  • Multiple dynamic WAN IPs from one physical interface

    2
    0 Votes
    2 Posts
    1k Views

    Well, thanks to #pfsense I have this working now. Adding this for others and mainly myself, so I can re-do this at a later point :)

    First I created a static DHCP lease for the machine that I wanted to use a certain WAN interface:
    (if you run into trouble with the machine not using the static lease IP, make sure all other dynamic leases for the machine are removed; I had to do that and restart networking for this Ubuntu machine for the static lease to go into effect)

    Also I selected "Register DHCP static mappings in the DNS Resolver" under Services->DNS Resolvers so I can address this machine with "ubuntu" or "ubuntu.bindibox.net" (my local domain name)

    In Hyper-V, I have created a Virtual Switch attached to my physical WAN connection:

    and pfSense uses this for WAN as well.

    I shut down the pfSense VM, and gave it more network adapters in the VM settings:

    and attached all of them to the vswitch that I mentioned above:

    Then under Interfaces->Assign in pfSense, I assigned the newly attached WAN interfaces and named them like so (I plan to name them wanubuntu, wanmumble, wanplexmediaserver so it's easier to understand which interface I want to use for which virtual machine):

    Then under Firewall->Rules, under LAN tab I created a new rule:

    and put it above the other rules by selecting the other rules and pressing "move other rules to the end":

    You might want to remove gateway monitoring for all but one of them, under System->Routing by editing the gateways listed in there, for this very technical reason:

    < monitus> apinger being a pile of poop and not working correctly with multi wan

    Voila, it works!

    First wget is before applying the previous rule we created, second wget is after the rule is applied:

  • Source NAT and masquerade

    2
    0 Votes
    2 Posts
    1k Views

    Take a look at outbound NAT:
    https://doc.pfsense.org/index.php/Outbound_NAT

  • MOVED: HTTP and HTTPs redirect to Dansguardian IP Address and Port

    Locked
    1
    0 Votes
    1 Posts
    548 Views
    No one has replied
  • [SOLVED] New pfsense box mail stopped working

    5
    0 Votes
    5 Posts
    999 Views

    Just wanted to reply on this thread, the issue has been solved.

    So this is what I did:
    I disabled the DNS Resolver and enabled the DNS Forwarder

    In System < Admin < NAT

    Set "NAT Reflection mode for port forwards" to NAT + Proxy. Checked "Enables the automatic creation of additional NAT redirect rules for access to 1:1 mappings of your external IP addresses from within your internal networks".

    Now everything is working like before, thanks for all the help.

  • Double NATing (???)

    3
    0 Votes
    3 Posts
    816 Views

    Modem -> Router/Access Point -> pfSense

    Internet --- Modem --- pfSense --- Switch --- WLAN AP
    Internet --- Modem --- pfSense --- WLAN AP
    Internet --- Modem --- pfSense --- Switch --- WiFi Router in AP mode

    Would this work?

    For sure this will also work, but then with more or less reaching the goal.
    Depending on the devices and the functions and options offered by the firmware.

    What would be the downsides?

    Double NAT or so called router cascade and the termination of the VPN clients from outside.
    The offered speed from the router.

    Because at this moment in time I can't connect my pfSense to my Modem directly due to the adapter not working.

    It's mostly or often based on a mismatch of the auto speed connection from the modem.
    Go and buy a cheap NIC from Intel and be happy.

  • Copied NAT Rule Not Working

    4
    0 Votes
    4 Posts
    1k Views
    BBcan177

    The older pfBlocker version is a separate package than pfBlockerNG. The older version is also not available for pfSense +2.2

    Here is a script to flush the old pfBlocker remnants from the config.

    https://forum.pfsense.org/index.php?topic=88443.msg491279#msg491279

  • Chatroulette Black Screen

    2
    0 Votes
    2 Posts
    4k Views
    johnpoz

    There is nothing special you have to do with NAT for that to work. So I just connected to chatrandom - and while yes there are a lot of black screens, some do work - most of them were people playing with themselves, wtf world do we live in where you want random people to see you playing with your dick???

    But for example here was a normal screen that came up. I had no desire to chat with anyone or anyone to see me this early in the morning so mine was just pointed at the wall.

    There should be no reason you have to do anything special for those types of services to work in pfsense.  I could test your other sites as well, but I have seen enough penises for one morning!!


  • Need to port forward ARQ protocol

    6
    0 Votes
    6 Posts
    2k Views

    @jimp:

    I saw those but it didn't make much sense in the context given so I assumed it wasn't relevant. Seemed like it might have been more likely to be a typo or a miscommunication than that.

    That's my guess as well.

  • Interfaces -> WAN -> Private Networks settings question

    2
    0 Votes
    2 Posts
    2k Views

    That applies to ingress traffic on WAN, not egress. No relation to whether or not you can check for updates. Usually that's because you're missing DNS or a default gateway, or otherwise can't get out to the Internet from the host itself. If static IP WAN, you have to configure DNS servers under System>General Setup.

  • Port forward assistance needed

    10
    0 Votes
    10 Posts
    2k Views

    @johnpoz:

    What packet capture?  I don't see any packet capture..

    This really takes like 30 seconds to troubleshoot… Capture on your WAN, do you see it? Capture on your LAN, do you see it going to your client? If no answer from the client, then the client's not listening, you have the wrong client, or client firewall.

    Common issues: client firewall. Traffic never getting to pfSense to forward in the first place. Wrong port, wrong client. All of which is clearly listed in the troubleshooting doc.

    Windows can do netstat just like Linux. Validate the box you're forwarding to is actually listening on that port, validate with simple netstat, connect to it from a local client, etc.

    I haven't uploaded the packet capture to the forum yet but will do.

  • Explanation for a noob - setting up port forwards

    2
    0 Votes
    2 Posts
    620 Views
    KOM

    What does this do/mean?

    It's talking about an associated firewall rule to go along with the NAT rule.  You need both.  The NAT rule does the mapping and the firewall rule allows the traffic.

  • Cannot Port Forward

    17
    0 Votes
    17 Posts
    5k Views
    johnpoz

    Dude this really is click click!!  Run through the troubleshooter if you're having issues - it covers pretty much every single scenario that there is issues.

    Really is 30 seconds..  Have something listening..  My Ubuntu VM is listening on ssh on 192.168.1.7

    I create a forward, let it create your firewall rule - go to canyouseeme, unless you're testing UDP that you can not check like that.. Create your forward with TCP first to something listening, rdp, ssh, ftp, http, anything!!  On your box running the service do a netstat, do you see it listening (netstat works both linux and windows


  • Question about NAT to access DSL modem

    8
    0 Votes
    8 Posts
    1k Views

    @Krellan:

    I'll just have to repeat that edit for all of the 1:1 NAT entries that I have.

    Not really sure why exactly is that needed. Why should everyone have access to your modem? How often are you accessing it? Once a year?

  • Question about NAT inside a Class A private network range

    2
    0 Votes
    2 Posts
    668 Views
    johnpoz

    No, other than maybe turning off block private IPs on your WAN, if you're going to have devices on your WAN forwarded into your LAN.

  • Multiple exchange server - to Multiple External IP through one nic

    6
    0 Votes
    6 Posts
    1k Views
    Derelict

    That sure looks like it should work.  I rarely have IP addresses to play with and don't do much 1:1.  I trust a 1:1 entry will take precedence over the regular outbound NAT rules.

    I'm not sure about the choice of a Proxy ARP Type.  I'm using ifAlias (because it's a HA pair).  But it should work.

    Are you sure you're not looking at an existing firewall state?  What does www.wimi.com in a browser show from the server after you add the 1:1?

  • Outbound NAT Doesn't Work [FIXED]

    4
    0 Votes
    4 Posts
    1k Views
    Derelict

    The thread is marked as fixed.  What's the deal? You mean the physical router's LAN interface address, not gateway, right?

    You're going to have to go through the basic troubleshooting steps and tell us what's actually not working.  "can't access the internet" could be anything.

    https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

  • Logging NAT ports

    2
    0 Votes
    2 Posts
    699 Views
    jimp

    Not currently, though logging NAT translations is something we hope to do over time.

    Currently your best bet is to track connections with something like netflow (exported from softflowd to a central netflow server on your network) – from there you can drill down and locate connection information by ip/port/etc. The exact bits you can search depend on your netflow server.

  • Filet-O-Firewall suggestions

    4
    0 Votes
    4 Posts
    965 Views

    @jimp:

    Add ACLs to UPnP to limit the ports they can use.

    This is the best answer regardless.

    @jimp:

    Also 2.2.5 snapshots have an updated version of miniupnpd which, I believe, has some sort of fix for this.

    They added DNS rebinding protection to miniupnpd, which is in the version in 2.2.5 snapshots. That effectively prevents this from being an issue.

  • VOIP PBX loses connection to SIP-server German VOIP Telekom

    3
    0 Votes
    3 Posts
    719 Views

    But every day the PBX loses connection to the SIP server or STUN servers and the customer can not make any phone calls, nor could someone call the customer.

    Every 24h the German Telekom will cut the Internet connection to its customers, also the business customers!
    Could this be the problem?

    The SIP server is at your ISP side and the STUN server is normally placed free in the Internet,
    like a server at a hoster.

    The other way is the following, take a PBX appliance inside of the DMZ at the pfSense.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.