Netgate Discussion Forum
    Multi LAN and 1 WAN routing

    Firewalling
    4 Posts 2 Posters 2.4k Views

    rajkedda:

      Hi,
      I am new to pfSense (installed v1.2.3), please bear with me as I explain the setup and seek your guidance.
      pfSense has 5 NIC cards: xl0 (LAN), fxp0 (DMZ_OPT1), fxp1 (OPT2), fxp2 (LAB_OPT3), fxp3 (WAN).
      Cable modem to WAN NIC on the pfSense box.
      WAN: DHCP provided by ISP.
      LAN: IP 192.168.2.0/24; DMZ_OPT1: IP 192.168.1.0/24; OPT2: IP 192.168.3.0/24; OPT3: IP 192.168.4.0/24.
      In the DMZ I have an Asterisk box, which requires certain ports on UDP for SIP (5060-5062), RTP (10000-20000), IAX (4569). The Asterisk box has a static IP in the DMZ subnet.
      What worked: I connected the WAN interface to my cable modem and the LAN interface to the local switch. Everything worked like a charm from LAN to WAN and all services were accessible without additional routing and firewall rules.
      What I have done for Asterisk in the DMZ and for LAN to DMZ: I added the firewall rules to allow the above ports from any WAN source to connect to the static IP on the DMZ. From the DMZ I allowed all outgoing traffic to any source on all services/protocols. I left the automatic NAT rules as is from the default install. I added a LAN rule to allow all traffic to the DMZ. When I first start the service everything seems to work, but it drops all the incoming connections on the Asterisk box, stating @78 deny rule. Where do I find this rule? It is not one that I added. I have attached the diagram of how it is set up. What changes in rules would you recommend? If I put allow all from everywhere it works fine.

      [attached diagram: pfsense.jpg]

      cmb:

        Hitting the default deny rule means you don't have any user-configured rules that match the traffic.

        Screenshots of your rules may be helpful.

        rajkedda:

          Apologies for the delayed response. The firewall rules in each tab are:
          192.168.1.xxx is a static IP

          LAN Tab
          Proto    Source         Port           Destination    Port           Gateway  Schedule  Description
          *        LAN net        *              *              *              *                  Default LAN -> any

          WAN Tab
          Proto    Source         Port           Destination    Port           Gateway  Schedule  Description
          UDP      *              4569           192.168.1.xxx  4569           *                  WAN TO PBX IAX2
          TCP/UDP  *              5222           192.168.1.xxx  5222 - 5223    *                  WAN TO PBX gtalk Jabber
          UDP      *              5060 - 5080    192.168.1.xxx  5060 - 5080    *                  WAN TO PBX SIP
          UDP      *              10000 - 65534  192.168.1.xxx  10000 - 65534  *                  WAN TO PBX RTP

          DMZ Tab
          Proto    Source         Port           Destination    Port           Gateway  Schedule  Description
          TCP/UDP  192.168.1.xxx  443 (HTTPS)    *              443 (HTTPS)    *                  Allow pbx to any 443
          UDP      192.168.1.xxx  4569           *              4569           *                  Allow pbx to wan iax2
          UDP      192.168.1.xxx  5060 - 5080    *              5060 - 5080    *                  Allow PBX to wan sip
          TCP/UDP  192.168.1.xxx  5222 - 5223    *              5222 - 5223    *                  Allow pbx to gtalk Jabber
          UDP      192.168.1.xxx  10000 - 65534  *              10000 - 65534  *                  Allow PBX to any RTP

          I have SIP devices trying to connect to my PBX, and they keep landing in the default deny rule using the above ports.

          1. I have tried the following: in Firewall -> NAT -> Port Forward, all the above ports were forwarded to the PBX server.
          2. In System -> Advanced, I have both checked and unchecked the Disable NAT Reflection checkbox.

          What am I doing wrong?

            cmb:

            Source port isn't the same as destination port; it usually should be any.

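To see why cmb's point resolves the thread, here is an added example (not code from the forum or from pfSense) that models a first-match packet filter falling through to the default deny. The `Rule` class, `first_match` and the addresses are constructed for illustration; 192.168.1.10 stands in for the redacted 192.168.1.xxx.

```python
# Added example: a minimal first-match rule evaluator over the
# (proto, src, sport, dst, dport) tuple, used to compare the WAN-tab rules
# as posted (source port pinned to the service port) with the corrected
# rules (source port any). All addresses and ports here are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "any"


@dataclass(frozen=True)
class Rule:
    proto: str            # "udp", "tcp" or "tcp/udp"
    sport: PortRange      # source port range, None = any
    dst: Optional[str]    # destination address, None = any
    dport: PortRange      # destination port range, None = any
    desc: str


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def first_match(rules, proto, src, sport, dst, dport):
    """Return the description of the first pass rule matching the packet,
    or "default deny" when none does (the implicit last-resort rule)."""
    for r in rules:
        if proto not in r.proto.split("/"):
            continue
        if r.dst is not None and r.dst != dst:
            continue
        if _in_range(sport, r.sport) and _in_range(dport, r.dport):
            return r.desc
    return "default deny"


PBX = "192.168.1.10"  # constructed stand-in for 192.168.1.xxx

# The UDP WAN-tab rules as posted: source port restricted to the service port.
WAN_AS_POSTED = [
    Rule("udp", (4569, 4569), PBX, (4569, 4569), "WAN TO PBX IAX2"),
    Rule("udp", (5060, 5080), PBX, (5060, 5080), "WAN TO PBX SIP"),
    Rule("udp", (10000, 65534), PBX, (10000, 65534), "WAN TO PBX RTP"),
]

# The same rules with the source port set to any, as cmb recommends.
WAN_FIXED = [Rule(r.proto, None, r.dst, r.dport, r.desc) for r in WAN_AS_POSTED]


def sip_register_verdict(rules, client_sport=51234):
    """A remote SIP phone sending REGISTER to port 5060 from an ephemeral port."""
    return first_match(rules, "udp", "203.0.113.7", client_sport, PBX, 5060)
```

Note that the RTP rule as posted still matches any source port in 10000-65534, so media can appear to work while signalling to 5060 from an ephemeral source port lands in the default deny, which is the symptom described above.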
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.