• Reverse dns exchange problems

    Locked
    10
    0 Votes
    10 Posts
    9k Views
    dotdashD

    Anything not explicitly allowed is denied, so you shouldn't worry too much. DNS should show closed from the WAN. The DNS forwarder will show DNS open from the LAN side- I don't think it should show open from the WAN, but I'm not 100% sure- I generally point DNS to an internal server instead of running the forwarder…

  • ARP problems

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    O

    Ok, so here's my follow up to the issue. Here is the setup:
    –-------------------------
    (Internal Nodes)-----|48port switch|--------<---------------------- Pfsense box----------------------->--------------|48port switch|-----|External Public IP's--------->

    (192.168.2-7)-------|SWITCH|--------------LAN(em2)192.168.1.1--|----------|-82.46.115.82(em0)WAN-------------|SWITCH|-----------(82.46.115.1-255)

    I was able to setup the internal interface em2 as 192.168.1.1 and the external interface em0 as 82.46.115.82.

    All the private IPs  need to have ssh,http, and https enabled.

    Which would be a better approach:

    NAT--->1:1---> ProxyARP with -->outbound NAT and all the proper rules that will forward traffic from external to internal interface.

    or

    NAT-->Portforward using single WAN interface address but different ports.
      a) Can all the internal clients have ssh,http, and https access from a single interface?

    Hopefully this helps, let me know if there is anything I can add.

  • Port forwarding not working

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    C

    Outbound traffic works.
    I tried the same configuration (same IP, etc) with a Netgear WGT624 router and everything including port forwarding worked. I also called my ISP and asked them to check that everything was properly configured on their side. It's really strange this won't work.

  • Problem to access mail server from LAN - access from internet works !

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    http://forum.pfsense.org/index.php/topic,7001.0.html

  • Host Header based port forwarding

    Locked
    2
    0 Votes
    2 Posts
    6k Views
    GruensFroeschliG

    You cannot do this with pfSense.

    I think if you search on the forum there is a thread about this exact same issue.
    Someone provided a solution but I don't remember what it was ^^"

  • NAT configuration through terminal

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    E

    There are anchors in the config so you can use those dynamically from the shell, but if you knew how to control pf(4) you already would know about it, right?!

    So do not mess with it till you are comfortable enough.

  • LAN cannot access local server

    Locked
    16
    0 Votes
    16 Posts
    11k Views
    E

    Thanks for the help, it is still not working but I think I know what I have to do!

    Cheers,
    Leon

  • Can't get port forwarding to work

    Locked
    14
    0 Votes
    14 Posts
    6k Views
    D

    Hey everyone,

    I searched the whole network yesterday, one device after another connected to the patch panel, and didn't find any mysterious devices on IP 192.168.1.1.
    I don't know…. well it works now so no big problem.

    Bye and thanks for the help.

  • CARP / NAT – WAN IP?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D

    Problem fixed when I used outbound NAT.

  • NAT reflection + slbd

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Virtual IP and Outbound NAT

    Locked
    13
    0 Votes
    13 Posts
    7k Views
    I

    Good idea :) use the same aliases for firewall and NAT, thanks. In this case it is better to use port forward.

    No more secure, but same as port forward I think. Both are protected by the firewall. Only if the firewall fails can using 1:1 be more of a security issue.

  • IIS FTP (I have searched, trust me :) )

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Redirect All DNS Traffic

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    D

    @blak111:

    Is there a way to catch all DNS traffic and redirect it to other servers such as the OpenDNS set? I have had several problems with guests having static DNS servers set so they never make it to the captive portal because of the DNS queries timing out.

    Hi Kevin,

    I'm not familiar with pfSense, but since it looks like m0n0wall fork and using PF, then the answer should be yes.  You have two issues.  One is redirecting the traffic, and the other is making sure your DNS server (or in this case, ours at OpenDNS) will recognize that it's meant for us, and that we know where to send it back.  For the first part, you should be able to use the rdr rules and for the second part you should be able to use the NAT rules.

    So just thinking out loud, something like this should work:

    First intercept the traffic from your internal interface:

        rdr on $int_interface inet proto udp from any to any port 53 -> $opendns_ip

    (note: you might only be able to do this to one of our IPs, not both, but that's okay, really)

    Rewrite the outgoing packets to actually have a destination of 208.67.222.222:

        nat on $int_interface proto udp from $int_interface:network to any port 53 -> $opendns_ip

    This is all just a total guess, but something like this should be possible. :-)  Let us know if you figure out the magic commands.

  • My own web not visible…

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S

    Thanks.. it worked :D

  • NAT and Rule problems

    Locked
    10
    0 Votes
    10 Posts
    3k Views
    D

    Ah… When I put a unique VHID Group on every carp IP everything was ok... :-)

  • NAT not working, already used search

    Locked
    7
    0 Votes
    7 Posts
    2k Views
    K

    Because I want to disable NAT on the router, maybe all port forwarding to the pfsense wan interface won't make sense.
    If it helps:


  • Squid with nat

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    U

    Thanks for the reply.

    I await the 1.3 release with impatience.

  • NAT 1:1 only for outbound, standard port forward for inbound help

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    P

    When Server A (192.168.4.250) tries to connect somewhere, its "public" IP shows up as 200.200.200.250.
    However, when someone tries to connect to 200.200.200.250, the port forward should route any packets on ONLY port 80 to Server B (192.168.4.240). Technically, if I were to 1:1 NAT, when someone connected back to 200.200.200.250 it would get sent to 192.168.4.250 and not to 192.168.4.240, and that's the problem :/

    If I understand you correctly, you want the VIP 200.200.200.250 to point to LAN IP 192.168.4.240, and the only thing you haven't done so far is setting up NAT -> Outbound -> Manual Outbound NAT
    WAN  192.168.4.240/32  *  *  *  200.200.200.250  *  NO

  • Problem with NAT port forward

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    GruensFroeschliG

    Well, to be honest, I find it a bit strange that you have a subnet of 10.0.0.0/8 on your LAN, and at the same time traffic destined for 10.0.0.0/8 should be sent to a gateway.

    To me this seems a bit conflicting.

    I mean, if something is in the same subnet as the interface itself, this means you shouldn't have to send it to a gateway because it's directly reachable.

  • FTPS cannot get through

    Locked
    9
    0 Votes
    9 Posts
    9k Views
    J

    Do you know some possible things to look for that would interfere with this working?

    We have dual wan.
    We have multiple FTP servers tied to different virtual ips.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.