Netgate Discussion Forum
    NAT Problems importing 1.2.3 config on 2.0 Pfsense?

    7 Posts 2 Posters 5.8k Views
    • K
      kaneda
      last edited by

      Hello boys, another user told me in the 2.0 Bugs forum that I have a NAT problem in my config, so I thought that perhaps this is a better place to find a solution to my problem. I posted rules.debug below too.

      I installed the latest snapshot and loaded the config from the previous version (1.2.3). Right now only connections to IPPublica4, which is NATed to the mail server in the DMZ, appear to be affected: no service on that server can be reached (no webmail, nor IMAP, POP, SMTP…), but maybe all port redirection is not working.

      IPPublica1=Mail server
      IPPublica3=web server
      IPPublica4=Wan Firewall
      IPPublica5=Default WAN Router
      here is Rules.debug:

      #System aliases

      loopback = "{ lo0 }"
      WAN = "{ em1 }"
      LAN = "{ bge0 }"
      DMZ = "{ em2 }"
      WAN2_ADSL = "{ em0 }"
      pptp = "{ pptp }"
      IPsec = "{ enc0 }"
      OpenVPN = "{ openvpn }"

      #SSH Lockout Table
      table <sshlockout> persist
      #Snort2C table
      table <snort2c>
      table <virusprot>
      # User Aliases
      table <correo> {   10.0.0.22 }
      Correo = "<correo>"
      table <red_dmz> {   10.0.0.1/24 }
      RED_DMZ = "<red_dmz>"
      table <red_local> {   172.26.0.0/24 }
      Red_Local = "<red_local>"
      table <servidor_web> {   10.0.0.25 }
      Servidor_Web = "<servidor_web>"
      table <voip> {   172.26.253.0/24  172.26.0.246/32 }
      Voip = "<voip>"

      # Gateways

      GWGW_WAN = " route-to ( em1 IPPublica5 ) "
      GWGW_OPT2 = " route-to ( em0 10.1.0.1 ) "
      GWSROUTE0 = " route-to ( bge0 172.26.254.26 ) "
      GWSROUTE1 = " route-to ( bge0 172.26.254.66 ) "
      GWSROUTE2 = " route-to ( bge0 172.26.254.70 ) "
      GWSROUTE3 = " route-to ( bge0 172.26.254.34 ) "
      GWSROUTE4 = " route-to ( bge0 172.26.254.2 ) "

      set loginterface em1
      set loginterface bge0
      set loginterface em2
      set loginterface em0
      set optimization normal
      set limit states 198000

      set skip on pfsync0

      scrub in on $WAN all    fragment reassemble
      scrub in on $LAN all    fragment reassemble
      scrub in on $DMZ all    fragment reassemble
      scrub in on $WAN2_ADSL all    fragment reassemble

      nat-anchor "natearly/*"
      nat-anchor "natrules/*"

      # Outbound NAT rules

      nat on $LAN  from 172.26.0.0/24 to any -> 172.26.0.10/32 port 1024:65535
      nat on $WAN2_ADSL  from 172.26.0.0/24 to any -> 10.1.0.2/32 port 1024:65535
      nat on $WAN  from 172.26.0.0/24 to any -> IPPublica4/32 port 1024:65535
      nat on $WAN  from 10.0.0.22/32 to !172.26.0.0/24 port 25 -> IPPublica1/32 port 1024:65535
      nat on $WAN  from 10.0.0.22/32 to !172.26.0.0/24 port 53 -> IPPublica1/32 port 1024:65535
      nat on $WAN  from 10.0.0.22/32 port 53 to !172.26.0.0/24 -> IPPublica1/32 port 1024:65535
      nat on $WAN  from 10.0.0.31/32 port 53 to !172.26.0.0/24 -> IPPublica1/32 port 1024:65535
      nat on $WAN  from 10.0.0.30/32 port 53 to !172.26.0.0/24 -> IPPublica3/32 port 53
      nat on $WAN  from 10.0.0.30/32 to !172.26.0.0/24 -> IPPublica4/32 port 1024:65535
      nat on $LAN  from 10.0.0.30/32 to 172.26.0.0/24 port 1433 -> 172.26.0.10/32 port 1024:65535
      nat on $LAN  from 10.0.0.25/32 to 172.26.0.250/32 port 445 -> 172.26.0.10/32 port 1024:65535
      nat on $WAN  from 10.0.0.25/32 to !172.26.0.0/24 -> IPPublica3/32 port 1024:65535
      nat on $LAN  from 10.0.0.22/32 to 172.26.0.201/32 -> 172.26.0.10/32 port 1024:65535
      nat on $WAN  from 172.26.0.0/24 to 10.0.0.0/24 -> IPPublica4/32 port 1024:65535
      nat on $WAN  from 10.0.0.22/32 to !172.26.0.0/24 port 80 -> IPPublica1/32 port 1024:65535

      # Load balancing anchor

      rdr-anchor "relayd/*"

      # TFTP proxy

      rdr-anchor "tftp-proxy/*"
      table <vpns> { 192.168.3.0/24 192.168.1.0/24 192.168.0.0/24 192.168.2.0/24 192.168.222.0/24 }
      table <direct_networks> { 213.201.119.96/29 172.26.0.0/24 10.0.0.0/24 10.1.0.0/24 172.26.0.16/32 }

      # NAT Inbound Redirects

      rdr on em1 proto tcp from any to IPPublica1 port 80 -> 10.0.0.22

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 80 tag PFREFLECT -> 127.0.0.1 port 19000

      rdr on em1 proto tcp from any to IPPublica1 port 25 -> 10.0.0.22

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 25 tag PFREFLECT -> 127.0.0.1 port 19001

      rdr on em1 proto tcp from any to IPPublica1 port 5222:5223 -> 10.0.0.22

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 5222:5223 tag PFREFLECT -> 127.0.0.1 port 19002:19003

      rdr on em1 proto tcp from any to IPPublica1 port 993 -> 10.0.0.22

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 993 tag PFREFLECT -> 127.0.0.1 port 19004

      rdr on em1 proto tcp from any to IPPublica1 port 465 -> 10.0.0.22

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 465 tag PFREFLECT -> 127.0.0.1 port 19005

      rdr on em1 proto tcp from any to IPPublica1 port 443 -> 10.0.0.22

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 443 tag PFREFLECT -> 127.0.0.1 port 19006

      rdr on em1 proto tcp from any to IPPublica1 port 143 -> 10.0.0.22

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica1 port 143 tag PFREFLECT -> 127.0.0.1 port 19007

      rdr on em1 proto { tcp udp } from any to IPPublica4 port 80 -> 172.26.0.253

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica4 port 80 tag PFREFLECT -> 127.0.0.1 port 19008

      rdr on em1 proto { tcp udp } from any to IPPublica1 port 53 -> 10.0.0.31

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica1 port 53 tag PFREFLECT -> 127.0.0.1 port 19009

      rdr on em1 proto { tcp udp } from any to IPPublica3 port 53 -> 10.0.0.30

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica3 port 53 tag PFREFLECT -> 127.0.0.1 port 19010

      rdr on em1 proto { tcp udp } from any to IPPublica4 port 8080 -> 172.26.0.253

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica4 port 8080 tag PFREFLECT -> 127.0.0.1 port 19011

      rdr on em1 proto tcp from any to IPPublica3 port 80 -> 10.0.0.30

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto tcp from any to IPPublica3 port 80 tag PFREFLECT -> 127.0.0.1 port 19012

      rdr on em1 proto { tcp udp } from any to IPPublica3 port 443 -> 10.0.0.30

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto { tcp udp } from any to IPPublica3 port 443 tag PFREFLECT -> 127.0.0.1 port 19013

      rdr on em1 proto udp from any to IPPublica4 port 69 -> 172.26.0.246

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 69 tag PFREFLECT -> 127.0.0.1 port 19014

      rdr on em1 proto udp from any to IPPublica4 port 5060 -> 172.26.0.246

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 5060 tag PFREFLECT -> 127.0.0.1 port 19015

      rdr on em1 proto udp from any to IPPublica4 port 5061 -> 172.26.0.246

      # Reflection redirects

      rdr on { bge0 em2 pptp enc0 openvpn } proto udp from any to IPPublica4 port 5061 tag PFREFLECT -> 127.0.0.1 port 19016

      # UPnPd rdr anchor

      rdr-anchor "miniupnpd"

      anchor "relayd/*"
      anchor "firewallrules"
      #---------------------------------------------------------------------------

      # default deny rules

      #---------------------------------------------------------------------------
      block in log all label "Default deny rule"
      block out log all label "Default deny rule"

      # We use the mighty pf, we cannot be fooled.

      block quick proto { tcp, udp } from any port = 0 to any
      block quick proto { tcp, udp } from any to any port = 0

      # Block all IPv6

      block in quick inet6 all
      block out quick inet6 all

      # snort2c

      block quick from <snort2c> to any label "Block snort2c hosts"
      block quick from any to <snort2c> label "Block snort2c hosts"

      # package manager early specific hook

      anchor "packageearly"

      # carp

      anchor "carp"
      block in log quick proto carp from (self) to any
      pass quick proto carp
      pass quick proto pfsync

      # SSH lockout

      block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
      block in quick from <virusprot> to any label "virusprot overload table"
      table <bogons> persist file "/etc/bogons"

      # block bogon networks

      # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

      anchor "wanbogons"
      block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
      antispoof for em1

      # block anything from private networks on interfaces with the option set

      antispoof for $WAN
      block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
      antispoof for bge0
      antispoof for em2
      antispoof for em0
      anchor "spoofing"

      # loopback

      anchor "loopback"
      pass in on $loopback all label "pass loopback"
      pass out on $loopback all label "pass loopback"

      anchor "firewallout"

      # let out anything from the firewall host itself and decrypted IPsec traffic

      pass out all keep state allow-opts label "let out anything from firewall host itself"
      pass out route-to ( em1 IPPublica5 ) from IPPublica4 to !213.201.119.96/29 keep state allow-opts label "let out anything from firewall host itself"
      pass out route-to ( em0 10.1.0.1 ) from 10.1.0.2 to !10.1.0.0/24 keep state allow-opts label "let out anything from firewall host itself"
      pass out on $IPsec all keep state label "IPsec internal host to host"

      # make sure the user cannot lock himself out of the webConfigurator or SSH

      anchor "anti-lockout"
      pass in quick on bge0 from any to (bge0) keep state label "anti-lockout rule"

      # PPTPd rules

      anchor "pptp"
      pass in on $WAN proto gre from any to IPPublica4 keep state label "allow gre pptpd"
      pass in on $WAN proto tcp from any to IPPublica4 port = 1723 modulate state label "allow pptpd IPPublica4"

      # NAT Reflection rules

      pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"

      # User-defined rules follow

      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to IPPublica4 port 1723  flags S/SA keep state  label "USER_RULE: Permitir peticiones PPTP"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 80   label "USER_RULE: NAT "
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 22   label "USER_RULE: NAT "
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.22 port 53   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION DNS "
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 25   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION SMTP"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 5221 >< 5224   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION XMPP"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 993   label "USER_RULE: NAT ZIMBRA REDIRECCION IMAPS"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 465   label "USER_RULE: NAT [ZIMBRA]-Redireccion SMTP Seguro"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 443   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION HTTP SEGURO"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 143   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION IMAP"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  from   10.0.0.30 to any keep state  label "USER_RULE: SALIDA WAN DE HOSTING1"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 500  keep state  label "USER_RULE: PERMITIR  TUNELES IPSEC "
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto esp  from any to any keep state  label "USER_RULE: PROTOCOLO ESP"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto ah  from any to any keep state  label "USER_RULE"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  inet proto icmp  from any to any keep state  label "USER_RULE: Responder Pings desde WAN"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.30 port 80   label "USER_RULE: NAT [WWW2]-REDIRECCION HTTP"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.22 port 53   label "USER_RULE: NAT ENTRADA DNS A CORREO"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.30 port 53   label "USER_RULE: NAT ENTRADA DNS A HOSTING1"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.30 port 53   label "USER_RULE: NAT ENTRADA DNS FIREWALL (PROVISIONAL)"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.31 port 53  keep state  label "USER_RULE: NAT ENTRADA DNS FIREWALL (PROVISIONAL)"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   172.26.0.253 port 8080  keep state  label "USER_RULE: NAT FichaClientes"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   172.26.0.253 port 80  keep state  label "USER_RULE: NAT FichaClientes"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   IPPublica4 port 8080  keep state  label "USER_RULE: NAT FichaClientes"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   IPPublica4 port 80  keep state  label "USER_RULE: NAT FichaClientes"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1194  keep state  label "USER_RULE: Openvpn Nuria"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1193  keep state  label "USER_RULE: Openvpn Esther Laptop"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1195  keep state  label "USER_RULE: Openvpn MariCruz"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1196  keep state  label "USER_RULE: Openvpn Ana"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1197  keep state  label "USER_RULE: Openvpn Guadalupe"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1198  keep state  label "USER_RULE: Openvpn T91MT"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1199  keep state  label "USER_RULE: Openvpn T91MT"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1297  keep state  label "USER_RULE: Openvpn LUIS"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1294  keep state  label "USER_RULE: Permitir entrada OpenVPN (BCN)"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1295  keep state  label "USER_RULE: Permitir entrada OpenVPN (BCN)"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1296  keep state  label "USER_RULE: Permitir entrada VPN Esther"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to any port 1298  keep state  label "USER_RULE: Permitir entrada VPN Easy"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.30 port 80   label "USER_RULE: NAT REDIRECCION WEB A HOSTING"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.30 port 443   label "USER_RULE: NAT ENTRADA HTTPS A HOSTING1"
      pass  in  quick  on $WAN  proto tcp  from any  to <vpns> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      pass  in  quick  on $WAN  $GWGW_OPT2  proto tcp  from any to any port 21  flags S/SA keep state  label "USER_RULE: SALIDA FTP POR ADSL"
      pass  in log  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to IPPublica4 port 69  keep state  label "USER_RULE: Entrada TFTP"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to   172.26.0.246 port 69  keep state  label "USER_RULE: NAT TFTP Centralita"
      pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to   172.26.0.246 port 5060  keep state  label "USER_RULE: NAT TFTP Centralita"
      pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto udp  from any to   172.26.0.246 port 5061   label "USER_RULE: NAT TFTP Centralita"
      pass  in  quick  on $pptp  from any to   172.26.0.0/24 keep state  label "USER_RULE: Acceso a LAN desde PPTP"
      pass  in  quick  on $pptp  from any to   10.0.0.0/24 keep state  label "USER_RULE: Acceso a DMZ desde VPN PPTP"
      pass  in  quick  on $pptp  from any to any keep state  label "USER_RULE"
      pass  in  quick  on $DMZ  from   10.0.0.25 to any keep state  label "USER_RULE"
      pass  in log  quick  on $DMZ  from   10.0.0.22 to any keep state  label "USER_RULE: SALIDA TEMPORAL DE CORREO [BORARR ASAP]"
      pass  in  quick  on $DMZ  proto tcp  from   10.0.0.25 to any port 25  flags S/SA keep state  label "USER_RULE: SALIENTES SMTP [VIEJO]"
      pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.25 to   172.26.0.253 keep state  label "USER_RULE: [WWW VIEJO] A SQL SERVER"
      pass  in  quick  on $DMZ  proto tcp  from   10.0.0.30  os Linux to   172.26.0.253 port 1433  flags S/SA keep state  label "USER_RULE: [WWW NUEVO] A SQL SERVER (SOLO SQL)"
      pass  in  quick  on $DMZ  proto tcp  from   10.0.0.30  os Linux to   172.26.0.249 port 1433  flags S/SA keep state  label "USER_RULE: [WWW NUEVO] A SQL SERVER NUEVO(SOLO SQL)"
      pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.25 to   172.26.0.250 keep state  label "USER_RULE: [WWW VIEJO] SALIDA A ANTIVIRUS"
      pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.25 to any port 53  keep state  label "USER_RULE: [WWW VIEJO] DNS TCP"
      pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.31 to any port 53  keep state  label "USER_RULE: [HOSTING1 ] DNS "
      pass  in  quick  on $DMZ  proto { tcp udp }  from   10.0.0.30 to any port 53  keep state  label "USER_RULE: [HOSTING VIRTUAL1] DNS "
      pass  in  quick  on $DMZ  proto tcp  from 172.26.0.0/24 to   10.0.0.25 flags S/SA keep state  label "USER_RULE"
      pass  in  quick  on $DMZ  from   10.0.0.30 to  ! 172.26.0.0/24 keep state  label "USER_RULE: SALIDA HTTP HOSTING"
      pass  in  quick  on $DMZ  from   10.0.0.12 to  ! 172.26.0.0/24 keep state  label "USER_RULE: SALIDA HTTP VMWARE"
      pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: Auto added OpenVPN rule from config upgrade."
      pass  in  quick  on $LAN  from any to   127.0.0.1 keep state  label "USER_RULE: FTP -PROXY"
      pass  in  quick  on $LAN  from 172.26.0.0/24 to 10.0.0.1/24 keep state  label "USER_RULE: Dejar pasar todo el trafico hacia la DMZ"
      pass  in  quick  on $LAN  from 172.26.0.0/24 to   213.201.119.96/29 keep state  label "USER_RULE: Redirigir salida LAN a HOSTS en WAN"
      pass  in log  quick  on $LAN  from any to   172.26.254.40/29 keep state  label "USER_RULE"
      pass  in  quick  on $LAN  proto tcp  from 172.26.0.0/24  to <vpns> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      pass  in  quick  on $LAN  $GWGW_OPT2  proto tcp  from 172.26.0.0/24 to any port 80  flags S/SA keep state  label "USER_RULE: Redirigir salida HTTP A ADSL"
      pass  in  quick  on $LAN  proto tcp  from 172.26.0.0/24  to <vpns> flags S/SA keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      pass  in  quick  on $LAN  $GWGW_OPT2  proto tcp  from 172.26.0.0/24 to any port 443  flags S/SA keep state  label "USER_RULE: Redirigir salida HTTPS A ADSL"
      pass  in  quick  on $LAN  proto { tcp udp }  from 172.26.0.0/24  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      pass  in  quick  on $LAN  $GWGW_OPT2  proto { tcp udp }  from 172.26.0.0/24 to any port 53  keep state  label "USER_RULE: Redirigir salida DNS A ADSL"
      pass  in log  quick  on $LAN  proto { tcp udp }  from 172.26.0.0/24  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
      pass  in log  quick  on $LAN  $GWGW_OPT2  proto { tcp udp }  from 172.26.0.0/24 to any port 21  keep state  label "USER_RULE: Default LAN -> any"
      pass  in log  quick  on $LAN  from 172.26.0.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
      pass  in  quick  on $LAN  from   172.26.0.254/24 to any keep state  label "USER_RULE: Acceso desde OpenVPN"
      pass  in  quick  on $LAN  from   172.26.254.0/24 to any keep state  label "USER_RULE"
      pass  in  quick  on $IPsec  from   10.0.0.0/24 to   192.168.222.0/24 keep state  label "USER_RULE: Acceso a DMZ"
      pass  in  quick  on $IPsec  from   172.26.0.0/24 to   192.168.222.0/24 keep state  label "USER_RULE"
      pass  in  quick  on $IPsec  from any to   127.0.0.1 keep state  label "USER_RULE: FTP- PROXY"
      pass  in  quick  on $IPsec  from 172.26.0.0/24 to   192.168.2.0/24 keep state  label "USER_RULE"
      pass  in  quick  on $IPsec  from   192.168.2.0/24 to 172.26.0.0/24 keep state  label "USER_RULE"
      pass  in  quick  on $IPsec  proto { tcp udp }  from   192.168.1.0/24 to   172.26.0.0/24 keep state  label "USER_RULE: ACEPTAR ENTRADA DESDE MAFLO LORCA"
      pass  in  quick  on $IPsec  proto tcp  from   192.168.2.0/24  os Windows to   172.26.0.253 port 3389  flags S/SA keep state  label "USER_RULE: Acceso a MAnager desde Milanera"
      pass  in  quick  on $IPsec  proto tcp  from   192.168.3.0/24  os Windows to   172.26.0.253 port 3389  flags S/SA keep state  label "USER_RULE: Acceso a MAnager desde Rio Vena"
      pass  in  quick  on $IPsec  from any to   192.168.2.139 keep state  label "USER_RULE: SALIDA A IMPRESORA RICOH MILANERA"
      pass  in  quick  on $IPsec  from   192.168.2.139 to any keep state  label "USER_RULE: ENTRADA DESDE IMPRESORA RICOH MILANERA"
      pass  in  quick  on $IPsec  proto esp  from any to any keep state  label "USER_RULE: PERMITIR TRAFICO DE TUNELES IPSEC ESP"
      pass  in  quick  on $IPsec  proto udp  from any to any keep state  label "USER_RULE: IPSEC UDP"
      pass  in  quick  on $IPsec  proto ah  from any to any keep state  label "USER_RULE: IPSEC AH"
      pass  in  quick  on $IPsec  proto pfsync  from any to any keep state  label "USER_RULE"
      pass  in  quick  on $IPsec  proto { tcp udp }  from   172.26.0.0/24 to   192.168.1.0/24 keep state  label "USER_RULE: ACEPTAR ENTRADA DESDE MAFLO LORCA"
      pass  in  quick  on $IPsec  from any to any keep state  label "USER_RULE: TODO IPSEC"
      pass  in  quick  on $IPsec  from   172.26.254.80/29 to   192.168.0.0/24 keep state  label "USER_RULE: ACCESO A EXCLUSIVAS DESDE ESTHER OVPN"

      # VPN Rules

      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 193.146.168.223 port = 500 keep state label "IPsec: SRB - RIO VENA - outbound isakmp"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 193.146.168.223 to any port = 500 keep state label "IPsec: SRB - RIO VENA - inbound isakmp"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 193.146.168.223 port = 4500 keep state label "IPsec: SRB - RIO VENA - outbound nat-t"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 193.146.168.223 to any port = 4500 keep state label "IPsec: SRB - RIO VENA - inbound nat-t"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 193.146.168.223 keep state label "IPsec: SRB - RIO VENA - outbound esp proto"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 193.146.168.223 to any keep state label "IPsec: SRB - RIO VENA - inbound esp proto"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 84.125.69.198 port = 500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound isakmp"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 84.125.69.198 to any port = 500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound isakmp"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 84.125.69.198 port = 4500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound nat-t"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 84.125.69.198 to any port = 4500 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound nat-t"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 84.125.69.198 keep state label "IPsec: MAFLO - FCO GARCIA LORCA - outbound esp proto"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 84.125.69.198 to any keep state label "IPsec: MAFLO - FCO GARCIA LORCA - inbound esp proto"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 84.125.89.246 port = 500 keep state label "IPsec: EXCLUSIVAS - outbound isakmp"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 84.125.89.246 to any port = 500 keep state label "IPsec: EXCLUSIVAS - inbound isakmp"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 84.125.89.246 port = 4500 keep state label "IPsec: EXCLUSIVAS - outbound nat-t"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 84.125.89.246 to any port = 4500 keep state label "IPsec: EXCLUSIVAS - inbound nat-t"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 84.125.89.246 keep state label "IPsec: EXCLUSIVAS - outbound esp proto"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 84.125.89.246 to any keep state label "IPsec: EXCLUSIVAS - inbound esp proto"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 193.146.174.197 port = 500 keep state label "IPsec: VPN SRB MILANERA - outbound isakmp"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 193.146.174.197 to any port = 500 keep state label "IPsec: VPN SRB MILANERA - inbound isakmp"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 193.146.174.197 port = 4500 keep state label "IPsec: VPN SRB MILANERA - outbound nat-t"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 193.146.174.197 to any port = 4500 keep state label "IPsec: VPN SRB MILANERA - inbound nat-t"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 193.146.174.197 keep state label "IPsec: VPN SRB MILANERA - outbound esp proto"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 193.146.174.197 to any keep state label "IPsec: VPN SRB MILANERA - inbound esp proto"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 87.223.188.155 port = 500 keep state label "IPsec: Kaneda HOme - outbound isakmp"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 87.223.188.155 to any port = 500 keep state label "IPsec: Kaneda HOme - inbound isakmp"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto udp from any to 87.223.188.155 port = 4500 keep state label "IPsec: Kaneda HOme - outbound nat-t"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto udp from 87.223.188.155 to any port = 4500 keep state label "IPsec: Kaneda HOme - inbound nat-t"
      pass out on $WAN  route-to ( em1 IPPublica5 )  proto esp from any to 87.223.188.155 keep state label "IPsec: Kaneda HOme - outbound esp proto"
      pass in on $WAN  reply-to ( em1 IPPublica5 )  proto esp from 87.223.188.155 to any keep state label "IPsec: Kaneda HOme - inbound esp proto"

      # package manager late specific hook

      anchor "packagelate"

      anchor "tftp-proxy/*"

      anchor "limitingesr"

      # uPnPd

      anchor "miniupnpd"
      #---------------------------------------------------------------------------

      I'm getting really crazy with this; any help would be nice.

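The mismatch this kind of ruleset invites is a port forward (`rdr`) with no `pass in` rule admitting the translated destination, so the packet is rewritten and then dropped by the default deny, or the reverse, a `pass` rule left behind after its forward moved. As an added example (not pfSense's own code, nor the poster's), the Python below reads a rules.debug text, pairs every WAN `rdr` with the WAN `pass in` rules, and reports both directions. The sample ruleset is a constructed excerpt modelled on the rules above: the TFTP pass rule for 172.26.0.246 is left out on purpose so the check has something to report, and the pass rule for `10.0.0.22 port 53` is kept alongside the forward that sends port 53 to 10.0.0.31, as in the pasted file.

```python
"""Cross-check pf port forwards (rdr) against the WAN 'pass in' rules that must admit
the forwarded traffic, and flag the mismatches. Added example, not pfSense's own code."""
import re

# Constructed excerpt in the style of the rules.debug pasted above (not the whole file).
# The TFTP pass rule for 172.26.0.246 is left out on purpose so the check has something
# to report; the "10.0.0.22 port 53" pass rule mirrors the thread's own ruleset.
SAMPLE_RULES = """\
rdr on em1 proto tcp from any to IPPublica1 port 80 -> 10.0.0.22
rdr on em1 proto tcp from any to IPPublica1 port 5222:5223 -> 10.0.0.22
rdr on em1 proto { tcp udp } from any to IPPublica1 port 53 -> 10.0.0.31
rdr on em1 proto tcp from any to IPPublica3 port 80 -> 10.0.0.30
rdr on em1 proto udp from any to IPPublica4 port 69 -> 172.26.0.246
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 80   label "USER_RULE: NAT "
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 22   label "USER_RULE: NAT "
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.22 port 53   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION DNS "
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.22 port 5221 >< 5224   label "USER_RULE: NAT [ZIMBRA]-REDIRECCION XMPP"
pass  in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto { tcp udp }  from any to   10.0.0.31 port 53  keep state  label "USER_RULE: NAT ENTRADA DNS FIREWALL (PROVISIONAL)"
pass   in  quick  on $WAN reply-to ( em1 IPPublica5 )  proto tcp  from any to   10.0.0.30 port 80   label "USER_RULE: NAT [WWW2]-REDIRECCION HTTP"
"""

# Only WAN-side rdr rules from 'any' and WAN pass rules with an explicit proto and
# destination port are considered; everything else is ignored by these patterns.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) proto (?P<proto>\{[^}]*\}|\S+) from any to "
    r"(?P<vip>\S+) port (?P<port>\S+) -> (?P<target>\S+)"
)
PASS_RE = re.compile(
    r"^pass\s+in\s+(?:log\s+)?quick\s+on \$WAN\b.*?\bproto (?P<proto>\{[^}]*\}|\S+)\s+"
    r"from any to\s+(?P<dst>\S+) port (?P<port>\d+(?:\s*(?::|><)\s*\d+)?)"
)


def port_set(expr):
    """Expand a pf port expression: '80' -> {80}; '5222:5223' -> {5222, 5223};
    '5221 >< 5224' -> {5222, 5223} (pf's '><' excludes both ends, ':' includes them)."""
    m = re.fullmatch(r"(\d+)(?:\s*(:|><)\s*(\d+))?", expr.strip())
    lo, op, hi = int(m.group(1)), m.group(2), m.group(3)
    if op is None:
        return {lo}
    return set(range(lo, int(hi) + 1)) if op == ":" else set(range(lo + 1, int(hi)))


def proto_set(expr):
    """'tcp' -> {'tcp'}; '{ tcp udp }' -> {'tcp', 'udp'}."""
    return set(expr.strip("{} ").split())


def parse(rules_text):
    """Split a ruleset into (protos, vip, ports, target) forwards and (protos, dst, ports) admits."""
    forwards, admits = [], []
    for line in rules_text.splitlines():
        line = line.strip()
        m = RDR_RE.match(line)
        if m:
            forwards.append((proto_set(m["proto"]), m["vip"], port_set(m["port"]), m["target"]))
            continue
        m = PASS_RE.match(line)
        if m:
            admits.append((proto_set(m["proto"]), m["dst"], port_set(m["port"])))
    return forwards, admits


def audit(rules_text):
    """Return forwards nothing admits (rdr, then dropped by the default deny) and
    pass rules that admit traffic no rdr delivers (stale or hand-added rules)."""
    forwards, admits = parse(rules_text)
    unreachable = [
        (proto, vip, port, target)
        for protos, vip, ports, target in forwards
        for proto in sorted(protos)
        for port in sorted(ports)
        if not any(proto in ap and dst in ("any", target) and port in aports
                   for ap, dst, aports in admits)
    ]
    orphans = [
        (proto, dst, port)
        for ap, dst, aports in admits if dst != "any"
        for proto in sorted(ap)
        for port in sorted(aports)
        if not any(proto in fp and target == dst and port in fports
                   for fp, _vip, fports, target in forwards)
    ]
    return {"unreachable_forwards": unreachable, "orphan_pass_rules": orphans}


if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for proto, vip, port, target in report["unreachable_forwards"]:
        print(f"NO PASS RULE: {proto} {vip}:{port} -> {target}")
    for proto, dst, port in report["orphan_pass_rules"]:
        print(f"NO RDR      : pass {proto} to {dst}:{port}")
```

On a real box the same check runs as `audit(open("/tmp/rules.debug").read())`. Note that the `5221 >< 5224` pass rule is accepted as covering the `5222:5223` forward: pf's `><` operator excludes both endpoints, so the two spellings describe the same two ports, which is easy to misread when comparing the GUI with rules.debug by eye.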
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Post screenshots of the GUI config for NAT and Firewall rules. Those would probably help more (at least initially) than the rules.debug file.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • K
          kaneda
          last edited by

          Thanks a lot, Jimp.
          If you can't find it, nobody will be able to.
          Here are the screenshots.
          [ASCII diagram from the post: LAN ---- Pfsense ---- Router Wan1, with DMZ and Router Wan2 also attached to Pfsense]

          IP ending in .98 -> public IP for mail server (VIP Proxy ARP) -> 10.0.0.22
          IP ending in .100 -> public IP for www server (VIP Proxy ARP) -> 10.0.0.30
          IP ending in .101 -> public IP for WAN interface -> some ports redirected.

          I forgot to say that in one of the many tries I have made to update, I quickly changed the first screen that is shown in the web interface at first logon after restoring the config. It says something like "Reinstalling ...", as if it were installing some modules, but the problem is that I have none in the 1.2.3 config, just the dashboard from 2.0.

          That time it worked for four hours, but when I applied the traffic shaping assistant for VoIP it started blocking again (firewall ruleset reconfiguration??). If I do the process normally it simply doesn't work
          (6 tries with different x86 snapshots).

          The machine is an ML110G6 with 3 added HP GbE PCIe NICs.

          Any info you need, simply ask for it; I will provide it ASAP.
          Many thanks for the help, I'm really lost.

          Kaneda

          NAT_OUOTBOUND.jpg
          NAT_PORTFW.jpg

          • K
            kaneda
            last edited by

            Firewall rules on WAN

            FW_WAN.jpg

            • K
              kaneda
              last edited by

              Firewall rules on DMZ

              FW_DMZ.jpg

              • K
                kaneda
                last edited by

                Any idea?…
                Please tell me if you need any additional info.

                • K
                  kaneda
                  last edited by

                  I tested with a newer release and the problem remains, but this time I had more time to test and debug, and I saw that the problem is only with host 10.0.0.22, which is the mail server.

                  For this I have port redirection on the typical mail ports, HTTP and DNS; all ports point from the VIP (Proxy ARP) called IPPublica1 in the logs, the one that ends in 98 in the screenshots.

                  NAT rules have NAT reflection and accept for the firewall.
                  All ports are redirected to 10.0.0.22, but 53 UDP/TCP (DNS) redirects to 10.0.0.31.

                  About 2 hours after leaving it working, it suddenly stopped working for VIP IPPublica1 (.98), but the port redirections that go to IPPublica3 (.100) work OK.

                  The SSH connection showing logs with option 10 hangs too; it shows some lines, but in 2 or 3 minutes it hangs and doesn't show anything, and a bit later PuTTY says connection lost.

                  Any idea???

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.