I use a lot of PBX in a flash distros and what I have found is if you can setup a rule in NAT for 10000 - 20000 UDP inbound to the IP of your Trixbox and don't setup an inbound NAT rule for for 5060.  Uninstall SIP Prox and restart your pfsense,  make sure your trixbox rtp.conf file is setup to use only ports 10000 - 20000.

I have four sites working like this each with pfSense 2.01 three different VoIP providers and no issues.

I would also setup a NAT outbound rule for your Trixbox to use a static Port as per the below example.

WAN  192.168.0.8/31 * * * * * YES VoIP Server

@sike:

I wanted to believe that NAT will not allow SMB to go through, but this issue has become more important in our network. I have been googling SMB through NAT and it should not be a problem.

Then your googling has lead you astray. It really cannot be done.

The purpose of the operation is to be able to have two VPNs between location A and B simultaneously. Therefore the subnets need to be different. If VPN1 connecting subnet A1 and B1 is down, then the same hosts will be able to connect over VPN2 connecting subnets A2 and B2.

On the LAN interface create a rule above all others that says if from the ip you specified go out gateway WAN2. The you just have to make sure there is outbound NAT, auto or manual. If you are using manual then make sure from that ip or subnet that you have rule to NAT.

Yes, thats how its configured.

And thanks, this will be much appreciated

@imays:

What am I missing?

Maybe firewall rules to allow this traffic.

The RV042 may rewrite IPs within SIP which eliminates the need to properly configure NAT on your PBX. We don't, as that frequently just breaks things (VoIP providers' troubleshooting usually starts with "disable SIP ALGs" because they break things so frequently). That would more likely be with the scenario with the PBX inside the network though.

With the phones inside the network with the PBX outside, the probable area where we differ is rewriting the source port on all traffic that's NATed. Disabling that may fix things in your scenario, though usually it's preferable to leave that alone.
http://doc.pfsense.org/index.php/Static_Port

Fixed! Had to change NAT reflection to enabled. Didn't think I needed it as the incoming route was to the OPT1 interface, maybe because it isn't a true WAN interface under the hood?

Hopefully might be useful as another worked example…

@Supermule:

Ping rule for VLAN??

I tried 'ping xxx.xxx.xxx.xxx'. Sorry, I may misunderstood your question.

What you're attempting works fine with pf, not enough there to tell you why it isn't working in that case.

The destination port range overlaps with an existing entry.
Even though it doesnt!

Im not trying to change the ports I just want to switch Nat reflection from enabled to disabled or default

1:1 NAT by itself will not expose the system to inbound traffic on the IP address.  It will still be blocked unless you have firewall rules that let things through to the local system.

Firewall rules w/policy routing (gateway chosen) determine where traffic goes, NAT only determines how it's translated on that particular interface.

I'm currently setting up a pfsense "development server" to be able to do just that :)

Well, I figured it out ;D

I'll leave it posted here for further reference.

In order for this to work I needed:

A regular port forwarding rule on pfSense1, over the interface that links both boxes, forwarding packages that go to WAN1IP:PORT to the internal IP of my server on the right port (cross subnet routing was already solved and working before all this)

An Outbound NAT rule on pfSense1, over the interface that links both boxes, with the "Source" specified to Subnet2

As you can see, the outbound rule makes everything that "bounces back" through that interface to become NAT'ed, and thus, should enable the ability to access any of the port forwards on the other box considering the right port forwarding rule was added. The routing is correctly configured (I believe!) so no other traffic should bounce back and become NAT'ed unnecessarily.

Why does it always look so simple and straight-forward once you figured it out?? ;)

Cheers!

@tlum:

It may be a bug in v2. I have a working rule that was set up years ago in v1. I'm now entering a new rule in v2 and the rule does not work. I'm still troubleshooting but it looks like the rule was not instantiated correctly.

Nope, rule conflict, see http://forum.pfsense.org/index.php/topic,49119.0.html

I was able to do this when I was running DD-WRT; basically needed to run the PPPoE and an IP on the same interface.  I have never been able to get this to work on pfSense; when and if I need to get on the modem I just connect a computer to it.

Also some searching might help