• Configuring Transparent SIP Proxy

    7 Posts
    7k Views

    Hi Brian,

    My apologies for resurrecting an old thread, but if you're still around I'm curious as to what you wound up using for a Session Border Controller.

    Thanks,

    Phil
  • NAT rules applied but not working only after a reboot

    3 Posts
    1k Views

    It's not helping. I tried to kill all active states and then apply the NAT rules, but I have the same problem.

    The truth is my box is not a fresh install. First I had the 2.0 version, then I started to upgrade to the 2.1 beta versions, but then I rolled back to 2.0.1 stable. Probably this is what causes this issue, I don't know.

  • New to pfSense - Port Forwarding Issue - Any help would be great

    6 Posts
    2k Views
    johnpoz

    No problem dude, that's what I'm here for. Common issue really; I would suggest you look at moving to bridge mode on the device from your ISP, or get a new device that can be set as just a true modem.

    Double NAT is not an ideal setup. Sure, it can work, but it clearly is not ideal, to be sure.

    Have fun with pfSense - you're going to love it!

  • Vlan routing question… vlan traffic drops

    2 Posts
    2k Views

    Looks like you have multiple issues. One, you have several IP conflicts there, from the "ARP moved" logs: switching between Ubiquiti and Apple MACs, between Ubiquiti and HTC MACs, and others.

    The increased CPU usage is just a symptom of some other problem, is my guess. What do your traffic graphs look like at those times? Rebooting can temporarily clear up so many problems internal to your network that it's not necessarily indicative of a firewall problem. An IP conflict on your gateway IP would be cleared up by a reboot temporarily, amongst other possible issues. What a packet capture on the parent interface of the VLANs shows when it isn't working would be telling.

  • Virtual IP strangeness

    2 Posts
    2k Views

    Upstream ARP cache. The IP won't move back until it's cleared or times out, which takes several hours by default on every router. 4 hours on Cisco, similar on others.

  • Multiple WAN subnets

    4 Posts
    2k Views

    There is no gateway IP from the ISP with a routed subnet; your provider routes it to one of your existing IPs, so you don't waste IPs with an entirely unnecessary gateway IP, and you have more flexibility in how you can use the additional subnet.

  • Delegate bandwidth

    1 Post
    1k Views
    No one has replied
  • Massive 1 ip address NAT, high CPU usage

    3 Posts
    2k Views

    Check Diagnostics>States for a better picture (or pfctl -ss). That's almost certainly a host infected with some kind of DDoS bot. Anything you allow to open massive numbers of new connections is going to have an impact on your firewall regardless of what it is. Limiting states per host, and as tight as possible of egress filtering, helps keep such things in check when they happen.

  • NAT 1:1

    19 Posts
    6k Views

    Do a search in these forums and find several good write-ups on setting up bridges.
    I made it as short as I could … you could do the first subnet as a /30, but you would still need the second to be a /25 ... not that you could not make quite a few networks out of 159.1 - 128 (the first /25 broken into multiple subnets and used for different things).

  • Ping responds to public 1:1 NAT'd IP but packet never gets to server

    2 Posts
    1k Views

    Well, this is because NAT reflection is off. Personally, I would use split DNS so that server 1 would get the internal address instead of the external one, rather than having to rely on reflection. You want to make sure you are testing from outside to make sure any rules are working from WAN to LAN.

  • Setting NAT Straight insideout outsidein and dreambox

    2 Posts
    2k Views
    johnpoz

    By default all ports would be open outbound; you probably need to set up a port forward. What ports does your Dreambox use? I believe this can be changed.

    So you have 2 Dreamboxes? Why are you listing 2 different IPs?

    Once you're sure what port you need to forward, then follow
    http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

  • NAT exemption with Cisco ASA 5510

    8 Posts
    9k Views

    Yes please start a new thread and be sure to include details.

  • FTP Server behind pfSense 2.0.1 release amd64 and Dual Wan

    2 Posts
    2k Views

    I'd say set up your FTP server to go out only on one WAN (outbound rule); that should fix the problem.

    @hunters:

    Another thing is that I read a lot around about an FTP helper to be enabled/disabled on the interfaces, but I didn't find anything on pfSense 2.0.1 about it. Maybe it has been removed or something like this. Can you give me any help about the issue?

    I think this is now here:
    System: Advanced: System Tunables : debug.pfftpproxy

  • pfSense 2.0 NAT ration

    2 Posts
    1k Views

    Can you elaborate on your question? I am not sure what information you are looking for.

  • Slightly confused

    10 Posts
    3k Views

    Awesome! Thanks for the info… Will ask them....

    Thank you guys for everything!!!

    problem solved....

  • Port forward to webserver

    4 Posts
    2k Views

    OK

    Feeling quite stupid! I have enabled NAT reflection and all seems to work, perhaps it always did for traffic arriving on the WAN!!

    Thanks for your help,

    Ernie

  • 1 WAN, Multi LAN, problem with SIP NAT reflection

    1 Post
    2k Views
    No one has replied
  • Www port redirection

    7 Posts
    2k Views
    jimp

    You can't effectively do what you're trying to do, because of the way pf works.

    NAT happens before filtering, so the 1:1 for port 80 and the port forward for 30123 look identical to the firewall rules, so they are both allowed.

    The correct thing to do in this case would be, as johnpoz said, to make the service bind to port 30123 and not rely on a NAT redirect.

    Either that, or ditch the 1:1 NAT and just use port forwards.

    Actually I take that back - there may be another way:
    Add a port forward for 80->80 like you have for 30123->80, but on the 80->80 rule, check "No RDR (NOT)".

  • Should be simple, right?

    3 Posts
    1k Views

    CARP works just fine as well. You just have to make sure that the CIDR is in the same subnet, /29 in this case. Of course, this is the same for IP Alias as well.
    CARP will let you set up clustering firewalls. If you know you don't need this for this use, then I would use IP Alias.

  • Access from DMZ to mail server in LAN

    2 Posts
    2k Views

    OK, I found that.

    The trick is in the NAT reflection settings.

    The working config is to enable NAT reflection (either in the system advanced settings or in the rule-specific settings) AND to tick "Automatically create outbound NAT rules…" in the system advanced settings.
    With this adjustment I see the following packets in tcpdump (actually this is one ping packet):

        13:59:07.684110 IP 192.168.0.68 > 1.1.0.1: ICMP echo request, id 512, seq 45843, length 40
        13:59:07.684172 IP 192.168.0.254 > 192.168.0.10: ICMP echo request, id 29846, seq 45843, length 40
        13:59:07.684299 IP 192.168.0.10 > 192.168.0.254: ICMP echo reply, id 29846, seq 45843, length 40
        13:59:07.684313 IP 1.1.0.1 > 192.168.0.68: ICMP echo reply, id 512, seq 45843, length 40

    and without the second tick I get:

        14:00:37.735766 IP 192.168.0.68 > 1.1.0.1: ICMP echo request, id 512, seq 46099, length 40
        14:00:37.735820 IP 192.168.0.68 > 192.168.0.10: ICMP echo request, id 512, seq 46099, length 40

    The mail server then replies directly to my PC in the local network, but it doesn't expect this echo reply…

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.