Hi,

Here is what you requested.

#################
## rules.debug ##
#################

# System Aliases
loopback = "{ lo0 }"
lan = "{ em0 }"
wan = "{ em1 }"
enc0 = "{ enc0 }"

# User Aliases

set loginterface em1
set loginterface em0
set optimization normal

scrub all random-id fragment reassemble

nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# FTP proxy
rdr-anchor "pftpx/*"

# Outbound NAT rules
nat on $wan from 10.30.1.0/24 port 500 to any port 500 -> (em1) port 500
nat on $wan from 10.30.1.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $wan from 10.30.1.0/24 to any -> (em1)

# SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor - slbd updates
rdr-anchor "slb"

# FTP Proxy/helper
table <vpns> { }
no rdr on em0 proto tcp from any to <vpns> port 21
rdr on em0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# NAT Inbound Redirects
rdr on em1 proto udp from any to 216.139.33.155/32 port 5060:5080 -> 10.30.1.71 port 5060:*
rdr on em1 proto udp from any to 216.139.33.155/32 port 10001:20000 -> 10.30.1.71 port 10001:*
rdr on em1 proto tcp from any to 216.139.33.155/32 port { 80 } -> 10.30.1.71

# IMSpector rdr anchor
rdr-anchor "imspector"

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "ftpsesame/*"
anchor "firewallrules"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"

# permit wan interface to ping out (ping_hosts.sh)
pass quick proto icmp from 216.139.33.154 to any keep state

# NAT Reflection rules

# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 10.30.1.1 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 10.30.1.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

block in log quick on $wan proto udp from any port = 67 to 10.30.1.0/24 port = 68 label "block dhcp client out wan"
pass in quick on $wan proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for em0
anchor "spoofing"

# block anything from private networks on WAN interface
anchor "spoofing"
antispoof for $wan
block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on em1 all keep state label "let out anything from firewall host itself"

# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on em1 all keep state label "let out anything from firewall host itself"
pass out quick on em0 all keep state label "let out anything from firewall host itself"
pass out quick on $enc0 keep state label "IPSEC internal host to host"

# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick on em0 from any to 10.30.1.1 keep state label "anti-lockout web rule"

# SSH lockout
block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"

anchor "ftpproxy"
anchor "pftpx/*"
pass quick proto carp
pass quick proto pfsync

# User-defined aliases follow

# User-defined rules follow
pass in quick on $wan proto tcp from any to { 10.30.1.70 } port = 80 keep state label "USER_RULE: NAT Interface for weather and platypus-public"
pass in quick on $lan from 10.30.1.0/24 to any keep state label "USER_RULE: Default LAN -> any"
pass in quick on $wan proto udp from any to { 10.30.1.71 } port 5059 >< 5081 keep state label "USER_RULE: NAT SIP"
pass in quick on $wan proto udp from any to { 10.30.1.71 } port 10000 >< 20001 keep state label "USER_RULE: NAT RTP"
pass in quick on $wan proto tcp from any to { 10.30.1.71 } port = 80 keep state label "USER_RULE: NAT java.garlic.com - Trixbox Server"

# VPN Rules

pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

# enable ftp-proxy

# IMSpector
anchor "imspector"

# uPnPd
anchor "miniupnpd"

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all label "Default block all just to be sure."
block out log quick all label "Default block all just to be sure."

###########################
### NAT from config.xml ###
###########################
<nat>
	<ipsecpassthru>
		<enable/>
	</ipsecpassthru>
	<rule>
		<external-address>216.139.33.155</external-address>
		<protocol>udp</protocol>
		<external-port>5060-5080</external-port>
		<target>10.30.1.71</target>
		<local-port>5060</local-port>
		<interface>wan</interface>
		<descr>SIP</descr>
	</rule>
	<rule>
		<external-address>216.139.33.155</external-address>
		<protocol>udp</protocol>
		<external-port>10001-20000</external-port>
		<target>10.30.1.71</target>
		<local-port>10001</local-port>
		<interface>wan</interface>
		<descr>RTP</descr>
	</rule>
	<rule>
		<external-address>216.139.33.155</external-address>
		<protocol>tcp</protocol>
		<external-port>80</external-port>
		<target>10.30.1.71</target>
		<local-port>80</local-port>
		<interface>wan</interface>
		<descr>java.garlic.com - Trixbox Server</descr>
	</rule>
</nat>

What else can I provide? Thanks again!

- Patrick

> Can you send your rules.debug and NAT and rules config.xml portions from
> status.php?
>
>
> Patrick wrote:
>> Hi all,
>>
>> Fresh install of the latest pfsense, I initially set up some NAT port
>> forwarding, removed them, and tried to re-add them. Unfortunately the
>> 2nd time around none of my NAT forwarding works.
>>
>> I have even tried rebooting the machine as well, and the firewall rules
>> still won't work. I tried to forward a Virtual IP's http and tftp ports
>> to a box internal to the pfsense firewall, but none of them are working.
>>
>> The only fix I have found is to reinstall pfsense, but that kinda
>> defeats the whole purpose. Is there something I'm not doing that is
>> preventing these from working? I make sure to hit apply changes in the
>> NAT area as well.
>>
>> If I can provide something else to help troubleshoot this, please let me
>> know.
>>
>> Thanks!
>>
>> - Patrick
>>
>
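A port forward on pfSense is two pf rules that have to agree: the "NAT Inbound Redirects" rdr line that rewrites the destination, and a "pass in" rule on the WAN interface that admits the packet at its translated destination and port. Added example, not part of Patrick's message or of pfSense itself: a small Python checker that parses the macro, rdr and "pass in ... proto ... port" lines out of a rules.debug, resolves $wan to its interface, converts pf's port spellings (port = 80, port { 80 }, port 5060:5080, port 5059 >< 5081, -> ... port 5060:*) to inclusive ranges, and reports every rdr with no covering pass rule and every WAN pass rule with no rdr behind it. The regexes, class names and the constructed RULES_DEBUG string are mine; the string is a copy of the relevant lines from the rules.debug posted above. Run against those lines it flags one thing: the pass rule to 10.30.1.70 port 80 ("NAT Interface for weather and platypus-public") has no rdr pointing at 10.30.1.70, while all three rdr rules do have a matching pass rule. Whether that has anything to do with the forwards not working is not something rules.debug alone can show; it covers only what pf has loaded, not states, routing on the target host, or the rest of config.xml.

```python
import re
from dataclasses import dataclass

# Constructed sample: the macro lines, inbound rdr rules and WAN "pass in" rules
# copied from the rules.debug posted in this thread, so the audit runs offline.
# Feed it the contents of a full /tmp/rules.debug when checking a live box.
RULES_DEBUG = r'''
wan = "{ em1 }"
lan = "{ em0 }"
rdr on em1 proto udp from any to 216.139.33.155/32 port 5060:5080 -> 10.30.1.71 port 5060:*
rdr on em1 proto udp from any to 216.139.33.155/32 port 10001:20000 -> 10.30.1.71 port 10001:*
rdr on em1 proto tcp from any to 216.139.33.155/32 port { 80 } -> 10.30.1.71
pass in quick on $wan proto tcp from any to { 10.30.1.70 } port = 80 keep state label "USER_RULE: NAT Interface for weather and platypus-public"
pass in quick on $wan proto udp from any to { 10.30.1.71 } port 5059 >< 5081 keep state label "USER_RULE: NAT SIP"
pass in quick on $wan proto udp from any to { 10.30.1.71 } port 10000 >< 20001 keep state label "USER_RULE: NAT RTP"
pass in quick on $wan proto tcp from any to { 10.30.1.71 } port = 80 keep state label "USER_RULE: NAT java.garlic.com - Trixbox Server"
'''

# Patterns written for the rule shapes pfSense emits above; pass rules without
# an explicit proto and port (e.g. the "Default LAN -> any" rule) are skipped.
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{?\s*(\S+?)\s*\}?"\s*$')
RDR_RE = re.compile(r"^rdr on (\S+) proto (\w+) from \S+ to (\S+)(?: port (.+?))? -> (\S+)(?: port (\S+))?\s*$")
PASS_RE = re.compile(r'^pass in quick on (\S+) proto (\w+) from \S+ to \{?\s*(\S+?)\s*\}? port (.+?) keep state'
                     r'(?: label "([^"]*)")?\s*$')

@dataclass
class Rdr:
    iface: str; proto: str; ext_addr: str; target: str
    lo: int; hi: int          # destination port range after translation

@dataclass
class Pass:
    iface: str; proto: str; dst: str
    lo: int; hi: int; label: str

def parse_port(spec: str):
    """Inclusive (lo, hi) for the pf port expressions that appear in rules.debug."""
    spec = spec.strip().strip("{}").strip()
    if m := re.fullmatch(r"=\s*(\d+)", spec):
        return int(m.group(1)), int(m.group(1))
    if m := re.fullmatch(r"(\d+)\s*><\s*(\d+)", spec):      # '><' excludes both endpoints
        return int(m.group(1)) + 1, int(m.group(2)) - 1
    if m := re.fullmatch(r"(\d+):(\d+)", spec):
        return int(m.group(1)), int(m.group(2))
    if m := re.fullmatch(r"(\d+)", spec):
        return int(m.group(1)), int(m.group(1))
    raise ValueError(f"unsupported port spec: {spec!r}")

def translated_range(ext_spec, tgt_spec):
    """Port range seen by the internal host once the rdr has rewritten the packet."""
    lo, hi = (1, 65535) if ext_spec is None else parse_port(ext_spec)
    if tgt_spec is None:                                    # no 'port' on the right: unchanged
        return lo, hi
    if m := re.fullmatch(r"(\d+):\*", tgt_spec):            # 'N:*' maps the range onto N..N+width
        base = int(m.group(1))
        return base, base + (hi - lo)
    return parse_port(tgt_spec)                             # single port: everything lands there

def parse(text):
    macros, rdrs, passes = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2)
        elif m := RDR_RE.match(line):
            iface, proto, ext, ext_port, target, tgt_port = m.groups()
            lo, hi = translated_range(ext_port, tgt_port)
            rdrs.append(Rdr(iface, proto, ext, target, lo, hi))
        elif m := PASS_RE.match(line):
            iface, proto, dst, port, label = m.groups()
            lo, hi = parse_port(port)
            passes.append(Pass(iface, proto, dst, lo, hi, label or ""))
    resolve = lambda i: macros.get(i[1:], i) if i.startswith("$") else i   # $wan -> em1
    for r in rdrs:
        r.iface = resolve(r.iface)
    for p in passes:
        p.iface = resolve(p.iface)
    return rdrs, passes

def audit(text):
    """Return (rdr rules with no covering pass rule, pass rules with no rdr behind them)."""
    rdrs, passes = parse(text)
    same = lambda p, r: p.iface == r.iface and p.proto == r.proto and p.dst == r.target
    covers = lambda p, r: same(p, r) and p.lo <= r.lo and p.hi >= r.hi
    overlaps = lambda p, r: same(p, r) and p.lo <= r.hi and r.lo <= p.hi
    unmatched = [r for r in rdrs if not any(covers(p, r) for p in passes)]
    orphans = [p for p in passes if not any(overlaps(p, r) for r in rdrs)]
    return unmatched, orphans

if __name__ == "__main__":
    unmatched, orphans = audit(RULES_DEBUG)
    for r in unmatched:
        print(f"rdr with no pass rule: {r.proto} {r.ext_addr} -> {r.target} ports {r.lo}-{r.hi}")
    for p in orphans:
        print(f"pass rule with no rdr:  {p.proto} to {p.dst} ports {p.lo}-{p.hi}  [{p.label}]")
```

The checker is deliberately strict about interface and protocol: a pass rule on $lan, or one for tcp where the rdr is udp, does not count as covering a redirect, because pf evaluates the rdr first and then filters the rewritten packet on the interface it arrived on.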