• NAT traffic behind 3rd Party DMZ VIP

    Hello,

    @vlw:

    I want to use the VIP address b/c I have two pfsense firewalls.
    My VIP is 192.168.64.1 w/192.168.64.2 and .3 as the interface addresses.
    All these IPs are pingable. Another engineer created the VIP but when I look at the VIP page I do not see the 192.168.64.1.  How do I verify this VIP was created correctly?

    The rabbit hole is deeper than expected ;-)
    Have you read (and understood  ;D) http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29 ?

    @vlw:

    Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x?  Session is initiated from my LAN.  Does it go on LAN interface or DMZ interface and how is it written, i.e. source/destination?

    Firewall rules on the incoming, outbound-nat-rules on the outgoing interface.

    Keep smiling
    yanosz

  • Out of NAT into Bridge - can't get past the WAN?

    Hello,

    @Elliot:

    I have a setup with 3 interfaces:

    WAN Bridged with Public (Multiple public subnets bridged)

    Sounds strange - you don't bridge subnets. Bridging happens on osi-2 while subnets live at osi-3. Usually you route between subnets…

    @Elliot:

    LAN
    I have a host on the LAN only, on 192.168.0/24.

    I have another host on Public only, on a public IP address, which is NOT the same subnet as pf's main WAN IP.  I can get data through to any server that is on the same subnet as the WAN IP,
    but not any other server that is on a different subnet.  Externally everything works, it's only when I'm coming out of NAT?

    I guess that you've mixed up bridging and routing.
    If you want to access hosts at the wan-interface that are not part of the wan-interface's subnet, you must have a way for packets going back and forth.
    In other words: There must be a router routing between those subnets. This can either be done at pfsense (if so, pfsense must be present for every public address range) or by another router.
    The router may nat / masquerade, but must be reachable by all participants. I don't see what bridging will accomplish here.

    Keep smiling
    yanosz

  • Newbie Question: Should NAT be switched off on the ADSL Router?

    Hello,

    @properdiamondgeezer:

    Thanks yanosz,

    So if I am understanding correctly, the NAT on the Netgear router is handling the translation from the public IP to the Netgear router's internal IP. Since my router won't offer transparent bridging, I have no choice but to leave this on. The NAT on pfsense is handling the translation of the WAN port's IP (in the same range as the Netgear Router) to my internal LAN. Hopefully that's right?

    kind of  ;) - just to be clear, "(in the same range as the Netgear Router)" is (usually) a private (non-wan-style) address range.

    Keep smiling
    yanosz

  • Outbound nat on tap / VPN

    Hello,

    @GruensFroeschli:

    In your rule for the VPN you've set a single address.
    This means that traffic on this interface is only NATed when this rule matches. --> only when you access the remote end of the tunnel.

    Set the destination to "any" and all traffic leaving via the VPN should be NATed.

    Thanks for your reply - but:
    There is just one machine at the remote end of the tunnel, thus: If a packet goes down the tunnel it's meant for the one (and only) remote machine.
    Anyway, I noticed (by accident ;) ) that my settings worked out right after rebooting pfsense. (Maybe natd wasn't restarted, when needed?)

    Keep smiling
    yanosz

  • Allow ip to ip binding

    Hello,

    @fosiul:

    Hi
    I don't know how to explain this.. but I know there is a technical term of this …

    I have 5 static IPs.

    btw. really? not having /x ranges is somewhat strange  ;)

    @fosiul:

    and I have 5 virtual servers behind this pfsense.
    Now I want to allow those 5 IPs to map to those 5 servers

    so 1.1.1.1 will map to vps1
        2.2.2.2 will map to vps2
        ….
        .....
        5.5.5.5 will map to vps5

    Example: when I buy a VPS server from a hosting company, I can access that server by IP. Same thing, but here those servers are behind the pfsense.

    How can I do that?

    Guess you've two options

    1:1 Nat

    Routing

    Depending on your wan uplink, you're probably going to try 1:1 Nat first (http://doc.pfsense.org/index.php/1:1_NAT). Routing looks more elegant (in general), but requires exchanging routing-information with your ISP (rip, ospf, bgp, etc.).

    Keep smiling
    yanosz

  • Source NAT Help needed!

    jimp

    I have never heard of it working, even with any kind of manual hacking, on 1.2.x

  • Ports 110 and 25

    GruensFroeschli

    Update to 1.2.3 RELEASE
    And read the answer in your other thread…
    (please don't post the same thing in multiple places)

  • How to NAT port 110

    GruensFroeschli

    You go to firewall --> NAT and create a rule.
    external address: WAN
    external port: 110
    NAT IP: internal_IP_of_your_server
    local port: 110

    If you leave the checkbox at the bottom for the firewall active, a firewall rule will be autogenerated to allow your NAT mapping.

  • Pfs 1.2.2 embedded on Nokia IP120

    Hi danswartz,
    Thanks a bunch for the reply.
    I picked 1.2.2 because it was the only one which worked ok. I tried 1.2.3 RC but I had problems.
    Also I tried the new NanoBSD V2. It loaded ok. GUI worked but I see very few options for fine configuring the firewall, DHCP etc.
    Do you know a known image which works ok with IP120?
    Thanks a bunch.
    RW

  • NAT, or Routing problems with multi subnets

    …Also, I know less about phone systems than I do about astrophysics, but somehow our phone lines and network are tied together...

  • NAT opt2(wifi-ap) to LAN for http, ftp, rdp, smb, etc

    GruensFroeschli

    The subnet on your OPT2 is not a private subnet.
    You don't need any NAT. Just create a firewall rule on the OPT2 interface similar to the default rule on the LAN interface.

  • Inetd[568]: 19486/tcp: bind: Address already in use

    I'm not really familiar with all of the bugs that might be in reflection on that version.  There could even be some duplicate port numbers in the configuration for inetd.

  • Can't browse website from local network

    Hi,

    I got it resolved now. Thanks for your support.

  • Slow response from DMZ pfsense 1.2.3

    Your mention of a stealth firewall reminded me that on the LAN interface I set deny rules to reject rather than block for responsiveness.

    Changing the default deny at the bottom of the DMZ rules to reject remedied the situation.
    Thanks for putting me back on the path!

  • Nat setup with DMZ

    Not an expert on this particular setup, but I think you want the actual subnet on the inside.  e.g. 192.168.5.0/24?

  • Moving from a pix to pfsense, I have a few nat/firewall questions

    No one has replied
  • NAT Problems importing 1.2.3 config on 2.0 Pfsense?

    I tested with a newer release and the problem remains, but this time I had more time to test and debug, and I saw that the problem is only with host 10.0.0.22, which is the mail server.

    For this I have port redirection on typical mail ports, HTTP and DNS; all ports point from the VIP (Proxy ARP) called IP Publica1 in the logs, the one that ends in 98 in the screenshots.

    NAT rules have NAT Reflection and Accept for fw.
    All ports are redirected to 10.0.0.22 but 53 UDP/TCP (DNS) redirects to 10.0.0.31.

    About 2 hours after leaving it working, it suddenly stops working for VIP ippublica1 (.98), but the port redirections that go to IpPublica3 (.100) work ok.

    The ssh connection showing logs with option 10 hangs too; it shows some lines, but in 2 or 3 minutes it hangs and doesn't show anything, and a bit later putty says connection lost.

    Any idea???

  • 2 FTP servers in the LAN

    @decibel83:

    Response: 227 Entering Passive Mode (192,168,33,9,206,91).

    The port of FTP Passive Mode should be around ((206 x 256) + 91) = 52827

  • [solved] NAT problems when CP enabled

    Hi,

    I had the same problems, but I solved it by adding the MAC to 'Pass through MAC' and also the IP address to 'allowed IP addresses' for the server which should be reachable.
    CP is not disabled and everything is working flawlessly!

    Cheers

  • SSH port forward NAT rules

    Not only can you, the extra forwards are useless.  If you are ssh'ing to server X, and then once you get to X you say 'ssh Y', that second ssh is invisible to pfsense, since the traffic is inside the first ssh tunnel.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.