Pfsense newbie - mobile me mail issue - go gentle please


  • ok I am totally new to PFsense and have just this weekend set this up.

    So network looks like this

    ISP --- public IP 78.x.x.176 (Netgear modem) public IP 78.x.x.177 --- 78.x.x.178 (pfSense) 192.168.6.254 --- LAN

    I have the following rules in firewall - WAN

    Proto    Source                         Port  Destination  Port  Gateway  Schedule  Description
    *        RFC 1918 networks              *     *            *     *        *         Block private networks
    *        Reserved/not assigned by IANA  *     *            *     *        *         Block bogon networks
    TCP/UDP  *                              *     192.x.6.7    3074  *                  NAT Xbox Live1 - Xbox1
    TCP/UDP  *                              *     192.x.6.6    3074  *                  NAT Xbox Live 2 - Xbox2
    TCP/UDP  *                              *     192.x.6.5    3074  *                  NAT Xbox Live 3 - Xbox3

    LAN Rules

    Proto  Source   Port  Destination  Port  Gateway  Schedule  Description
    *      LAN net  *     *            *     *                  Default LAN -> any

    I have the following port forward

    If   Proto    Ext. port range  NAT IP                        Int. port range  Description
    WAN  TCP/UDP  3074             192.x.6.7 (ext.: 78.x.x.179)  3074             Xbox Live Xbox1
    WAN  TCP/UDP  3074             192.x.6.6 (ext.: 78.x.x.180)  3074             Xbox Live Xbox2
    WAN  TCP/UDP  3074             192.x.6.5 (ext.: 78.x.x.181)  3074             Xbox Live Xbox3

    Using static public IPs, I am using 1:1 NAT

    Interface  External IP    Internal IP      Description
    WAN        78.x.x.179/32  192.x.6.7/32     Xbox
    WAN        78.x.x.180/32  192.x.6.6/32     Xbox
    WAN        78.x.x.181/32  192.x.6.5/32     Xbox
    WAN        78.x.x.182/32  192.x.6.4/32     PS3
    WAN        78.x.x.183/32  192.x.6.253/32   Mini Mac

    Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

    Interface  Source        Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        192.x.6.0/24  *            *            *                 *            *         YES          Auto created rule for LAN

    Everything seems to be working OK - web works, the direct IPs for the Xboxes work so they are Open NAT.

    However, my issue is that my Mac on 192.x.6.10 cannot pick up MobileMe mail; it cannot connect to the server.

    I have UPNP on with default deny and the IP of 192.x.6.10 allowed.

    Can anyone point me at my error - I thought if 192.x.6.10 created a connection then it would be allowed?

    Help please
    Regards
    Ian


  • Is your netgear a DSL modem?  Can't you put it in bridge mode and use PPPoE?  Could you be double-natting in your setup?

    EDIT: Doesn't Xbox360 support UPNP?  You could do away with your manual firewall rules(?)


  • Hi, thanks for taking the time to answer.

    The Netgear DSL router has DGteam firmware on it and it has been set as modem only so it is not routing.

    I think it is a NAT issue as SMTP mail works, but mobileme uses IMAP.

    I will try removing the Xbox rules later, but at the moment it works and I can have 3 Xboxes working at one time with Open NAT!! Yipeee

    Regards
    Ian


  • I believe Mobile Me requires UPNP to work.

    If your DSL modem can be configured to use bridge mode (that is, just bridging ethernet packets to ATM on the DSL side), you can eliminate the firewall in the modem and probably increase your performance.  You might need to run PPPoE in pfSense to authenticate to your ISP.


    The Netgear is bridging, it is not routing, and the firewall is off.

    UPnP is on on pfSense and working for my Xboxes.

    I think I have an issue with IMAP or IMAP/S that is being blocked, but I have opened this port and still nothing.


  • Your pfSense router has a static IP to the Netgear?  Does your ISP require authentication?


  • @ikilby:

    The Netgear is bridging, it is not routing, and the firewall is off.

    UPnP is on on pfSense and working for my Xboxes.

    I think I have an issue with IMAP or IMAP/S that is being blocked, but I have opened this port and still nothing.

    Out of curiosity, if your Netgear is in true bridge mode, then it shouldn't have a public IP assigned to it?
    i.e. if your ISP's BGP address is 78.xx.xx.176 then the pfSense should be having that as the next hop gateway address rather than 78.xx.xx.177, which apparently your Netgear is holding for some reason or another.


  • @dreamslacker:

    @ikilby:

    The Netgear is bridging, it is not routing, and the firewall is off.

    UPnP is on on pfSense and working for my Xboxes.

    I think I have an issue with IMAP or IMAP/S that is being blocked, but I have opened this port and still nothing.

    Out of curiosity, if your Netgear is in true bridge mode, then it shouldn't have a public IP assigned to it?
    i.e. if your ISP's BGP address is 78.xx.xx.176 then the pfSense should be having that as the next hop gateway address rather than 78.xx.xx.177, which apparently your Netgear is holding for some reason or another.

    This is where I was going as well.


    OK, let's see if I can clear this up.

    My Netgear has 78.x.x.176 on its WAN and 78.x.x.177 on its LAN. Subnet address is 255.255.248.0.

    My PFSENSE has 78.x.x.178 on its WAN and its Gateway as 78.x.x.177

    My PFSENSE LAN is 192.x.6.254 and is my LAN gateway.

    My Netgear is running DGteam firmware and has been switched to modem only and does not require authentication.

    With pfSense set up I have internet access from all PCs on my LAN, all my Xboxes have 1:1 NAT and are now Open NAT.

    My only issue is my Macbook Pro cannot collect mail from Mobileme - mobile me uses IMAP / IMAP/s and I guess maybe my firewall or NAT is blocking.

    However, I cannot see it being blocked in the system.
    So as most things are working it cannot be an issue with the Netgear, as it has no firewall on it anymore and will pass all traffic.
    I suppose I could assign a 78.x.x.x address and plug into the Netgear and try from there.

    Any other suggestions
    Ian


  • @ikilby:

    OK, let's see if I can clear this up.

    My Netgear has 78.x.x.176 on its WAN and 78.x.x.177 on its LAN. Subnet address is 255.255.248.0.

    My PFSENSE has 78.x.x.178 on its WAN and its Gateway as 78.x.x.177

    My PFSENSE LAN is 192.x.6.254 and is my LAN gateway.

    My Netgear is running DGteam firmware and has been switched to modem only and does not require authentication.

    With pfSense set up I have internet access from all PCs on my LAN, all my Xboxes have 1:1 NAT and are now Open NAT.

    My only issue is my Macbook Pro cannot collect mail from Mobileme - mobile me uses IMAP / IMAP/s and I guess maybe my firewall or NAT is blocking.

    However, I cannot see it being blocked in the system.
    So as most things are working it cannot be an issue with the Netgear, as it has no firewall on it anymore and will pass all traffic.
    I suppose I could assign a 78.x.x.x address and plug into the Netgear and try from there.

    Any other suggestions
    Ian

    Evidently, your Netgear isn't operating in true bridge mode.  It's still a router, just that it's supposed to allow all traffic through.  Try this: set your pfSense's gateway to the ISP's gateway address and see if your traffic actually goes through the Netgear without RIP being enabled on either box.  ;)
    A real bridge will have no WAN IP to speak of.  The LAN IP on the bridge is for configuring the bridge only and is usually a private subnet address.


    Guys, problem sorted.

    You were right. I did a capture of my Mac trying to get email and the Netgear interface was doing an ICMP redirect to the ISP's gateway.

    Changed my WAN gateway to that IP rather than the Netgear and mail is working fine.

    To be honest I was fooled by web and everything else working.

    Thanks for your help and I must say Pfsense is some special software I am well impressed.

    Regards
    Ian
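    What the capture above would have shown, worked through as an added example that is not from the thread or from pfSense: build a constructed ICMP Redirect (type 5) like the one the intermediate router sent, parse it, and turn it into the gateway correction the poster made. The addresses are TEST-NET placeholders standing in for the 78.x.x.176/.177/.178 hops in the thread, and the packet builder only exists to produce sample input.

    ```python
    import ipaddress
    import struct

    ICMP_REDIRECT = 5  # ICMP type 5 (RFC 792); code 1 = "redirect datagrams for the host"

    def inet_checksum(data: bytes) -> int:
        # RFC 1071 one's-complement sum; yields 0 when run over data that already holds a valid checksum
        if len(data) % 2: data += b"\x00"
        total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
        while total >> 16:
            total = (total & 0xFFFF) + (total >> 16)
        return ~total & 0xFFFF

    def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
        # minimal 20-byte IPv4 header; header checksum left zero since nothing here validates it
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

    def build_redirect(router: str, better_gw: str, host: str, mail_server: str) -> bytes:
        # Constructed sample: `router` tells `host` to use `better_gw` for `mail_server`, quoting the
        # IPv4 header + 8 bytes of the TCP SYN to IMAPS/993 it has just had to forward sideways.
        original = ipv4_header(host, mail_server, 6, 20) + struct.pack("!HHI", 51000, 993, 1)
        icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ipaddress.IPv4Address(better_gw).packed) + original
        icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
        return ipv4_header(router, host, 1, len(icmp)) + icmp

    def parse_redirect(packet: bytes):
        # Return the fields of an ICMP Redirect, or None if the packet is not one.
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != 1:  # IP protocol 1 = ICMP
            return None
        icmp = packet[ihl:]
        typ, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
        if typ != ICMP_REDIRECT:
            return None
        inner = icmp[8:]  # IPv4 header of the datagram that triggered the redirect
        return {
            "redirecting_router": str(ipaddress.IPv4Address(packet[12:16])),
            "use_gateway": str(ipaddress.IPv4Address(gw)),
            "host_redirect": code == 1,
            "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
            "checksum_ok": inet_checksum(icmp) == 0,
        }

    def suggested_gateway(packet: bytes, configured_gw: str):
        # The thread's fix: if the configured default gateway itself issues valid redirects, the next hop
        # it names is the address the WAN gateway should have been set to in the first place.
        info = parse_redirect(packet)
        if info and info["checksum_ok"] and info["redirecting_router"] == configured_gw:
            return info["use_gateway"]
        return None
    ```

    Redirects are unauthenticated, so treat the result as a pointer to what the ISP documents as its gateway, not as something to apply automatically; pfSense's own kernel ignores received redirects by default, which is why the first hop kept bouncing the traffic rather than the route ever being corrected.
    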


  • @ikilby:

    Guys, problem sorted.

    You were right. I did a capture of my Mac trying to get email and the Netgear interface was doing an ICMP redirect to the ISP's gateway.

    Changed my WAN gateway to that IP rather than the Netgear and mail is working fine.

    To be honest I was fooled by web and everything else working.

    Thanks for your help and I must say Pfsense is some special software I am well impressed.

    Regards
    Ian

    Glad you solved the problem.
    I'd still recommend that you ditch the Netgear for a true bridge since it would end up becoming the weakest link.  As a router, even one that passes all connections through, it would cripple long before the pfSense box does.
    A cheap and decent modem would be the Thomson Speedtouch ST516/ 536v6 set to bridged mode via the Residential CD.


  • +1 on the advice for a standalone DSL modem in bridged mode.  Forgive the thread creep, but where would one purchase a Speedtouch?

    Thanks in advance.

    PS: I'm using a Netopia 2241N-VGx purchased from http://costcentral.com


  • @gloomrider:

    +1 on the advice for a standalone DSL modem in bridged mode.  Forgive the thread creep, but where would one purchase a Speedtouch?

    Thanks in advance.

    PS: I'm using a Netopia 2241N-VGx purchased from http://costcentral.com

    Don't think they sell it in the States but almost any modem will do the job.
    A D-link DSL-2320B will do the job (possibly better reliability because it doesn't run as hot as the Speedtouch modems).  Available on Newegg @ http://www.newegg.com/Product/Product.aspx?Item=N82E16825112003
    It is capable of acting as a gateway but has the option to be switched into a bridge.