• NAT on dual WAN

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    dotdashD

    Yeah, you wouldn't need the port-forward if you didn't want to make any services on the box available via the outside. The gateway and outbound public would be handled via the firewall/NAT rules.

  • IP NAT address pool

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    dotdashD

    I haven't tried this myself, but I think that you can define VIPs for your publics, then select 'any' for the translate address in the outbound NAT. pf will allow using a table with various addresses for NAT (if you only wanted to use some of your VIPs), but I don't know of a way to configure that in the GUI.

  • Virtual IPs having emails rejected.

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    C

    @sullrich:

    Use advanced outbound NAT to force the outgoing traffic from the internal IP to the correct CARP address.

    Unless you're using 1:1 NAT, in which case this should be done automatically.

  • 0 Votes
    5 Posts
    2k Views
    C

    I mean a firewall to do IPsec and another to do NAT, both at the same site. It would be a messy complicated setup (and I'm not totally sure it would be possible).

  • Nat and Filtered Bridge possible?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D

    Filtered Bridge = enabled, pass all
    Traffic shaper = on
    Outbound NAT = on

    Rule NAT

    LAN    10.62.0.0/24  *  * 25  *  *  NO

    If I send mail:
    1. One time no connection, but in the queue it shows qmailDown activity and
    filter log

    Jun 14 22:24:13 router pf: 3. 446895 rule 223.qmailDown.4/0(match): pass in on rl0: 10.62.0.30.3420 > 194.67.23.111.25: S 613257647:613257647(0) win 65535

    Try and try again:
    2. Over time the send succeeds, but there is activity in the def queue
    ???
    Any idea?

  • LAN IP INSTEAD OF SOURCE

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    R

    Where would I go to find the FTP proxy that's enabled? Why would this be a normal setup? I would think you would want to tell where your FTP users are connecting from. :)  Thanks for your help.

    -edit I found it finally :)  Thanks for the help, it shows the correct IP now.

  • FTP server on port other than 21

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Static route and NAT pfsense1.2

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • NAT IP Protocol 4, 93, 94 ?

    Locked
    4
    0 Votes
    4 Posts
    6k Views
    A

    I forgot to mention the server in the DMZ does have a secondary IP address within the 44 domain on the outer interface, 44.8.0.115, which has an internal link to a JNOS application with an IP of 44.8.0.32 via tun0.

    So what I was trying to accomplish was linking 44.4.4.4/32 (which resides in the inet) using an IPIP tunnel through the pfSense firewall to the server within the DMZ that has a 172.16.1.12/24 and 44.8.0.115/24 IP address on the outer interface, and in turn pass it on to the 44.8.0.32/24 application over the tun0 internal connection.

    The IPIP tunnel works fine as initiated from the server in the DMZ to the remote gateway. The remote gateway cannot initiate a return tunnel, as I need to allow IP protocol 4 in from that server all the way through the pfSense firewall to the DMZ server.

    The outer router/firewall can forward IP protocols as required.

  • NAT / Forward ICMP

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    C

    Can't NAT ICMP unless you're doing 1:1.

  • Terrible "Send" quality on VOIP Softphones…but ATA's work fine?

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    O

    Will be upgrading as soon as it's available in our area. Have been promised "2nd Qtr 2007" for about a year now, so hopefully they live up to their promise.

  • 1:1 NAT not working in outbound direction

    Locked
    17
    0 Votes
    17 Posts
    9k Views
    S

    Thanks!  And for the record you have a somewhat complicated network :)

  • Is there a way to block individual LAN IP's from accessing the WAN?

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    O

    @tedced:

    Blocking LAN computers from accessing other LAN computers can't really be done effectively at the router. Communications between PCs on the LAN are done directly, not through the router.

    You could do it from a managed switch by blocking the individual port.
    Or just unplug the PC from the switch.
    Or have a short DHCP lease time and prevent the PC from obtaining an IP. I wouldn't go shorter than a few hours though, especially if you have a lot of boxes.

    Using the alias to block outside communications is a good idea. The rule on the LAN tab will catch most traffic; to be sure, you could also create a rule on the WAN tab to block communications with the destination of the blacklist group.

    So what you and BugeyeD are saying is, in addition to the rule BugeyeD set out above for the LAN tab, create the reciprocal rule in the WAN tab to block both sides of the "conversation"?

    I'll do that now.

    Also, point taken about the blocking LAN traffic thing. It's not a major concern, as most of the time I just want the WAN access removed, but want LAN to remain so the internal network can carry on as per normal. And I suppose another way to do the LAN thing is to give every computer a static DHCP listing, then select "disallow unknown" or whatever the option is called, from obtaining a LAN IP, and just flush the states so the target computers are off the LAN as well. Though that will be a far more rare occurrence than the Blacklist Alias.

    Thanks guys.

  • RE: port forwards

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    R

    If the box MUST use a gateway IP of a device other than the pfSense box, go and redirect the traffic via another program to your machine. Examples are as follows:

    If you have another Windows based computer there in your setup, and it uses the same gateway as your 192.168.20.2 computer (not the pfsense), install a port mapping program like PortMapper from AnalogX onto the computer.  It can be found at: http://www.analogx.com/contents/download/network/pmapper.htm

    Once installed, you must set up a port-forward rule on your pfSense to this 'temp' computer (say port 80), then set up PortMapper to forward port 80 over onto the 192.168.20.2 computer.

    I use this method all the time for when I need to access ports on a computer not using pfSense as my main router, as it uses another router/ISP to get out to the Internet.

    If you only have non-Windows-based computers in your setup, I do think there are other redirect/port-mapping programs out there that can function the same as PortMapper.

    Good luck!

  • NAT to FTP long time

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S

    http://wiki.pfsense.com/wikka.php?wakka=FTPTroubleShooting

  • Specific NAT question.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S

    Please do not cross post.  This was sent to the mailing list as well!

  • Help with natting – i think

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C

    What version?

  • Adv. Outbound NAT with Dual WAN (No Loadbalance) and Multiple VLAN?

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    T

    DNS is definitely the way to go, just get your name to resolve to WAN2 and then route the necessary port in.

  • Intranet can't connect smtp from Intranet

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C

    Hi akong,

    Have you the appropriate rules in place allowing your LAN (Client Workstation) to access your OPT interface (Mailserver)?

    Are you connecting via SMTP or POP or IMAP or RPC/HTTPS..?

    Depending on the protocol being used, you would need to allow traffic to different ports on OPT1.

    Does this make sense?

    Cheers.

  • Nat issue with Opt1

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    3

    Thanks DotDash.

    The problem appears to have been that when I created my virtual IPs I used WAN instead of OPT1. It works great now.

    Thanks again for your quick response.

    Andy

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.