• Reduce Outgoing NAT rules

    12
    0 Votes
    12 Posts
    2k Views
    DerelictD

    Group like servers within subnet boundaries so you can include multiple servers with one subnet entry.

    Define and use aliases for the source addresses.

  • Anyone configure NAT with Voobly before?

    1
    0 Votes
    1 Posts
    794 Views
    No one has replied
  • 1:1 NAT Over OpenVPN Site2Site?

    3
    0 Votes
    3 Posts
    985 Views
    DerelictD

    You need to assign an interface to the OpenVPN instance at Site B and make sure the rules passing traffic into that OpenVPN DO NOT match anything on the OpenVPN tab but do match on the assigned interface tab. That will flag the states with reply-to so reply traffic will be sent back through OpenVPN instead of according to the routing table.

    Or just shorten the TTL on the A record in DNS to something like 5 minutes a while ahead of your move (how long depends on what your default TTL is), shut off the server, change the DNS, move the server, and by the time you get there the new address will have propagated everywhere.

    Then just set the TTL back to something reasonable and you're done.

  • Strange Question about NAT

    7
    0 Votes
    7 Posts
    1k Views
    S

    @tomli:

    Hi all,

    My pfSense has one WAN IP (192.168.211.1/24) and one LAN IP (192.168.1.1/24). I need to install an external package for my pfSense. Therefore I need to configure my WAN to use my public IP pool address, for example:

    OutBound NAT

    You don't need to configure NAT to be able to install external packages. Having a correct IP configuration on the WAN interface is more than enough for the underlying software to connect to the package repo; it will just use your WAN interface to do the job.
    NAT is needed only for your client machines behind pfSense, i.e. on the LAN interface.

  • Source nat question

    2
    0 Votes
    2 Posts
    556 Views
    S

    1st: Are you sure you will really receive incoming packets on your VPN interface? You should have a real IP on your VPN interface to accomplish this.
    2nd: Add an incoming NAT rule for external access, check FROM SOME OTHER LOCATION and watch in States for connections to your internal server. The connection would not work now, but you should see connection attempts to your internal server.
    3rd: Go to advanced outbound NAT and create a topmost rule:
    interface: OpenVPN
    source: any
    port: any
    destination: your internal server IP (type: network, your IP, network /32)
    port: specific port or any
    Translation address: Other subnet and type in your LAN address in network format with /32

  • Pfsense behind pfsense?

    3
    0 Votes
    3 Posts
    2k Views
    S

    Your pfSense-01 does not know anything about the 192.168.100/24 network.
    Add a static route to that network with the gateway pointing to pfSense-02, and make sure you add rules on pfSense-02 on the WAN interface permitting access from the WAN network to the LAN network/host(s).

  • VoIP .. ATA box not able to register

    6
    0 Votes
    6 Posts
    2k Views
    F

    Hi,

    I was working with SonicWALL in the same network layout. Double NAT, yes, maybe, but the first one does nothing. It's the cheap mandatory router from Bell in Canada, province of Quebec. We have to keep it for 'Fiber TV' (and their IP phone, but I don't use it due to the cost).

    But the good news.. I kept the instructions, doing a regular firewall rule like I did before without result… but this time I didn't use Aliases. I put the direct IP and ports into the rule. I also cleared the state table because it looks to be a must when changing rules/NAT.

    It works fine and pfSense keeps its place for now! Compared to SonicWALL, the interface is nice to work with. Aliases are a bit painful to use and we don't have the grouping option. Protocol is not in Aliases like in SonicWALL… Like I did, a group for PS3 that contains all TCP and UDP ports, and we set a rule for the PS3 object group instead of using multiple rules for single items, if you understand what I mean.

    Thanks a lot for your help.

  • 1:1 NAT to a cannot use own VPN

    2
    0 Votes
    2 Posts
    872 Views
    jimpJ

    That's something you'll have to ask in a forum for that ASUS router. pfSense can use VPNs and DDNS when it's behind NAT, if ASUS can't, it's a problem with the ASUS router.

    Perhaps you can replace the ASUS firmware with Tomato/Shibby, DD-WRT, or something else with better capabilities.

  • NAT with dynamic interface address

    5
    0 Votes
    5 Posts
    1k Views
    H

    @helgew:

    Has anyone found a solution yet? Same problem here.

    OK, answering my own question here… with a gateway named 'VPN_Gateway' the following works for me:

    # grab our new IP address, edit the config file, and reload the filters
    ip=`$ifconfig $iface | grep 'inet ' | awk '{ print $2 }'`
    xml ed -L -u '//gateway_item[name="VPN_Gateway"]/gateway' -v $ip /cf/conf/config.xml
    /etc/rc.filter_configure

  • Cannot configure port forwarding for torrents

    1
    0 Votes
    1 Posts
    826 Views
    No one has replied
  • XB1 NAT STRICT

    2
    0 Votes
    2 Posts
    616 Views
    R

    TLDR: Use NAT rules to forward all ports, or less, to your XB1 in Firewall -> NAT -> Port Forward tab. Be careful of the order if you have other NAT rules and UPnP.

    It's a double-edged sword really. No network gear exists that performs NAT "magic" that really guarantees open NATs without a sacrifice elsewhere.

    What your Netgear is really doing is forwarding all ports to your XB1; think of it like the old DMZ IP setting.

    The way to do the same thing in pfSense is to do just that: forward all your ports via NAT rules to that one XB1 IP. Realistically, it only needs to be 1024-65535.
    There are a few drawbacks though.

    1. Let's say you do this and forward all the ports. Then you need to forward a port for a TeamSpeak server or something on your network. You must put that TeamSpeak rule above the "all" rule for your Xbox. This also means that if you happen to have a game that by random chance needs that TeamSpeak port forwarded to your Xbox, it won't work. It will be forwarding game traffic to your TeamSpeak server.

    2. I believe, and please correct me pfSense gurus if I'm wrong, that the UPnP some services need on your network will be overridden by the all-ports port-forward NAT rule, as I believe UPnP is processed after explicit NAT rules. For example, Skype uses UPnP; if every port for both TCP and UDP is forwarded to your XB1, then Skype may not work.

    pfSense gurus, I don't know if this is correct, but will pfSense skip over a NAT rule if the IP it is to forward to is not in its ARP table? i.e. the machine is turned off.

  • WAN 1 in offline

    2
    0 Votes
    2 Posts
    615 Views
    J

    @leonilotrigo:

    Please help, I have a problem with my pfSense PC router.
    4 WAN
    1 WAN

    3 WANs are online, 1 WAN is offline, but when I try testing directly to its gateway there is internet. The dashboard shows offline..
    Please help to fix this.. thank you.

    If you're in need of help you should probably ask questions instead of just writing words. You have 1 pfSense against 4 public WANs?

    The WAN looks down but does route? The packets drop at what point?

  • VLAN not getting packets back while using vpn gateway

    2
    0 Votes
    2 Posts
    515 Views
    J

    While talking with someone else they mentioned a GRE tunnel. To my knowledge a GRE needs a L2 device at either end. Since this is OpenVPN on a VLAN GRE wouldn't work.. would it? I mean because I can't assign a VLAN tag and a GRE tunnel to the same interface - correct?  :-\

  • 0 Votes
    7 Posts
    3k Views
    johnpozJ

    Do whatever makes you happy.. Even if you had 100 companies, I would think a simple list with the company names would be easier to click than editing an XML file.  But whatever floats your boat..

    Shit a 1000 companies even..  Why would you not do netblocks vs individual IPs, etc.

  • Lan client is not outgoing through WAN IP

    4
    0 Votes
    4 Posts
    877 Views
    J

    Your Default GW is WAN.

    Try switching the gateway under the advanced button in a rule to move traffic from A > B over Gateway: Red3. If it's sitting at default then I think it's just going to push everything over that, unless you set the RED3 as default so you would only have to change the routing rule for machines that actually need to traverse the WAN GW.

  • Accessing hosted services from internal and from external

    2
    0 Votes
    2 Posts
    448 Views
    V

    @geminux:

    But when I want to access the same service from internal (LAN), it no longer works. I guess that since the connection comes through the LAN interface, it does not go through the port forwarding…

    That's the point.

    Use an internal DNS and set up a host override.
    You may use the DNS Resolver or DNS Forwarder installed on pfSense, found in the Services menu.

    You may also activate NAT reflection + proxy in the NAT rule to resolve this.

  • Pfsense not allowing UDP to internal DNS server

    2
    0 Votes
    2 Posts
    894 Views
    johnpozJ

    "or internally ,"

    If you can not even dig to your NS when you're on the same network..  How exactly do you think it would work externally?

    So your NS is on 192.168.1.12/24 - get it working so you can query it from 192.168.1.0/24, then worry about externally.

    Running your own NS on the public internet is normally a BAD idea.. Unless you fully and completely understand all of the implications that brings!  Which, since you're here asking why it's not working, seems to not be the case.

    You show that your IP is supposed to be .12, so why is your netstat on the same NS box showing it's listening on .36?

    Netstat output from below:

    tcp 0 0 192.168.1.36:domain . LISTEN 1156/named
    udp 0 0 192.168.1.36:domain . 1156/named

  • NAT reflection issue

    2
    0 Votes
    2 Posts
    559 Views
    V

    A picture is worth a thousand words. The attached picture shows the different packet-flows of the two methods.

    However, pure NAT will succeed if the destination host is in another network segment than the requesting one and pfSense is the default gateway in both.


  • Port 5900 (vnc) to a pc with different gateway

    12
    0 Votes
    12 Posts
    5k Views
    T

    We have 8 internet connections with different ISPs (two of the lines are from the same ISP), with different speeds, some with dynamic IPs via PPPoE, some with static IPs.
    We also have a /29 subnet.. one of those IPs I have used on the WAN interface of pfSense.

    pfSense has a public IP on it, i.e. not RFC 1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x), on its WAN?

    yes

    And this is the same ISP that your other router is dynamic wan IP?

    no

  • WAN to LAN NAT stopped WAN to OPT1 still working.

    1
    0 Votes
    1 Posts
    468 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.