  • Source port rewriting

    0 Votes
    6 Posts
    3k Views
    Derelict

    A static source port will not help keep a session for an expired state alive. If this is an inside PBX to an outside SIP trunk provider, this problem is generally handled by re-registering with the SIP provider every 45 seconds or so.

  • Single port forwarding to multiple machines

    0 Votes
    5 Posts
    1k Views
    johnpoz

    ^ Yes, this is a much better way to do it.  This is how I access anything on my network.  I don't have any forwards other than to my NTP server, which is a member of the NTP pool.

  • Clients behind Pfsense cannot list external ACTIVE FTP servers

    0 Votes
    7 Posts
    2k Views

    Relax.

    Stuff I've read before making that post. Hence the doubt.

    Thanks for the help.

  • IP Phone on LAN - how to DMZ it out?

    0 Votes
    9 Posts
    2k Views
    johnpoz

    DHCP is used by pretty much any device.  But your pfSense should be providing DHCP, or some other device on your network.  Either way, there would be no reason to have to create a rule for this in pfSense, since if you enable DHCP the rules are created for you automagically.  If you're running it elsewhere on that network, pfSense has nothing to do with DHCP.  It might be noise in your logs is all.

    No, you don't need to dig into every little detail, but you do need to understand the operation of the device you want to put behind a NATing firewall.  Or yeah, you're going to have issues..

    "Panasonic phone system PDF is saying that it uses port 2427"

    So did you forward that port?  It was not in the list in the link you provided.  So either you forwarded it and you're working fine, or you didn't and it's not actually needed, since again you said you're working fine.

    Placing a box in a DMZ as per your Walmart router's setup is a BAD idea no matter how you look at it..  And it's not really a DMZ with those devices; it just forwards all unsolicited traffic to that IP.  A DMZ'd box would be firewalled off from the rest of your network, etc.

    That little feature is great for those types of routers, since they are designed for your typical user who has not a clue.  So they give them an easy way to just forward everything to a box if they are not bright enough to figure out which ports they need.  pfSense is not designed with these sorts of users in mind.  But you could do the same thing if you so desired.  Just forward all the ports, both TCP and UDP, to your box and there you go, same mode of operation as your Walmart router's DMZ host function.

  • Dropped packets when using pfSense, Apple laptop, and WiFi

    0 Votes
    10 Posts
    2k Views

    Problem is provisionally solved:  we disabled IPv6 on WAN and LAN.  (WAN was set to DHCP6, and LAN was set to Track Interface.)

    Since I was never able to get IPv6 working (Comcast Business Internet), this isn't a big loss for the moment.

  • Can't forward HTTP

    0 Votes
    28 Posts
    6k Views
    johnpoz

    I also like the idea of being able to toggle display of the automatic rules created, for example the DHCP rules that get enabled when you enable the DHCP server.  Maybe it is confusing to some not seeing the default deny that is always there??  But I have never seen a firewall that was not default deny.  It is really a given that if there is no allow rule, it's denied.

    But what I am sure of is that rule was not automatically created; the OP at some point created that rule, or allowed it to be created by some package like pfBlocker and then removed the aliases that would have been included, etc. ??

    The point about the default deny not having quick set does present some problems for logic to parse the rules correctly for graphical display, I guess.

  • Same WAN port, multiple IPs?

    0 Votes
    19 Posts
    5k Views

    Oops,
    I just reread the previous posts. I see now the solution is with Virtual IPs. Implementing that now.

    Thanks again for everyone's help!

  • FTP behind pfSense

    0 Votes
    10 Posts
    5k Views

    :) I already felt that I had not correctly understood the meaning of this package. Two configurations because I do not want problems with possible reconfiguration of FTP clients.

  • NAT port 21 not working (Ver 2.3.1-5)

    0 Votes
    3 Posts
    981 Views

    That explains it exactly … Problem solved.

  • [SOLVED] Weird SSL issue

    0 Votes
    5 Posts
    2k Views

    Oh, I feel like such a fool.  Turns out our internal DNS service (WINS as well) was not running (following a server restart on Tuesday), but we didn't notice until this morning after restarting a few other servers, and they refused to let us log in afterwards. I would guess either the firewall was trying to look up the IP of the web server(s), getting no response and trying to be helpful, or the web server(s) were trying to do lookup(s), getting no response and giving up.

    Many apologies John, please accept a karma for your troubles.

  • [RESOLVED] Outbound NAT not working on BGP Internet connection

    0 Votes
    2 Posts
    1k Views

    Resolved.

    BGP connection: em0
    LAN connection: em1
    Announced WAN connection: em2 (Routed WAN block Class C)

    The VIP assigned is WAN IP 62.55.55.1 (CARP) on interface em2.
    The Outbound NAT interface should be the BGP interface em0.

    NAT Translation address should select the VIP 62.55.55.1 (which is assigned on em2).

    The NAT translation problem was caused by the NAT interface being assigned em2 which is the routed class C network.  Changing the NAT interface to the BGP interface em0 resolved the problem.

  • Redirect port 80 to (remote squid) port 3128

    0 Votes
    1 Post
    1k Views
    No one has replied

  • Split DNS vs NAT Reflection

    0 Votes
    2 Posts
    2k Views
    johnpoz

    What does NAT reflection have to do with redundancy?  So you're saying your public FQDN points to a different IP if site A becomes unavailable?  Your DNS changes to point to site B?  If so, that might be an actual use case where it makes sense to use a public IP.

    But since your users are going local anyway, what is the likelihood that their local site is down and you would want them to go to some remote site?  What if their internet is down and they cannot even resolve the public DNS?  In the case where you use split DNS, your local users would still have access to the site you're hosting locally, etc.

    Set up your local DNS to direct to another site as well if it goes offline..  Not that hard to do with a simple script to check and change the record.

    As to a firewall rule.. If you're on the local segment, you can put all the firewall rules you want into pfSense; that doesn't stop me from talking to the box that is on the same L2 as the user..  Whatever rules you are putting in place for WAN are not taken into account on a NAT reflection anyway.  Now if you put your httpd on a segment different from your users' local one, then sure, you can firewall segment A from segment B, and you're still not doing NAT reflection.

    Your possible use of an FQDN that resolves publicly might be a valid use case, but without understanding the details, prob not.  If users in site A cannot get to site A because it's down.. you more than likely have a problem with site A that is prob either of higher priority than the site A service not being available to the public internet, or could also prevent them from getting to site B, etc.

    If your failover detects that site A is down because it cannot get to it from the public internet, because the public internet is down at site A, how do users know to go to this other site, or even get there, or resolve this public IP in the first place?  So you're saying the local site has the public IP already; if so, how does it change to the failover site?

  • NAT Reflection, if I can't use Split DNS?

    0 Votes
    6 Posts
    2k Views
    johnpoz

    As to trying NAT reflection?  Why?  It's pointless, and to be honest an abomination to good networking.. pfSense should just drop the support altogether like they did with the FTP proxy/helper ;)

  • PfBlocker alias join for NAT with source filter

    0 Votes
    7 Posts
    2k Views
    BBcan177

    See the following:
    https://forum.pfsense.org/index.php?topic=117744.0

    Also, you won't be able to mix IPv4 and IPv6 in the same Alias, unfortunately.

  • Nat Pool Question

    0 Votes
    2 Posts
    792 Views
    Derelict

    What do you mean released back into the pool?

    You can either 1:1 NAT inside to outside address or create a pool of outside addresses and let algorithms determine which outside address to use for outbound requests.

    You can, however, tell outbound NAT to use the same outside address for connections from a particular host until there are no states left from that host.

    Round Robin/Random with Sticky Address:
    Selects an address at random, but maintains the same translation address for a given source address as long as states from the source host exist.

    This explains it all:

    https://portal.pfsense.org/docs/book/nat/outbound-nat.html

    Also:

    https://doc.pfsense.org/index.php/Outbound_NAT#Address_Pool_Options

    Lots more options there. One of which might be a better fit since I can't really tell what you're asking.

  • Default deny rule IPv4 is blocking my LAN to my DynamicDNS

    0 Votes
    6 Posts
    2k Views
    johnpoz

    Open up the resolver or forwarder, whichever one you're using, scroll to the bottom and there you go: host overrides..

  • Can not open port

    0 Votes
    3 Posts
    2k Views

    Thanks, KOM.

    NAT OK, but I forgot to activate services on the destination IP for the NAT.  ;D

  • 1:1 Nat, with VPN

    0 Votes
    2 Posts
    969 Views
    johnpoz

    Huh??  What are you trying to accomplish exactly, and why??  You need a 1:1 for why?  Can you not just port forward?  Why does a client behind pfSense have a VPN connection?  Why would you not run the VPN connection on pfSense, and then your whole network could use it if you wanted, or you could just policy route specific machines or specific dest/ports to use it, etc.

  • Open VPN NAT driving me crazy

    0 Votes
    10 Posts
    4k Views
    johnpoz

    That is something you might want from a road warrior VPN into your own network.. Not for a VPN designed to hide your traffic from your ISP/local network, hide the IP you're coming from to the sites you're going to, and circumvent geographic restrictions.

    For what possible purpose would you need L2 connectivity to some VPN service??  Completely, utterly broken!!!  Who/what would you be broadcasting for?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.