• Manual outbound nat mappings do not parse with enabled automatic outbound

    Locked · 0 Votes · 5 Posts · 4k Views

    Yes, I have multiple internal and external interfaces. I added the rules manually, and it works fine now. Thanks! :)

  • VIP nat failing for identical services

    Locked · 0 Votes · 5 Posts · 2k Views

    Okay, thanks again for the answer. I'll play with these some more; I have a server to provision in our network here for a client and need to make sure everything works.

  • Multiple outbound VPN connections to the same IP

    Locked · 0 Votes · 5 Posts · 7k Views

    Success! Everything is working thus far with nothing else broken as a result. Thanks for pointing out what turned out to be obvious and right under my nose…

    ~Luke~

  • Nat with routed lan network problems.

    Locked · 0 Votes · 2 Posts · 2k Views · Last post: GruensFroeschli

    Yes, such a setup should work.
    Since you want a purely routed network you need to disable NAT:
    Firewall -> NAT -> Outbound.
    Enable manual outbound rules and delete all autogenerated rules.

    Also don't forget to create a static route on the pfSense for the x.x.235.129/25 subnet pointing to 234.46/30.
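    As an added example (not from the post above and not rules generated by pfSense), this is what the rule set looks like in pf terms once manual outbound NAT is enabled with every mapping deleted: there are no "nat on" lines at all, so source addresses are preserved end to end. The post's elided addresses are replaced by RFC 5737 documentation ranges and the interface names are assumed; it goes slightly beyond the post in also showing the pass rules the two subnets need to talk to each other.

```pf
# Added example: pf.conf fragment for a purely routed internal network.
# Hypothetical interface names and RFC 5737 addresses, not from the post.
lan_if     = "em1"                 # directly attached LAN
opt1_if    = "em2"                 # transit link towards the internal router
lan_net    = "192.168.1.0/24"
transit    = "203.0.113.44/30"     # stand-in for the post's 234.46/30
int_router = "203.0.113.46"        # far end of that /30, next hop for routed_net
routed_net = "198.51.100.128/25"   # stand-in for x.x.235.129/25, lives behind int_router

# Deliberately no "nat on $wan_if ..." and no "no nat" lines: with manual
# outbound NAT on and the autogenerated mappings removed, pfSense emits no
# translation rules, which is exactly the "disable NAT" the post asks for.

# States are created per direction, so allow each subnet in on its own
# interface. The reverse packets of each connection match the state.
pass in quick on $lan_if  inet proto { tcp, udp, icmp } from $lan_net    to $routed_net keep state
pass in quick on $opt1_if inet proto { tcp, udp, icmp } from $routed_net to $lan_net    keep state
```

    The static route is not a pf rule: add it on the static routes page of the GUI (from a shell the equivalent is `route add -net 198.51.100.128/25 203.0.113.46`). To check the result, `pfctl -s nat` should list no nat entries, and `pfctl -s state` should show the original LAN and routed-subnet addresses on both sides of every state; a translated address there means an autogenerated mapping survived.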

  • Multiple LAN IP's out one Public IP

    Locked · 0 Votes · 11 Posts · 6k Views · Last post: jimp

    You would need to either separate them physically or with VLANs to use separate subnets that would be "partitioned off" so to speak.

    To do VLANs, you would need a managed switch that is capable of handling VLANs and 802.1q trunking (most smart/managed switches do). pfSense would get put on a trunk port, and you'd make a VLAN interface in pfSense for each internal network you want. You'd then go in the switch and set which ports belong on which VLAN.

    VLANs can be intricate, but for basic usage they're really not that difficult; they may seem intimidating, but they're very handy if you spend a little time familiarizing yourself with the concepts.

    Doing what you want shouldn't be too difficult, especially if you have your Samba server act as a WINS server and set that in the DHCP settings. People could still see each other's machine names when browsing, but if you have firewall rules in place to keep SMB traffic limited to only the Samba server, they wouldn't be able to actually contact any other machine's shares.
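    As an added example, not part of jimp's reply and not pfSense-generated, here are the pf rules that implement the last paragraph: two VLAN interfaces on one trunk, with SMB and NetBIOS allowed only towards the Samba/WINS server and blocked between any other internal hosts. VLAN tags, the pfSense-style interface names, addresses and the server address are all assumptions.

```pf
# Added example: SMB confined to the Samba server across two VLANs.
# Interface names follow the <parent>_vlan<tag> form pfSense uses; hypothetical.
vlan10_if  = "em1_vlan10"
vlan20_if  = "em1_vlan20"
vlan10_net = "192.168.10.0/24"
vlan20_net = "192.168.20.0/24"
samba      = "192.168.10.5"         # Samba + WINS server, handed out via DHCP option
smb_ports  = "{ 137, 138, 139, 445 }"   # NetBIOS name/datagram/session + direct SMB

table <internal> { 192.168.10.0/24, 192.168.20.0/24 }

# 1. SMB/NetBIOS to the Samba box is allowed from both VLANs. This must come
#    before the block, because $samba is itself inside <internal>.
pass in quick on { $vlan10_if, $vlan20_if } proto { tcp, udp } \
    from <internal> to $samba port $smb_ports keep state

# 2. Any other internal-to-internal SMB attempt is dropped and logged, so a
#    client can see names when browsing but cannot open another client's shares.
block in quick log on { $vlan10_if, $vlan20_if } proto { tcp, udp } \
    from <internal> to <internal> port $smb_ports

# 3. Everything else (other inter-VLAN traffic, Internet) as you normally allow.
pass in quick on { $vlan10_if, $vlan20_if } inet from <internal> to any keep state
```

    One caveat a practitioner should keep in mind: these rules only see traffic that crosses pfSense, i.e. between VLANs. Two clients on the same VLAN reach each other through the switch without touching the firewall, so confining SMB to the server for those hosts needs either one VLAN per host group, a private/isolated VLAN on the switch, or host firewalls.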

  • Internal port forwarding

    Locked · 0 Votes · 8 Posts · 14k Views

    I'm assuming that your box serving web feeds on port 81 can't also serve the same on port 80.

    I don't see a good pfSense answer until the 'port forward' rules expand to allow matching particular destination addresses. It is possible to do this today if you are willing to edit /etc/inc/filter.inc to add a rule.

    If hacking in a rule is problematic, it might be easier to choose some third box on your LAN that isn't currently involved in serving port 80 or 81. Then set it up as a 'single function' router that forwards port 80 incoming requests to your actual local port 81 web server. Then, set up the DNS to point to the new third internal box. It's 'winning ugly', but will get you by until pfSense offers finer control over forwarding.

    There's $0.02 worth for Sunday afternoon.

  • Patch improving anti-lockout, also squid

    Locked · 0 Votes · 1 Post · 2k Views · No one has replied

  • Problem forwarding ports to internal IPs

    Locked · 0 Votes · 11 Posts · 10k Views

    Solved by disabling "Block private networks" and "Block bogon networks".

  • FTP outbound

    Locked · 0 Votes · 2 Posts · 2k Views

    If all you need is access to an external FTP server, and you don't run one in your local network, then all you should need is the helper on the WAN. Nothing else.

    Update

    Actually, thinking about it, you might not even need that. I'm just not sure how the firewall knows to allow the incoming data connection on an active FTP session, where it should normally block the connection. A passive FTP session doesn't need any firewall rules.

    Cheers.

  • NAT and IPSec

    Locked · 0 Votes · 4 Posts · 2k Views · Last post: jimp

    Unfortunately this isn't currently possible due to limitations in the underlying software. There have been a few proposals to fix it, but it will take some time from a dev with the C skills to pull it off, which in this case means someone may need to donate some $$$ to a bounty to make it happen. Check the expired bounties forum for info from the last time this came up.

  • WAN access from inbound [screen shot]

    Locked · 0 Votes · 2 Posts · 1k Views

    It sounds to me like you shouldn't have configured a multi-WAN failover, but I don't know if it's even relevant to what you're asking here.

    If I understand this setup correctly, your WAN address is 66.x.x.x. That means you need to add 66.y.y.y as a virtual IP, and then use 1:1 NAT for that IP to 172.16.x.x. Once you set that up, you just need to set your firewall rules to allow access to the ports you want open.

    @FSPL:

    Also, once the inbound traffic can access that IP, is it possible to have them exit the same way they came in?

    I don't know what you mean by this exactly. If you want connections that are initiated by 172.16.x.x then you need to set that up in Outbound NAT using AON. You should already be using AON to use the RR connection for web browsing, but it's hard to tell from your diagram because LAN is missing.

  • LAN can only access some of the nets available to pfsense

    Locked · 0 Votes · 6 Posts · 2k Views

    Thank you all for your help.

    I solved it by turning off automatic outbound NAT and manually setting rules for each of the VLAN interfaces.

  • How to log NAT translations

    Locked · 0 Votes · 3 Posts · 9k Views

    Thanks, much appreciated.
    Mike

  • Force specific outgoing traffic through a remote transparent proxy?

    Locked · 0 Votes · 2 Posts · 3k Views · Last post: jimp

    There is some work happening in 2.0 right now to increase the functionality of the port forward page, and I think what you want to do may be possible in the near future if not already.

    As for the proxy ARP IP setting, that is not a subnet mask per se, it will create a range of individual proxy arp IPs.

    0 Votes · 6 Posts · 11k Views

    @GruensFroeschli:

    Did you set "any" as the external address in your port forward? (It should be your WAN address.)
    Because then you get the described behaviour.

    Ah yep… that was it again.

    For anyone else reading this... basically, if you're port forwarding port 80 to an internal web server, make sure "External address" is set to "Interface Address", and then uncheck "Disable NAT Reflection".

    This will help people who have an in house SVN (Subversion) and you want to be able to connect to it using your laptop while at the office or on the road.

    Thanks GruensFroeschli and Cry Havok for all the help!
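    As an added example (not from either poster and not the rules pfSense writes for you), the pf equivalent of the fix above: a port forward of TCP/80 whose destination is the WAN interface address rather than "any", plus the two rules that make NAT reflection work for LAN clients. Interface names and addresses are assumed.

```pf
# Added example: port forward of TCP/80 with NAT reflection. Hypothetical values.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
web     = "192.168.1.10"             # internal web / Subversion server

# The forward itself. Destination is ($wan_if), the interface address.
# Written as "to any port 80" instead, the same rule form applied on the LAN
# side for reflection would catch every port-80 connection LAN clients make,
# i.e. ordinary web browsing, and send it to the internal server.
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web port 80

# NAT reflection, part 1: LAN clients that connect to the public address
# are redirected to the server just like external clients.
rdr on $lan_if proto tcp from $lan_net to ($wan_if) port 80 -> $web port 80

# NAT reflection, part 2: rewrite the source to the firewall's LAN address so
# the server's replies come back through pf. Without this the server answers
# the client directly on the same subnet, the client sees a reply from
# 192.168.1.10 to a connection it opened to the public address, and resets it.
nat on $lan_if proto tcp from $lan_net to $web port 80 -> ($lan_if)

# Filter rules are evaluated after translation, so they match the rewritten
# destination, not the public address.
pass in quick on $wan_if proto tcp from any      to $web port 80 flags S/SA keep state
pass in quick on $lan_if proto tcp from $lan_net to $web port 80 flags S/SA keep state
```

    The price of reflection is that the server's logs show the firewall's LAN address for every in-house client instead of the real one; if you need client addresses on the server, a split-horizon DNS entry for the hostname pointing at 192.168.1.10 avoids the hairpin altogether.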

  • Zimbra Server problems

    Locked · 0 Votes · 5 Posts · 5k Views

    I have done all that.

    It is still not working; the port forwarding is in place, but no email.

    I read the sticky and followed that, but no luck.

    Any help? Please.

  • Mail server behind pf - NAT Problem

    Locked · 0 Votes · 5 Posts · 3k Views

    OK, will do. Thanks.

  • Passive FTP works with port forward from WAN only…

    Locked · 0 Votes · 13 Posts · 9k Views

    1. Enable the proxy helper (by unchecking) on the WAN interface.
    2. Set up a port forward rule using the FTP option to your FTP server's internal LAN IP.
    3. Watch the logs within your FTP server; if you have this set up correctly you will see sessions from the IP address of your pfSense box, NOT THE IP ADDRESS OF THE FTP CLIENT. If you are seeing sessions from the FTP client's public IP then the proxy helper is not working or not set up correctly.

    I do not understand in what way you can use the ftp-helper on the WAN interface. The only thing added when you enable the ftp-helper on WAN is

    pass in quick on bge1 inet proto tcp from any port = ftp-data to (bge1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

    Thus, you have to manually forward port 21 and the active port range to your FTP server connected to the LAN. But no helper is working here.
    Corrected to:
    Thus, you have to manually forward port 21 and the passive port range to your FTP server connected to the LAN. But no helper is working here. And allow the FTP server to initiate connections in the active port range.
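    As an added example, not from the thread and not pfSense-generated, the hand-written pf rules that the corrected paragraph describes: port 21 and the passive data range forwarded to the server, and the server allowed to open active-mode data connections outwards from port 20. No FTP helper is involved, so, unlike step 3 above, the server's logs show the real client addresses. Interface names, addresses and the passive range are assumptions.

```pf
# Added example: FTP server on the LAN, manual forwarding, no proxy helper.
# Hypothetical interface names, addresses and port range.
wan_if     = "em0"
ftp_srv    = "192.168.1.20"
pasv_ports = "50000:50100"     # must match the PassivePorts range set in the FTP daemon

# Passive mode: client opens the control connection to 21 and then a data
# connection to a port in the passive range; both are simply forwarded.
rdr on $wan_if proto tcp from any to ($wan_if) port 21          -> $ftp_srv
rdr on $wan_if proto tcp from any to ($wan_if) port $pasv_ports -> $ftp_srv   # target port unchanged

# Filtering happens after rdr, so match on the internal address.
pass in quick on $wan_if proto tcp from any to $ftp_srv port { 21, $pasv_ports } flags S/SA keep state

# Active mode: the server itself connects from port 20 to the client's high
# port. Keep source port 20 through NAT (static-port) so clients and any
# upstream filter that key on it still see an RFC 959 data connection.
nat on $wan_if proto tcp from $ftp_srv port 20 to any -> ($wan_if) static-port
pass out quick on $wan_if proto tcp from ($wan_if) port 20 to any port > 1023 flags S/SA keep state
```

    Two checks after loading this: the daemon must advertise the public (WAN) address in its PASV replies, otherwise external clients are handed 192.168.1.20 and fail exactly as if the forward were missing; and the range in `pasv_ports` must be the same one configured in the daemon, since any port outside it is neither forwarded nor passed.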

  • Issue with Nortel type VPN on Avaya IP Phone through pfsense

    Locked · 0 Votes · 1 Post · 2k Views · No one has replied

  • Active ftp does not work - Release 1.2.3

    Locked · 0 Votes · 3 Posts · 4k Views

    @avalox:

    Our pfSense only filters incoming traffic. For testing I disabled/enabled the "userland FTP-Proxy application" on all interfaces in several interface combinations, but nothing worked.

    For active FTP, the server makes a return connection back to the client. pfSense is possibly blocking that reply, which will be coming in on a port higher than 1024. Although that doesn't seem to happen on my system, and I will say I'm not at all sure why. Do the firewall logs show anything being blocked?

    My setup has the WAN proxy enabled and the LAN disabled. This sticky does mention problems with changing the rules a lot of times. Maybe try a "clean start".

    @avalox:

    Would like to add a tcpdump, but don't get it to run?!

    tcpdump -vv -i em1, for example, shows nothing, but there is traffic. Am I doing something wrong?

    Is this a nano setup? If so, then look here.

    Cheers.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.