You can assign interfaces of that pptp connection. but that could be problematic if you have lot of clients enabled

@GruensFroeschli: No round robin included ;) It does forward the ports correctly. However what doesn't work is if you want to forward ports with aliases if the internal port differs from the external port (eg. you want to forward port "25, 93 and 110" to "10025, 10093 and 10110") Great, that just saved me having to create 7 different rules, instead of just 1 (I forgot to also add 80 and 443 for the webmail component).  Thanks again!

Let us know how it went. going to spend some offline time(it's midnight over here)

@jswright61: So the cable goes from OPT1 to Wan (Internet) port on the AEBS? The OPT1 interface gets a private IP? Any firewall rules needed. I apologize for lack of knowledge here. I am hoping for step by step instructions. thanks Scott I'm not familiar with the AEBS, so I can't give you instructions for it.  And now that I think about it, you might have to use the WAN port and deal with double NAT, as I'm not sure how it handles the guest network part.

Lead me up and let me down, thanks! :) Anyone else got any ideas?

@Metu69salemi: i don't use nat-reflection myself so it's unknown field(i'm using split-dns) can you provide screenshot of your portforward rules Here it is, Sir [image: Clipboard24.jpg] [image: Clipboard24.jpg_thumb]

I finally found out what the issue was. We were having some IP address conflicts and so the port request wasn't even reaching the firewall.

If you want to change anything at all with outbound NAT, you must use Manual Outbound NAT. There is no way to change any settings like that otherwise.

When you created the NAT rules, what interface did you choose there?

There are proxy packages that can do this, I believe the mod_security package is one of them, but I'm not sure if it's currently working or not.

Or there is someone that could suggest me on how to solve this problem?…:)

I'm currently using 2.0rc3. So this advice is "tailored" for 2.0 try to convert it to 1.2.3 if needed any adjusting. 1. Create port alias add there these ports: 5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 5678, 16384-16403(awful lot of ports at my point of view) 2. Create a rule on wan pass tcp/udp source any source port any destination wan-address(or use portforwards to get interenal addresses) destination port your newly created alias gateway any logging none 3. Apply changes and try

@Nachtfalke: Port 5061 is used for encrypted (TLS) VoIP traffic. This means that TCP is used. So changing the timeout of UDP will not help. In some cases VoIP can use DTLS (UDP) encrypted traffic. Im using port 5061 for security reasoon, im using the same technic as usual port 5061, udp yes. My firwall is blockling alot of traffic on 5060 that shouldnt be there, mostly ip's from china.

Does anyone have any input.

More likely feature than bug. pfsense seems to be capable lot of different functions and thusfore it might be tricky to setup

@Cry: The problem you're facing is called NAT Reflection and if you search the forum you'll find more about how to deal with it. Wow, just one check box, thanks :) That's exactly what I wanted to do.

@jimp: Actually NAT+IPsec is still not possible even on 2.0. If you have overlapping subnets and you are forced to use IPsec, you'll need to setup a second box to translate through, like so: Main Firewall, IPsec tunnel between "fixed" subnet and remote site, LAN interface as usual, second internal interface on the "fixed" subnet. Second "VPN" firewall sitting on the "fixed" subnet on its "WAN" connected to the main firewall. LAN subnet is the same as the LAN side of the main firewall, but a different IP. This box's job is just to translate between subnets. Main firewall gets a static route that points traffic headed for the remote subnet to the VPN router instead, which should make the NAT happen, and then when the NAT goes out via the main firewall it's on the right subnet, will match the IPsec SPD, and go over the tunnel as you like. That method should work on 1.2.3 or 2.0. Maybe this post will give some tips about implements it in one box http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

Can you tell what you want to do with pfsense? If only firewall normal internet trafic, then you don't have to handle outbound nat etc

Thank will I try.. :-)