Multi LAN and 1 WAN routing
  • Hi,
    I am new to pfSense (installed v1.2.3), so please bear with me as I explain the setup and seek your guidance.
    The pfSense box has 5 NICs: xl0 (LAN), fxp0 (DMZ_OPT1), fxp1 (OPT2), fxp2 (LAB_OPT3), fxp3 (WAN).
    Cable modem to the WAN NIC on the pfSense box.
    WAN: DHCP provided by the ISP.
    LAN: 192.168.2.0/24; DMZ_OPT1: 192.168.1.0/24; OPT2: 192.168.3.0/24; OPT3: 192.168.4.0/24.
    In the DMZ I have an Asterisk box, which requires certain UDP ports for SIP (5060-5062), RTP (10000-20000) and IAX (4569). The Asterisk box has a static IP in the DMZ subnet.
    What worked: I connected the WAN interface to my cable modem and the LAN interface to the local switch. Everything worked like a charm from LAN to WAN and all services were accessible without additional routing and firewall rules.
    What I have done for Asterisk in the DMZ and for LAN to DMZ: I added firewall rules to allow the above ports from any WAN source to connect to the static IP in the DMZ. From the DMZ I allowed all outgoing traffic to any destination on all services/protocols. I left the automatic NAT rules as they are from the default install. I added a LAN rule to allow all traffic to the DMZ. When I first start the service everything seems to work, but then it drops all the incoming connections to the Asterisk box, citing the @78 deny rule. Where do I find this rule? It is not one that I added. I have attached a diagram of how it is set up. What changes to the rules would you recommend? If I put allow all from everywhere, it works fine.




  • Hitting the default deny rule means you don't have any user-configured rules that match the traffic.

    Screenshots of your rules may be helpful.



  • Apologies for the delayed response. The firewall rules in each tab are as follows
    (192.168.1.xxx is the PBX's static IP):

    LAN tab
    Proto     Source          Port           Destination     Port           Gateway   Schedule   Description
    *         LAN net         *              *               *              *                    Default LAN -> any

    WAN tab
    Proto     Source          Port           Destination     Port           Gateway   Schedule   Description
    UDP       *               4569           192.168.1.xxx   4569           *                    WAN TO PBX IAX2
    TCP/UDP   *               5222           192.168.1.xxx   5222 - 5223    *                    WAN TO PBX gtalk Jabber
    UDP       *               5060 - 5080    192.168.1.xxx   5060 - 5080    *                    WAN TO PBX SIP
    UDP       *               10000 - 65534  192.168.1.xxx   10000 - 65534  *                    WAN TO PBX RTP

    DMZ tab
    Proto     Source          Port           Destination     Port           Gateway   Schedule   Description
    TCP/UDP   192.168.1.xxx   443 (HTTPS)    *               443 (HTTPS)    *                    Allow pbx to any 443
    UDP       192.168.1.xxx   4569           *               4569           *                    Allow pbx to wan iax2
    UDP       192.168.1.xxx   5060 - 5080    *               5060 - 5080    *                    Allow PBX to wan sip
    TCP/UDP   192.168.1.xxx   5222 - 5223    *               5222 - 5223    *                    Allow pbx to gtalk Jabber
    UDP       192.168.1.xxx   10000 - 65534  *               10000 - 65534  *                    Allow PBX to any RTP

    I have SIP devices trying to connect to my PBX on the above ports, and they keep landing in the default deny rule.

    1.  I have tried the following: in Firewall -> NAT -> Port Forward, all the above ports were forwarded to the PBX server.
    2.  In System -> Advanced, I have tried both checking and unchecking the "Disable NAT Reflection" checkbox.

    What am I doing wrong?



  • Source port isn't the same as destination port; it should usually be "any".
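To make the last reply concrete, here is an added example (not from the original thread or from pfSense itself) that simulates pf-style first-match evaluation of the WAN tab rules exactly as posted, and then with the source port set to any. A SIP phone registering from behind its own NAT normally sends from an ephemeral source port, so the posted rules, whose source-port column copies the destination-port column, never match it and the packet falls through to the default deny; a peer that happens to send from port 5060 matches either way, which is why such rules can appear to work at first. The PBX address 192.168.1.50 stands in for the redacted 192.168.1.xxx, and the peer addresses and ports are constructed test data, not anything from the thread.

```python
"""Simulate first-match firewall rule evaluation for the WAN rules in this thread.

Constructed example: the PBX address is a placeholder for the redacted
192.168.1.xxx, and all peer addresses/ports are made up (TEST-NET ranges).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# None stands for "*" (any port) in the pfSense rule editor.
PortRange = Optional[Tuple[int, int]]

PBX_IP = "192.168.1.50"  # assumed placeholder for 192.168.1.xxx in the post


@dataclass(frozen=True)
class Rule:
    proto: str            # "udp", "tcp" or "tcp/udp"
    src_port: PortRange   # source port constraint
    dst_ip: str
    dst_port: PortRange   # destination port constraint
    description: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def port_in(port: int, rng: PortRange) -> bool:
    """A None range means any port; otherwise the port must fall inside it."""
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto == "tcp/udp" or rule.proto == pkt.proto
    return (proto_ok
            and rule.dst_ip == pkt.dst_ip
            and port_in(pkt.src_port, rule.src_port)
            and port_in(pkt.dst_port, rule.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching user rule wins; no match falls through to the default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return "pass: " + rule.description
    return "block: default deny rule"


# WAN tab as posted: the source-port column repeats the destination-port column.
WAN_AS_POSTED = [
    Rule("udp", (4569, 4569), PBX_IP, (4569, 4569), "WAN TO PBX IAX2"),
    Rule("tcp/udp", (5222, 5222), PBX_IP, (5222, 5223), "WAN TO PBX gtalk Jabber"),
    Rule("udp", (5060, 5080), PBX_IP, (5060, 5080), "WAN TO PBX SIP"),
    Rule("udp", (10000, 65534), PBX_IP, (10000, 65534), "WAN TO PBX RTP"),
]

# The same rules with source port set to any, as the last reply recommends.
WAN_FIXED = [Rule(r.proto, None, r.dst_ip, r.dst_port, r.description)
             for r in WAN_AS_POSTED]

# Constructed traffic. A SIP phone behind its own NAT arrives from an
# ephemeral source port, not from 5060.
PHONE_REGISTER = Packet("udp", "203.0.113.10", 49152, PBX_IP, 5060)
# A peer that happens to send from port 5060 matches either rule set.
TRUNK_INVITE = Packet("udp", "198.51.100.7", 5060, PBX_IP, 5060)
# RTP media from the phone's own media port to a port the PBX allocated.
RTP_MEDIA = Packet("udp", "203.0.113.10", 7078, PBX_IP, 12000)


if __name__ == "__main__":
    for pkt in (PHONE_REGISTER, TRUNK_INVITE, RTP_MEDIA):
        print(f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        print("  as posted:", evaluate(WAN_AS_POSTED, pkt))
        print("  fixed    :", evaluate(WAN_FIXED, pkt))
```

The same logic applies to the DMZ tab rules, where the PBX's outbound source port is pinned to the service port: outbound SIP from Asterisk does use 5060 by default, so those rules happen to match, but any rule that constrains the source port will silently miss peers that choose a different one.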

