• Port forwarding between LAN and opt1

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    A

    This is closed.  It is a routing issue.  Learnt about my old friend TCPdump again.  :)

  • 0 Votes
    1 Posts
    5k Views
    No one has replied
  • SIP / NAT - Stopped working after update (1.2.3 -> 2.0.1)

    Locked
    12
    0 Votes
    12 Posts
    9k Views
    D

    For what it's worth, I have inbound SIP calls working now, but with a new VOIP provider, in this case Babytel.ca.  Using manual outbound NAT did not work as it broke Squid web access.

    For google search purposes, we're using a Talkswitch VOIP enabled PBX behind PFSENSE, and Babytel is configured on the unit to handle long distance calls (auto call routing).  Once I made the switch to this provider, everything works.  Automatic NAT is enabled, however port forwards for SIP signalling and audio are set up on PFSENSE 2.0.1.

    Inbound calls (via VOIP), remote extensions etc. all work properly now.  Previous provider was iristel.ca, and the switch to babytel.ca solved the previous issues of SIP invites not being received through the router due to NATing I suspect of the packets.  For what it's worth, babytel's online account configuration as well as iphone app (softphone) all performed flawlessly in testing.  Quite impressed with their feature set/pricing etc.

  • Best practise for AON NAT-ing the LAN

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NAT configuration for cloned virtualized labs

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multi Wan to Lan Port Forwarding Problem (SOLVED)

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    J

    @cmb:

    Ah, yeah in that particular case, you need the associated firewall rule because it has reply-to set to route the traffic back out the correct path. Just "pass" on the rdr doesn't have proper return routing except on the interface where the default gateway resides.

    Thank you very much for your reply and clarification, was wondering in fact if the route back was the issue, now I know. Am really impressed with the features and overall ease of use of the product. Keep up the good work everyone.

  • 1:1 NAT entry for email servers

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    M

    @johnpoz:

    yeah if you're going to want to have traffic from this server come from one of your specific IPs.. Does it send mail?  Then sure 1:1 would do that.  But as far as 25 to it, that has nothing to do with a 1:1 – 1:1 would be for outbound traffic from 1 of your IPs when coming from that inside box.  Or sending ALL traffic from specific IP to specific inside IP, etc.

    Not really required to run a mail server to be honest..  As long as mail is sent to one of your public IPs and you forward to your mail server that would work for inbound.  And for outbound, as long as your IP is not listed as dynamic and you have PTR for it - it should be able to send email, no reason to specifically lock it down to 1 of your public IPs to be honest.

    Well everything is working now since I deleted the 1:1 mapping. I just don't know why everything came to a halt suddenly when nothing on my end was changed. I had the 1:1 mapping working for months.

    Thank you for your input.

    Enjoy the weekend.

  • 0 Votes
    6 Posts
    4k Views
    H

    @It would be more secure to just allow all ports, or at least the high ports to the ip of the ftp server they need access to.

    You are so RIGHT…I will take your advice as it relates to the above

    Thanks Much again

  • Port forward from WAN to WAN?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM

    Create the rdr rule and an outbound Nat to force firewall ip onde webserver communication.

  • NAT not working on UDP 5060

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D

    Can you send the output of

    pfctl -sa | fgrep 5060

    ?

  • Web server behind pfsense 2 firewall

    Locked
    23
    0 Votes
    23 Posts
    34k Views
    L

    I did it, but it doesn't work. :-(

    @nahid:

    lankanatha,

    WANIF should be the IP address of your web server as you are going to port forward the web traffic to send them to your local web server.

    Try to follow these steps:

    First create an alias (for example BlaWebSeverExternal) with the External IP address of your Web Address.
    Create another alias with the Internal IP address (for example BlaWebSeverInternal) of your Web Address.
    Then create a port forward that will forward the web traffic on HTTP port from BlaWebSeverExternal to BlaWebSeverInternal.
    If it works for HTTP port (80) then add another rule in the same that will forward the traffic on 81 and 82 port as well.
  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • PfSense 2.0.1 on Vmware 5.0 Port forwarding problem

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    A

    Thanks!! That was the solution!

  • NAT same subnets

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    G

    OK, I ordered the pfSense book, but it appears to be backordered on amazon, so I guess I'll ask a few more questions. I'm a bit confused about having 2 routers in series. Do I have it go prod network <-> (10.0/9 / 10.128/9) <-> (10.128/9 / 10.0/9) <-> test network? I'm having a hard time picturing how that would work.

  • NAT sizing

    Locked
    9
    0 Votes
    9 Posts
    2k Views
    C

    @bboardma:

    Any idea about number of users supported on NAT? I realize that hardware is a factor, but I'm wondering if there are other limits, say the number of source ports on the public side, or ????

    My post right above yours explains that. I've seen multiple thousands on a single public IP, and in most use cases doing 10,000+ is a non-issue.

  • Mail\Web server accessible from WAN, not from WLAN (wifi separate lan)

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    P

    If you are accessing it via a DNS name, it should be using the external address. For this to work in pfSense, you need to turn on NAT reflection or use split horizon DNS. I would use split horizon DNS (a secondary DNS server or use of DNS forwarder in pfSense) to hand out internal addresses. Then you only need the rules in OPT1 to allow the traffic.

  • LAN side internal load-balance. Help!

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    marcellocM

    romp,

    Pfsense does not hate you, it's just doing what you configured :)

    See what is happening:
    workstation 172.24.150.20 asks 172.24.200.254 for an smtp connection
    172.24.200.254 forwards this request to 172.24.200.1 pool member
    172.24.200.1 accepts the request and answers ok to 172.24.150.20.
    172.24.150.20 rejects the message as it asked 172.24.200.254 for a connection.

    Forcing source ip to 172.24.200.254 while talking to 172.24.200.1-4 using an outbound nat rule will fix this communication issue.
    You may need to change outbound nat to manual before applying the rule.

    att,
    Marcello Coutinho

  • Email server behind pfSense

    Locked
    69
    0 Votes
    69 Posts
    30k Views
    marcellocM

    @nahid:

    There is problem with SMTP authentication when I want to send email to my network. Is there any pass rule where I can authenticate for my sesric.org emails.

    I did not include authentication features in this package yet but you can paste these configs in the custom field at the postfix gui.

    As this is not a nat question anymore, use this topic for postfix questions, there are some auth config samples posted by forum users there.

    http://forum.pfsense.org/index.php/topic,40622.0.html

  • NAT Problem

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    johnpozJ

    @Supermule:

    So you say NAT reflection is good or bad??

    Really???  You're not serious are you???

    Let's look at it this way, do you like your router to do extra work that it does not have to – then sure use nat reflection.

    Do you like it when you need UDP to between your box and your client, and it does not work -- then sure use nat reflection.

    Do you like to send packets out to the internet to resolve a name that is right there on your own network?  Sure then use nat reflection ;)

  • Can't get 1:1 NAT working [SOLVED]

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied