Can you elaborate the "my modem belkin i disable NAT and Firewall becuase that"?
Is the modem in bridge mode? Do you have a public IP on the pfSense directly?

Depending on how you are setting up access to the pfSense system, you may not even be using a port forward at all for that.  It only needs a firewall rule to allow it in, which is less than what is needed to access the AP from outside your network.

Anyway, I wouldn't recommend exposing it to the internet either.  It would be better to tunnel it through SSH (as already suggested) or a VPN.

This was added in 2.0, which is currently in beta.

@grazman:

I have a need for 1:1 NAT using one public IP address to accept traffic on a particular port and send it internally to another port, which seems simple enough.

This is normal port forwarding and not 1:1 NAT.

I also need outbound traffic destined for a particular CIDR to use a particular public IP address.

I see 1:1 NAT is not supported with NAT reflection. Are there any ways around this?

Firewall –> NAT --> outbound.
Enable manual rule generation and you can create rules to NAT as you want.

For reflection:
http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Port forwards do allow you to specify what the source must be for the rule to match in 2.0.

I've heard NAT is supposed to work on IPsec, though I haven't seen any reports on whether it does actually work after having added it to the list of available interfaces for NAT rules.

thanks a lot.  It turns out the wrt54G than i have on opt1 bridge with my lan is causing the ports to not forward properly.

guess ill try to make the ap work without bridging.

@jimp:

Are you doing a full traffic capture?

It could be doing some other kind of name query (like NBNS) and skipping DNS.

Thanks for the reply.  I just found the issue this evening…there was a registry entry on the server which pointed to the VIP of the SQL server...not sure where it came from but once I fixed that all was well.  Thanks again.

Steve

Why do you need to use both public ips?  I would assign 1 of the 2 to the wan port and leave the second one alone.  I wouldn't "assign" it at all actually.  I would set the wan interface to use dynamic ip.  Then nat behind that.

that test you linked only tests TCP ports, not UDP. There isn't a reliable way to test UDP being open. Probably a host firewall blocking it assuming the basic port forward is correct. http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Problem solved!  I moved away from pfSense and got a linksys router running DD-WRT and it works wonderfully.  Maybe someday this will work in pfSense since I like the sw so much better, but DD-WRT has VPN and NAT loopback operates great.

-Mike

So you want to spread your internal users out over multiple public IPs. You can do that via Outbound NAT. Put a few IPs on each outbound entry, one outbound entry per public IP.

Thanks!

I'll focus on the second case for now, since it's easier to explain.
It's definitely some issue on the pfSense box, whether it be a bug or config problem. I'll try to clarify a bit:

Basically, I have a machine (A) on the LAN making a request to another machine (B) on the LAN using an external IP that has NAT reflection enabled. When the UDP packet goes out on A, it hits the router (R), which from what I can tell, copies the packet and sends to machine B with R as the source. Machine B then correctly replies to the packet back to R, but then it seems to be dropped and never gets forwarded back to A.

The packet capture from before shows exactly that. I've confirmed the same results using Wireshark on both machines (essentially tcpdump on Windows).

Edit: I should also add that I can't use the split DNS option. Since this uses the steam service, they refer to all servers by IP afaik.

@timb:

I am currently testing pfSense and ran into an issue with a simple http port forwarding rule. I followed the Port Forwarding Troubleshooting guide and found that the problem was related to common issue 3 - "Client machine is not using pfSense as its default gateway".

I was wondering if someone could explain this limitation. Also, is there a workaround?

It's basic networking - if the reply traffic isn't going to go back to the firewall, as it won't in such a scenario, it can't send it back to the Internet. ISA is a reverse proxy in that scenario, the traffic is sourced from ISA, not the remote public IP.

Efonne's work around would suffice but is ugly, better not to NAT like that where you can avoid it. A better deployment with ISA in most cases is to not use it as the default gateway but just as a proxy/reverse proxy.

Thanks Efonne!  That's the great thing about open source projects, the product can get continuously improved based off of community feedback.

isn't the issue that the web server is looking at the host address in the html header not the IP transmission info?

In reality, the request could appear to be destined for any IP address but the destination address typed in the browser must be http://98.169.xxx.xxx
In the same way you use host header info to host multiple websites on one server.

If the web server were configured to look for a host name rather than an IP address you could use Split DNS. If the webserver cannot be configured to do this you must either use NAT reflection or possibly some sort of HTML proxy to rewrite the HTML header?

cool.

Hi michaelahess and to all pfsense users who are encountering problems with polycom V500 and their equipment in general with NAT.

After researching in the internet for the solutions to the problem with my device above, I stumbled upon a posting for proxy arp. This solved it generally, but I also had the following settings:

1. created a virtual ip with proxy arp for the WAN IP of the NAT router
2. created the port forward rules for the V500 TCP and UDP ports and the TCP port from 17xx something to the internal polycom v500 machine IP

I do hope this will help others who have this problem. I've been trying to fix this problem for the past 2 years and now I finally nailed it. I have promised myself also to give back to the community what I have learned as a pfsense user/admin with 3+ years experience in using pfsense as a router with various services enabled for our campus network.