• Can't reach dmz/opt from lan

    Yes, it's 3 physical interfaces. As for the logs, I'm afraid they got lost when I misconfigured the whole thing when trying a different approach in bridging together LAN and DMZ to have a more transparent firewall setting between the two. At some point I managed to completely lock myself out in doing so. Going back to defaults via serial console didn't help either, so I guess I'll flash that CF card again, and try once more, adding extra logging as you suggested.

  • [SOLVED] Problem with h323 video-conference

    I resolved this issue!

    There was a problem in the customer's LAN settings. Now it's all ok.

    My working configuration is based on 1:1 NAT between the Aethra and a public IP on the WAN. I also added a rule with all allowed in both directions (this is not a major issue, because the Aethra is normally turned off).

    With this setting the h323 connections work fine.

  • Beginner - mapping web server public ip to internal private ip

    I don't think a NAT 1:1 solution is the best option here. This will NAT your Global IP to one of your internal. Thereby all of your internal ports will be exposed to the internet.
    So the firewall on your webserver also needs to be strong. But since this host may not only have port 80 open, it could be that port 22 or 3389 is also available to the public.

    I'm running PfSense for 5 months now and had some trouble regarding NAT in the beginning.
    If you are able, also install PfSense as a VM on your desktop/laptop. This way you can simulate connecting from WAN or LAN.

    Do port scans and test your security that way. If it works on your VM, you can use it on your "production system".

    Hope this helps..

  • Firewall states vs NAT port mappings?

    Yesterday while the Internet was running really slow for everyone…

    I was watching the realtime traffic log, seeing huge intermittent spikes for individual student machines. These spikes last only a few seconds but each spike nails the connection to the wall at or near 100% bandwidth (23 megabit).

    None of this is picked up by my Cacti SNMP even with it set to 1 minute polling, or the ISP SNMP logger with 5 minute polling.

    Turns out nearly all of these student machines were running some music service I've never heard of called Spotify, plus also the Apple Mobile Device service running at full tilt.

    So, as a test, today I have enabled the Packet Shaper in pfSense. Any p2p and unclassified traffic will be throttled to 5% of our total bandwidth. That is still rather generous I think… 5% of 23 meg is 1.15 meg.

    Oh, and we also declared that no student may use headphones in class that does not require them, or listen to streaming music or watch streaming music videos in any class. Doing so will result in disciplinary action.

    Today's bandwidth has been... a bit less... though this needs more time to see what happens.

    (Night of April 2nd I was downloading a service pack on 20 machines at once. I had no problems maxing it out, and the Internet still worked, but slow..)

  • 1 to 1 NAT Public IPs

    I am glad that you were able to prove to them that the issue was theirs. Routed is some of the easiest to troubleshoot since there is no NAT involved. It usually has something to do with something not using pfSense as the default gateway. This causes a split route and breaks the completed route. Or it is a firewall rule being incorrectly formed. Traceroute will help the most here.

  • Interesting occasional VoIP failure issue.

    Have you checked your state table to see if it's filling up too quickly?

  • Xbox 360 on different subnet

    No one has replied

  • Replacing Debian Server

    No one has replied

  • Enabled Manual Outbound NAT rule generation, sites not working?

    @SysIT:

    I do have

    Block private networks

    Block bogon networks

    enabled on the LAN..

    Enabled on the LAN, you say? Not WAN?

  • Static routing needed?

    Thank you for your response. It is really appreciated.
    You have stated what I actually suspected about ROUTER B in that it would need to know about the LAN subnets of ROUTER A & C which it doesn't have at this time.

    ROUTER B is actually a PE router on an MPLS network. Somebody (I don't know who) supplied ROUTER A & C internal address to the MPLS network provider who then entered this into ROUTER B's routing table.
    Hence why ROUTER A can ping ROUTER C and vice versa, because ROUTER B has those in its routing table.
    We don't have any direct control over this although we can phone them up and they will adjust it.

    Anyway, what was once our internal router address on ROUTER A (10.1.1.1/24) has now become the ROUTERS external address with 10.1.1.1/32 and the same has happened with ROUTER C.
    Ultimately, we need ROUTER A's old LAN (10.1.1.0/24) to be able to talk to ROUTER C's old LAN (10.1.2.0/24) but the only way I could get both routers to connect to the MPLS network was to specify the internal address of the routers as the external address of the router and then specify a new internal subnet (192.168../24)

    What I would prefer to do is to leave the internal LANs (10.1.*.0/24) as they were and allow them to communicate with each other.
    However, I'm unsure as to what to ask the MPLS network provider to do with their PE router to make this work as they will charge us to adjust this.

    I was thinking that if I asked them to adjust the routing table in their PE Router from 10.1.1.1/32 (our ROUTER A) to 10.1.1.1/24 that all traffic destined for 10.1.1.0/24 would flow to that.
    e.g. from ROUTER A (10.1.1.1/24) > ping 10.1.2.24 (client on ROUTER C's network): it would go to ROUTER B, which would then forward it onto ROUTER C (10.1.2.1/24), and then ROUTER C would route it to the client 10.1.2.24.

    Or am I barking up the wrong tree here? I apologise if I sound stupid here but this sort of routing is all new to me as we've previously used NAT & IPSEC

  • Port Forwarding for ICMP / Ping, without 1:1?

    jimp

    Another note:

    On 2.1, there is an ICMP choice in the protocol list for port forwards.

  • 1:1 NAT - What's "Internal IP" vs "Destination"?

    On the edit screen, it has this text:

    The 1:1 mapping will only be used for connections to or from the specified destination.
    Hint: this is usually 'any'.

    If I understand that correctly, it means that if you want 1:1 NAT to work only for a particular Internet address or subnet, you could do that here. I can't think of why you would want that, but it would basically limit who would be allowed to use this NAT.

  • Totally confused!

    Are you running different subnets on VLANs or on different physical network interfaces? The gateway for the PCs should be the pfSense IP address assigned on that interface (either virtual or physical).

  • Problem with host in DMZ and NAT

    OK, thanks for this. The setup is brand new, different IFs and IPs:

     WAN (wan)   -> vr1 -> 192.168.179.20/GW:192.168.179.1
     LAN (lan)   -> vr0 -> 10.0.0.5/GW:10.0.0.1
     DMZ (opt1)  -> vr2 -> 192.168.2.1

    The https server has 192.168.2.2/24.
    When I'm trying to get the https page from a 192.168.172.xx client host, the same problem: lots of SYNs but nothing else. Automatic NAT, no manual NAT rules this time. See the rules:

    [attached screenshots: nat.jpg, wan.jpg, dmz.jpg]

  • Squid reverse proxy AND NAT

    keyser

    Hi stan

    You could change your internal dns to point to the external IP that publishes the site through squid.
    That way your internal clients will access the site through squid just as external users do.

    If you NAT forward to the loopback adapter and have squid listening on that, I guess you could enable NAT reflection to allow this to work.

    Keyser

  • 1:1 NAT

    Not sure what changed. I just ran through the Setup Wizard, entering all the same stuff that was already there. And then it started working. Maybe it just needed a reboot?

  • Another Port Forwarding Post

    johnpoz

    "Accessing the site from a private 192.168.1.x network behind PF to a 192.168.1.x address."

    then pfsense has nothing to do with that traffic. You only talk to pfsense if you're wanting OFF the 192.168.1.x network.

    If you don't have an SSL cert, then no, your webserver can not serve up SSL. If you want to access SSL from outside pfsense, then you would need to forward 443.

    But again, if you're just talking between 2 clients on your same 192.168.1.x network, then pfsense is not involved in that conversation. Unless you were bridging two interfaces on pfsense, and one machine was connected to one and the other connected to the other interface on the pfsense bridge. Other than that sort of setup, no, pfsense is not involved in local network traffic.

  • 'No NAT' Outbound

    Yes, it was firewall, not NAT!

    cheers!

  • How to draw a hole in Pfsense

    johnpoz

    No, your IP address would not be changing if you were using squid on your pfsense. You only have the 1 IP address, don't you! Now your source port would change as you created new sessions.

    Now they might not have liked the whole proxy thing in the first place, and blocked you since you were using a proxy. Many people might be trying to circumvent/hide using a proxy.

    The only way your IP could have changed would have been if you had your squid chained so it was using a different proxy upstream from you and sending your traffic there. Then you would have had your IP, and then that IP.

  • Can't for the life of me get port forwarding to work.

    @Tweeteh:

    I'm trying to open 3 ports for my cod4 server. They are 20800, 20810, 28960. When I go to check if the ports are open on canyouseeme.org, it always says connection timed out.

    Try:

    Firewall > NAT > Outbound
    Source: 10.0.0.34/32
    Destination: ANY

    Reset pfsense

    Let us know.
