I'll give it a try.  Hopefully I only have to put one firewall entry in.

EDIT:  That did it.  Seems to be working fine now.  I only had to use one firewall entry too.  So 2 NAT and 1 firewall with tcp/udp.

Looks like your ftpserver hands out his private IP to the client. Check your ftpserver's manpage to see how to make it aware of it's public IP.

Sounds like a wrong subnetmask or a wrong gateway IP to me on Interfaces>WAN

Thanks  ;)

Reply to myself…

Some more info on the subject.

This is what I would like to do, but in pfSense. Doable?

http://www.mail-archive.com/misc@openbsd.org/msg13901.html

and the answer in this case:
http://www.mail-archive.com/misc@openbsd.org/msg14011.html

I just encountered this same issue with a Verizon business connection (FiOS, not DSL), and found that using CARP instead of ProxyARP also seems to work, without having to cycle your WAN IP.

look at this post

http://forum.pfsense.org/index.php/topic,5748.0.html

keyword: VIP (as in Virtual IP)
the search function in the top-bar.
http://pfsense.com –> Documentation

Also you can install pfSense on your IP330 (again: search function of the forum)

So far so good, things have not gone down since converting to carp.

keyword: policy routing
Create a rule at the top of LAN with "source" your IP and "gateway" the interface you want the taffic originating from.

Great thanks so much for your helpfull advice  ;D

Reset states is only needed if you are adding a block rule and you have the suspicion that some connections might already be established that you want to be dropped.

Btw, if you click on the block icon in front of the line of the firewalllog you will get a notification which rule triggered this block ;)

May I suggest that you start reading about networking?

A possible start could be here:
http://en.wikipedia.org/wiki/IP_address
http://en.wikipedia.org/wiki/Subnetwork
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
but it's not limited to that.

And no, I didn't say your problems arise from false subnetting.
Wikipedia has an article about NAT (Network address translation) as well.

I doubt that natreflection (or at least the way pfSense does it currently) will work for a crappy protocol like SIP.

Forgot to say thank you..

Thanks,

Mark

Ok m8

Here it goes

1.JPG
1.JPG_thumb
2.JPG
2.JPG_thumb
3.JPG
3.JPG_thumb

Well, I setup up another machine with following those instructions - real basic… Still no good... So I know it's not the pfSense setup (I've setup pfSense countless times in different configs, so I doubted it was setup wrong).

Anyway, I think I figured out the problem after watching the traffic on the network interfaces - the switches weren't configured to be in promiscuous mode... I reconfigured and was able to get to one website across the bridged interface. Tomorrow (well, today now, for me), I will go ahead and try it through pfSense.

Thanks again... If I still need help, I'll go ahead and post back.

This is an old post but for Search reasons, I thought I would reply.

ProxyARP and 1 to 1 NAT do not appear to work for FTP in this case.  There are several articles on the forums and on the net about the issues with Ftp -helper.

1.  Configure the VIP and then create CARP NAT.  Don't worry that you aren't doing true failover - it can work with 1 IP.
2.  Configure Port Forwarding and forward FTP to internal server.
3.  Configure rules on WAN interface to internal server.

Worked like a charm for me.

For pfSense, I redid the IP addresses, moving the DMZ to a private net.  Trying to maintain the bridged net resulted in too many complications.

In the end however, I ended up moving back to Linux as a base because FreeBSD does not support combining NAT and IPSEC.  I did however keep the DMZ as a private net.

Denny

It was a problem from my ISP. It is working now.