Did you bother to read the text of the entry?

Horribly slow/aint worning from outside the pfsense… From inside/behind router... works perfect...

@javerleo: I will capture SSL traffic on OPT interface to be sure that data packets are allowed through pfsense into next router. And that there is answer back ;)

" But i have got additionally external static ip and will do 1:1 NAT for this purpose" How does 1:1 Nat solve your problem?  Other than just sending ALL unsolicited traffic to your ftp server - sounds like a REALLY bad idea to me ;)  This works for passive - but how would it work with active if your ftps client is sending private IPs because he is behind a NAT? If you want passive to work, no helper it is very simple.  You need your ftp server to hand out its public IP address..  See below example of this setting.  Along with using a specific port range that you forward to the ftp server. For active you just make sure that source port of 20 is allowed outbound to any port it wants. As to running both normal ftp and ftps – most ftp servers allow this, they are different ports and sure the server should be able to listen on both at the same time. [image: passiveftp.png] [image: passiveftp.png_thumb]

Thanks for your reply.  I forgot to mention that I have another interface on pfsense that has the IP of the gateway, but as you point out, it will never try to talk to it.  Even adding a static route on 172.16.c.d won't help if it still thinks it's local to that subnet. Is there anyway to do this then?  I really want to avoid re-addressing.

Does not matter where the port forwarded is added, its the route the box your forwarded too takes in answer.

No you can not forward to 2 different IPs from 1 public IP to the same port.

@gderf OMG thank you so much, I've been struggling with this for weeks trying to get this to work correctly !

I am a volunteer working with INF in Nepal - buy a Christmas gift for someone from our catalog at http://secure.inf.org/gifts/usd/  :)

There you go. Ping uses icmp and dns uses udp. Glad you found it. Steve

You could try assigning an actual interface to the OpenVPN client - then it will become OPTn. Then you can put the manual outbound NAT rule/s specifically on this OPTn interface and it should then apply only to the OpenVPN client link, and not be mixed up with the Road Warrior server.

@jimp: It's been there a long time… mmh, seems I must put my glasses off. Yesterday and last time I haven't seen it when opening this page…  :-[ Thanks ;)

@johnpoz: there is really only a handful of protocols that use a specific source port..  Off the top of my head, ntp comes to mind.. quite often this can be clientip:123 –- serverIP:123, you sometimes see zone transfers in dns be setup so source port is also 53.  But I don't think that is default or standard. Really the only one of the top of my head were you see sameport -- sameport is ntp.  While normally with ntpdate command you will have client be a randomport to 123. In a ftp active connection, yes the server will come from a source of 20, but the client will tell it what port to connect to - normally something random above 1024, since users should not have the rights on the client box to listen on ports < than 1024 since those are privileged ports. So your working now? Yes!

I have two sets of IP, first one is just one pack of static and the second of is 5 pack of static. SO i set up using only my one pack.  my WAN IP as X.X.32.58 / 30 with gateway of X.X.32.57. works fine. i went to VIP, sent up IP Alias X.X.222.226 /29 now when i setup NAT1:1 everything works fine. i can set up IP ranges from 226-230…... Now going back to my original problem. for the the single IP the X.X.32.58. I changed the WAN to X.X.222.226 /29 with a gateway of X.X.222.225, works fine, I DELETE VIP. i got to 1:1 NAT setup X.X.225.228, works fine, X.X.225.229 works fine, X.X.225.230 works fine. but still when i do X.X.225.227, my computer loses access to the internet. local works, This is the problem i am having. why am i losing one STATIC IP? More INFO. Changed the WAN IP to  X.X.222.230 /29 with a gateway of X.X.222.225, now when i setup 1:1 NAT  X.X.225.226, X.X.225.227, X.X.225.229,  everything works fine... Does anyone think this is a BUG, when i setup WAN to be the first IP of the pack 226, i lose 227, but 228, 229,230 works. if i setup WAN to be 230, i can use 226,227,228,229. basically everything.

@johnpoz: Where did you come up with anti syn flood??  From the nonsense you tried to apply to the lo interface, I have a hard time believing you even know what a syn is to be honest ;) Do you have a link to this gameserver software that is in english?  That I could take a look at?  Like I stated I can not seem to find anything about XJSJ Now Do you have a chat messenger. For example skype or yahoo. So I can contact you for help