Turn off NAT with Shaper possible?



  • Hi,

    I'd read that transparent bridge mode is not possible with rules in 2 directions. My plan now is to configure pfSense as a router without NAT (I think I can do this with advanced outbound NAT settings) and put it in front of another router.

    Here is what i want to do:

    <=== (LAN 192.168.100.X) pFsense (WAN 192.168.200.X) <===> (192.168.200.X) Other Router doing NAT (WAN 123.123.123.13) ===>

    Is the shaper working in both (LAN<->WAN) directions under these circumstances? Or is it a problem for the shaper if I try to turn off NAT?

    Thx



  • I don't have an answer to your question, but I achieved similar goals (from what I understand) using a setup like this:

    WAN (xx.xx.xx.xx) => pf WAN (192.168.15.1) => pf LAN bridged (192.168.16.1) => Cisco PIX with NAT, etc (10.0.x.x)
    pf was primarily used as a transparent bridge for traffic shaping. Worked a charm.



  • NAT has nothing to do with the shaper.



  • @stechnique:

    I don't have an answer to your question, but I achieved similar goals (from what I understand) using a setup like this:

    WAN (xx.xx.xx.xx) => pf WAN (192.168.15.1) => pf LAN bridged (192.168.16.1) => Cisco PIX with NAT, etc (10.0.x.x)
    pf was primarily used as a transparent bridge for traffic shaping. Worked a charm.

    Can you give more details about this? I believe this is what I'm trying to achieve as well. At the moment, I have a firewall that I don't really want to replace; I just want to put a pfSense box between the firewall and the router, in transparent mode, and have it do shaping for our VoIP traffic (and lower the priority of P2P traffic).

    Is this similar to your setup? Can you tell me how you configured your traffic shaper rules in particular, or provide a screenshot? There seems to be some conflicting information about how to get the shaper working in transparent bridge mode.

    On a related topic, I would also like to do transparent proxy caching with pfSense, if it is possible alongside these other roles.



    I don't have a screenshot since I have now removed the PIX environment and moved to an all-pfSense setup. I bridged LAN with WAN in the interfaces menu to make sure I had no NAT problems.
    My firewall rules were * * * * pass on all interfaces since I had the PIX already configured.
    I set up the traffic shaper with the wizard and then just changed the shaping rules to match my SIP packets (I use my SIP provider's network IPs as source to match packets). I used RED in the VoIP queues and tweaked the ACK queues' bandwidth settings to make sure shaper settings were optimal.
    Shaping worked right out of the box though, and it's easier to shape with this setup as described:

    ISP WAN <===> pf WAN <=BRIDGED=> pf LAN <===> existing router.



    My SIP provider has several IPs, it seems. Can I set up the rule to watch the packets by their source or destination address of my Asterisk box?



    Sure, there are several ways to make it work.
    You could also just use the standard:
    UDP * * 5060
    UDP * * 10000-20000
    In fact after running the shaper wizard, check queue status while making a call and it should already work pretty well for you.
    I would tweak queue bandwidth and RED on the VoIP queues, but that's about it.
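
    The rules quoted in this thread (UDP port 5060 and the 10000-20000 media range into a VoIP queue, RED on the VoIP queues, a separate ACK queue) correspond to the following pf.conf ALTQ fragment. This is an added example written for this thread, not output of the pfSense shaper wizard and not anyone's posted configuration; interface names, link bandwidths, the media port range and the placeholder provider prefix are assumptions. It also answers the original poster's direction question: ALTQ shapes packets as they leave an interface, so shaping LAN<->WAN in both directions on a routed, NAT-free box means one scheduler on the WAN interface (upload) and one on the LAN interface (download).

    ```pf
    # Added example: hand-written pf.conf ALTQ fragment, not pfSense GUI output.
    # Interface names, bandwidths and the 10000:20000 RTP range are assumptions
    # (the range is the one quoted in the thread; match it to your PBX).
    ext_if = "em0"   # WAN side, toward the router that does the NAT
    int_if = "em1"   # LAN side

    # ALTQ queues traffic leaving an interface, so one scheduler per direction:
    # queues on $ext_if govern upload, queues on $int_if govern download.
    altq on $ext_if hfsc bandwidth 2Mb queue { qVoIPup, qACKup, qDefaultup }
    queue qVoIPup    bandwidth 30% hfsc(realtime 25% red)
    queue qACKup     bandwidth 20% hfsc(realtime 10%)
    queue qDefaultup bandwidth 50% hfsc(default)

    altq on $int_if hfsc bandwidth 10Mb queue { qVoIPdown, qACKdown, qDefaultdown }
    queue qVoIPdown    bandwidth 30% hfsc(realtime 25% red)
    queue qACKdown     bandwidth 20% hfsc(realtime 10%)
    queue qDefaultdown bandwidth 50% hfsc(default)

    # Classify SIP signalling and the RTP media range into the VoIP queues.
    # A rule's queue must belong to the scheduler of the interface the packet
    # leaves on, hence separate rules for the WAN and LAN sides.
    pass out quick on $ext_if proto udp from any to any port 5060 queue qVoIPup
    pass out quick on $ext_if proto udp from any to any port 10000:20000 queue qVoIPup
    pass out quick on $int_if proto udp from any to any port 5060 queue qVoIPdown
    pass out quick on $int_if proto udp from any to any port 10000:20000 queue qVoIPdown

    # TCP: bulk data goes to the first queue of the pair; empty ACKs and
    # lowdelay-TOS packets are assigned to the second (the ACK queue).
    pass out on $ext_if proto tcp from any to any queue (qDefaultup, qACKup)
    pass out on $int_if proto tcp from any to any queue (qDefaultdown, qACKdown)

    # Deliberately no "nat on" line: the box routes 192.168.100.0/24 and
    # 192.168.200.0/24 unchanged and the router behind it does the NAT,
    # which is the setup the original question describes.
    ```

    Two things to verify after loading such a ruleset: `pfctl -vsq` shows per-queue packet counters, so a running call should increment the VoIP queues on both interfaces and not the default ones; and each `altq on` block must contain exactly one `default` queue or pf rejects the file. If you prefer matching on the provider's addresses as the earlier post did, add `from <provider-net>` or `to <provider-net>` to the UDP rules instead of relying on ports alone.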

