m.png] [image: 1008251643m.png]

    Turns out nearly all of these student machines were running some music service I've never heard of called Spotify, plus also the Apple Mobile Device service running at full tilt. So, as a test, today I have enabled the Packet Shaper in pfSense. Any p2p and unclassified traffic will be throttled to 5% of our total bandwidth. That is still rather generous I think… 5% of 23 meg is 1.15 meg. Oh, and we also declared that no student may use headphones in a class that does not require them, or listen to streaming music or watch streaming music videos in any class. Doing so will result in disciplinary action. Today's bandwidth has been... a bit less... though this needs more time to see what happens.

    [image: lesstoday1wkbgif.png]

    (Night of April 2nd I was downloading a service pack on 20 machines at once. I had no problems maxing it out, and the Internet still worked, but slow.)
  • 1 to 1 NAT Public IPs

    9 Posts · 5k Views
    I am glad that you were able to prove to them that the issue was theirs. Routed is some of the easiest to troubleshoot since there is no NAT involved. It is usually something to do with something not using pfSense as the default gateway. This causes a split route and breaks the completed route. Or, it is a firewall rule being incorrectly formed. Traceroute will help the most here.
  • Interesting occasional VoIP failure issue.

    2 Posts · 1k Views
    Have you checked your state table to see if it's filling up too quickly?
  • Xbox 360 on different subnet

    1 Post · 1k Views
    No one has replied
  • Replacing Debian Server

    1 Post · 2k Views
    No one has replied
  • Enabled Manual Outbound NAT rule generation, sites not working?

    12 Posts · 5k Views
    @SysIT: I do have Block private networks / Block bogon networks enabled on the LAN.

    Enabled on the LAN, you say? Not WAN?
  • Static routing needed?

    12 Posts · 4k Views
    Thank you for your response. It is really appreciated. You have stated what I actually suspected about ROUTER B in that it would need to know about the LAN subnets of ROUTER A & C, which it doesn't have at this time. ROUTER B is actually a PE router on an MPLS network. Somebody (I don't know who) supplied ROUTER A & C internal addresses to the MPLS network provider, who then entered these into ROUTER B's routing table. Hence why ROUTER A can ping ROUTER C and vice versa, because ROUTER B has those in its routing table. We don't have any direct control over this, although we can phone them up and they will adjust it.

    Anyway, what was once our internal router address on ROUTER A (10.1.1.1/24) has now become the ROUTER's external address with 10.1.1.1/32, and the same has happened with ROUTER C. Ultimately, we need ROUTER A's old LAN (10.1.1.0/24) to be able to talk to ROUTER C's old LAN (10.1.2.0/24), but the only way I could get both routers to connect to the MPLS network was to specify the internal address of the routers as the external address of the router and then specify a new internal subnet (192.168../24).

    What I would prefer to do is to leave the internal LANs (10.1.*.0/24) as they were and allow them to communicate with each other. However, I'm unsure as to what to ask the MPLS network provider to do with their PE router to make this work, as they will charge us to adjust this. I was thinking that if I asked them to adjust the routing table in their PE router from 10.1.1.1/32 (our ROUTER A) to 10.1.1.1/24, all traffic destined for 10.1.1.0/24 would flow to that. E.g. from ROUTER A (10.1.1.1/24) > ping 10.1.2.24 (client on ROUTER C's network), it would go to ROUTER B, which would then forward it onto ROUTER C (10.1.2.1/24), and then ROUTER C would route it to the client 10.1.2.24. Or am I barking up the wrong tree here? I apologise if I sound stupid here, but this sort of routing is all new to me as we've previously used NAT & IPsec.
  • Port Forwarding for ICMP / Ping, without 1:1?

    3 Posts · 4k Views
    jimp: Another note: On 2.1, there is an ICMP choice in the protocol list for port forwards.
  • 1:1 NAT - What's "Internal IP" vs "Destination"?

    2 Posts · 3k Views
    On the edit screen, it has this text: "The 1:1 mapping will only be used for connections to or from the specified destination. Hint: this is usually 'any'." If I understand that correctly, it means that if you want 1:1 NAT to work only for a particular Internet address or subnet, you could do that here. I can't think of why you would want that, but it would basically limit who would be allowed to use this NAT.
  • Totally confused!

    3 Posts · 1k Views
    Are you running different subnets on VLANs or on different physical network interfaces? The gateway for the PCs should be the pfSense IP address assigned on that interface (either virtual or physical).
  • Problem with host in DMZ and NAT

    3 Posts · 2k Views
    OK, thanks for this. The setup is brand new, with different IFs and IPs:

        WAN (wan)   -> vr1 -> 192.168.179.20 / GW: 192.168.179.1
        LAN (lan)   -> vr0 -> 10.0.0.5 / GW: 10.0.0.1
        DMZ (opt1)  -> vr2 -> 192.168.2.1

    The https server has 192.168.2.2/24. When I'm trying to get the https page from a 192.168.172.xx client host, the same problem: lots of SYNs but nothing else. Automatic NAT, no manual NAT rules this time. See the rules: [image: nat.jpg] [image: wan.jpg] [image: dmz.jpg]
  • Squid reverse proxy AND NAT

    2 Posts · 2k Views
    keyser: Hi stan. You could change your internal DNS to point to the external IP that publishes the site through squid. That way your internal clients will access the site through squid just as external users do. If you NAT forward to the loopback adapter and have squid listening on that, I guess you could enable NAT reflection to allow this to work. Keyser
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.