I had a chance to play with this some more over the weekend, which
proved enlightening. So yes cmb, I suspect Packet Capture does see
all frames, but I unfortuantely was only looking at ones (filtered) by
specific IP addresses… otherwise there are just so many... :-)

Silly me for thinking that if I do not define any NAT options or parameters
that NAT would not be active and that all the addresses in my public (LAN)
network would appear as public addresses on the WAN with access limited
(filtered) by the firewall rules. Apparently not so.

I discovered that many outgoing connections appear on the WAN as coming
from the WAN interface address. I was seeing ftp packets going out from the
public IP address from my LAN but not seeing anything coming back from the
FTP server on the WAN because, I guess, it was coming back to the WAN
interface address. At least that's what I think was happening.

A similar thing may have been happening with HTTP as the web servers were
being told the client was at the WAN interface address. But HTTP being the
way it is, all the magic port assignments seemed to allow communications.
Except for the (secured) web server that wouldn't let me talk to it because
it did not recognise the request as coming from my proper public IP address.

I wonder if any other similar failures have gone unnoticed... Oddly, as best
I can tell without looking too deeply, not all protocols or ports are afflicted
with NAT translations (eg. DNS, NTP). Or so it seems.

Anyways, that is what I think was happening, so locating the solution became
less difficult. The first was to force NAT into a full 1:1 for all addresses of the
public LAN network. And suddenly everything behaved as expected. I also
found I could configure NAT Outbound for "Advanced Outbound NAT (AON)",
and once I removed the automatically generated mapping (which essentially
turned NAT back on for the LAN network) my "firewall" now seems to behave
like a simple router with access controlled by the firewall rules. Which is all I
wanted in the first place ;-)

Thankfully, with active mode FTP now working I can close up all those high
ports needed for passive mode... I was astonished at how quickly and how
often they were probed. And now sites expecting to "see" my public IP
addresses are happy.

All in all, I'm very pleased with pfSense. My praises to all involved in making it
such a useful, flexible, and effective product!

Thanks its working.

The problem was that WAN LAN selection. I didn't think about it :)

Thanks again

ahh. sorry i did see that but i read that to mean it would only shape one interface, not that it doesn't work at all if you have multiple interfaces.

thanks for the reply, at least i know

Ouch. OK I'll leave this as "has to be done like it's done" until we are at 1.3beta/rc. But thanks for the message.

After some experimenting on vmware i found out the problem.
When using the 1.2 version of 26 feb there is no problem and everything works as expected.
However when using the 1.2 version of 23 Apr with the bountyshaper, the firewall rules on opt1 have no effect.

Oh, I think what the original poster is saying is he doesn't want the name of the firewall to show up in the traceroute?

That comes from the reverse DNS, on the System -> General page you have it set to pfsense.local so when you traceroute and it does a reverse DNS lookup that's what you get. You can change the name thee to have it show up as something else but there really isn't any point in that at all, you should be able to broadcast to the world what firewall you're using without any security risk. Especially when that's just on your internal network.

Thanks dotdash, I set up a virtual IP, then did a 1:1 from the WAN subnet to the LAN subnet, then passed ICMP from the WAN to the PC and by-golly, it worked.

Thanks again!

If you install the Squid and SquidGuard package, you will be able to create ACLs for specific URL's.

You can try first with some port other that 80 (e.g. 443 or 25) and test if that rule works. It should work with the given settings and * as gateway though. Before you check the "disable anti-lockout rule" box, make sure you have a rule in place to access the webgui from a specific ip or the complete net (destination: lan address) or you will lock yourself out of the webgui completely.

Hi,

Sorry for late reply - I don't get to my pfSense box too often to check rules.

Yep - I'm a monkey - I had my subnets round wrong way - source and destination mixed up.

Subnets are now isolated as per rules in my first post. :D

Next time I'll double check my own notes and this forum. (I'll soon have pfSense box and servers locally, which will speed my development/breaking things up!=)

Thanks for your help - these forums are prolly one of the most useful/friendly for this stuff and in general!!!

Now I just have to work out how to allow my email server (on LAN) to dish out its SSL cert without bumping off every other SSL session I try to start in web browser (on OPT1) eg other web based email, online banking sessions etc.

Must be how I set the certificate's domain?

It stopped as soon as I killed the NAT and auto-created rule for email servers SSL port (443), but now I'm without email. =)

I'd better ask this on another forum - I'm not sure I can fix this with pfSense.

If anyone has any ideas how to fix this with pfSense - just tell me, and I'll start another thread.

Thanks again!

:D

Allow access to "destination: !LAN" (not LAN)

If you have multiple LAN's you could create an Alias which contains all your LAN's and set the destination as !yourAlias (not yourAlias)

mad shit :D

Hi Gruens,

Thanks for the reply, I did get it wrong thanks for pointing that out.

The situation is that we can have to set all the inbound firewall rules on the WAN interface, but would much rather move the rules "backwards" a step by allowing all traffic through on the WAN and having firewall rules per VLAN.
That way we can just plonk new servers/subnets into the relevant VLAN and it inherits all the rules without us having to add rules for each subnet individually.

Hope this makes sense and I hope someone has a bright idea on how to get this working ;)

hm…. someone pls say something  ???

tried a fresh config, 2nd LAN works fine now, thank you very much for the help. i've been testing pfSense for a week or so and the support here as well as the features are most impressive.