Yes, a diagram here would help a lot. It's not obvious to me what you're trying to achieve.

Steve

Finally got the NAT rules and portforwarding to work. Turns out that putting the internal private ip address in the destination address for the WAN interface was the correct way of doing things, while I'm still not exactly sure how/why this works. Long story short, 1+ hour with Comcast and my own modem, it turns out that whoever "provisioned" my modem for internet access did not setup anything but the default ports to be opened ie.53,80,443. Once i got to one of the higher ups, I got a new external IP address, and now all my portforwarding works. Problem solved.

Considering the configuration is non-trivial, perhaps it'd be better to post in your native language on the internation forums: https://forum.pfsense.org/index.php#c3

Or, if it's a company network, perhaps get paid support from ESF? https://www.pfsense.org/get-support/

So if you ping the FQDN of the mail server from an internal client, do you get a response back? And have you checked to see if the mail server is running any kind of firewall locally, or has some traffic filtering of it's own in place?

If you over-use static port, pf won't allow one to "steal" the other's connection, but will deny the new connection (can't create a conflicting state).

It would only be denied iff it tries to re-use the same static source port going to the same destination:

Connection #1:
a.a.a.a:xxxx NAT to b.b.b.b:xxxx destination c.c.c.c:yyyy

Connection #2 – Denied:
a.a.a.q:xxxx NAT to b.b.b.b:xxxx destination c.c.c.c:yyyy

Connection #3 -- OK:
a.a.a.q:xxxx NAT to b.b.b.b:xxxx destination d.d.d.d:zzzz

Limiting use of static port to things that require static port (e.g. a PBX) is the best way to avoid problems. Generally speaking, the only time someone would really hit scenario #3 above is if you have two local PBX units attempting to connect to the same remote PBX. In that case you'd need to NAT one of them out a different IP address (1:1 NAT or outbound NAT to a different IP address)

Dear Derelict,

Thanks for your advice, I will try it.

You still need two VLANs.

(which I believe would mean that they are send to my VPN server and back) but should be routed
directly to the destination address in the LAN.
Would not be running, because the VPN must be having on both ends a different LAN address!

192.168.1.0/24 –--VPN ----192.168.1.0/24 - will not be running 192.168.1.0/24 ----VPN ----172.xxx.xxx.xxx/24 - will be running

On the other hand packages that have a destination address outside of 192.168.1.x/24 should be
routed through the gateway and consequently through the VPN.
If the destination is on the other VPN end yes, if not no.

My whole reasoning behind this is that I really need GBit-Lan locally
Then we should be are talking about other things and perhaps other hardware also.
If the pfSense is doing all, what is very popular for many users, it slows down even a little bit
more how much more the pfsense have to do, for sure this is also by other vendors and systems
Let us see a MikroTik Router it deliveres full speed at first time and after SPI, NAT and 20 firewall
rules, VLANs and QoS it is delivering something around 25% of its full power, for sure not at all
models but at the most ones. And fore sure it would be also running with all other systems on
mother earth! So if you install some Layer3 Switch in your network and stack them instead of
only uplink them you would be at these days doing the best as you are able to do.

The whole and entire LAN traffic will be routed only be the Layer3 Switches and the pfSense
is now free of this work. This is often very speeding up many network constructions.
And if you bind your servers over 10 GBit/s to the Switches you will be getting out
of creating a so called bottleneck. Or plain LAG (LACP) them perhaps would also bringing
more throughput near by.

(VPN is only 100Mbit).
There fore you will be able to do also some things to speed up the throughput a lot.

The CPU has to do the most, so if you spend pfSense a really powerful CPU you
get the most of, and then perhaps also some more ECC RAM it would be the best
point to start speeding up the WAN throughput. Using Intel server network adapters
would bring you also more stability and gaining once more again the throughput a bit.

Inserting then perhaps a compression card on both ends of the VPN (not only at one side)
would be increasing the entire throughput once more again. Comtech AHA362PCIe is able
to buy over eBay for something around likes ~$30 - $60.

AES-NI at the CPU would be the best option today and a 4 Core Intel Xeon E3-12xxv3 at a
minimum of 3,0GHz would do the job.

For sure there are also other options out to insert but I am in Germany and the most
companies of those equipment are in the USA. So if you are a citizen of the USA you
could try starting around your search for a Exar DX1700 crypto accelerator that will
be speeding VPNs up mostly really wicked. If this card is supported.

@hunderri:

My PBX is not local. can i use the same configuration?

What do you mean by this? Are you saying your PBX is sited somewhere outisde your firewall/LAN?
@hunderri:

i configured the rules on Firewall: NAT: Port Forward but i dot see the icon pass or linked rule. what might be the problem?

No idea. Why don't you post a screenshot of your firewall and NAT rules? It might help.

For that matter, why not post a diagram of your network setup, including your firewall, your LAN and the PBX, specifically showing where the PBX is sited? Just saying "My firewall rules don't work" doesn't really help anyone to help you.

Why does it matter for your nat rules?  Why did you have to do anything on the nat rules?  Once you create a new interface the nat rules the new source IPs of your other segment would of auto been added to the rules for wan interface.

I have multiple lan side nics with some being physical and other being vlans on the physical interfaces - as you see I have multiple 192.168.x segments - and they are all included in the nat rule to my wan interface

natrules.png
natrules.png_thumb

Look in your states table..  For all the combinations of source and destination states under diag.  But the question is not what pfsense is using but more what a nat device in front of pfsense would be using if your in its dmz vs setting specific forwards to pfsense wan IP.  Double nat is not good..  But you say your not behind a double nat that pfsense has public ip on its wan.

If your pfsense has a public IP, you sure its public??  192.168.x.x, 10.x.x.x or 172.16-31 are private IPs..

So did you do step one.. Did you sniff on pfsense and validate you see the traffic your wanting to forward.. There is no reason to look further until you have validated you see the traffic on pfsense wan - because if your not seeing it there is nothing you can do it pfsense to make it show up ;)

simple packet capture on diag.. Go to can you see me .org and do a simple test to your port

example see attached.  Use that as test of your forward, but you need to sniff your traffic when the real traffic is suppose to be there.. If your using dyndns you sure they are using your correct public IP, etc.

sniffforport.png
sniffforport.png_thumb

Thanks for coming back and posting what you did to get past your problem.

There isn't a specific NAT log, just the firewall log.

What problem are you having?

It's automatic, the MAC of the CARP IP is determined by its VHID.

Unless your Xboxes have some sort of service that you want access to externally, port-forwarding doesn't come into play here.  Have you looked through the Gaming forum?  There seems to be a few articles that may apply to you, like this one.

Sounds like you don't have reflection enabled for 1:1?

Problem is fixed: My ISP had an issue on the routing on his site. This is the working setup

DSL line –> DSLmodem/router configured as bridge --> <pfsense>WAN interface configured as PPOE getting the 28.153/32--> VIP 28.154/29...128.155/29 and so on created on the localhost interface. NAT to forward the /29 IPs to the systems in the DMZ.
   </pfsense>