That solved the problem. Thank you!

Regards,
Krzysztof

Can you give us some details about your WAN setup and all WAN public IPs that you have (real interface IP and virtual IPs, type of WAN conection)?

For the different virual IP types:

CARP

Can be used by the firewall itself to run services or be forwarded Generates Layer2 traffic for the VIP Can be used fo clustering (master firewall and standby failover firewall) The VIP has to be in the same subnet like the real interfaces IP

ProxyARP

Can not be used by the firewal itself but can be forwarded Generates Layer2 traffic for the VIP The VIP can be in a different subnet than the real interfaces IP

Other

Can be used if the Provider routes your VIP to you anyway without needing Layer2 messages Can not be used by the firewall itself but can be forwarded The VIP can be in a different subnet than the real interfaces IP

Hope that helps a bit.

Other

Search the forum for "static port". You have to add an outbound nat rule for this and enable advanced outbound nat at firewall>nat, outbound.

http://www.firewall.cx/vlans-links.php for some vlan info as hoba said. I've just placed a ordered for a http://www.hp.com/rnd/products/switches/ProCurve_Switch_1800_Series/overview.htm

or if all the pc are located in the same room go with more lan nic's to save some money.

a diagram would be useful –-wan-----pfsense or use http://www.gliffy.com

thanks.  congrats!

after 1.0.1-SNAPSHOT-03-08-2007 snapshot update problem resolved.
(but, i think nat reflection problem exist, may be)

previous connection setup:
lan to dmz connections used nat real ip (real wan ip)
currently internal ip (opt ip)

example:

previous setup:  (my ordinary setup)
nat reflection enabled
nat: 212.x.y.93 -> 10.6.1.93 = port: 21 (used auto created rules)
lan clients connection 212.x.y.93 success, but 10.6.1.93 not succes
(wan to ftp server connection success)

current setup:
nat reflection enabled
nat: exactly
lan clients connection 10.6.1.93 success, but 212.x.y.93 not success
(wan to ftp server connection success)

if true, this is my new ordinary setup..

PF (the filter used by pfSense) scrambles ports for advanced security by default. Some VOIP-Providers don't like that. Have a look at the following links how to shut down this behaviour for your VOIP-Phone:

http://forum.pfsense.org/index.php/topic,104.msg5876.html#msg5876
http://forum.pfsense.org/index.php/topic,1047.msg12752.html#msg12752

There are other threads covering this too. Search for "static port" if you still have questions.

Glad you got it working finally  :)

Try unchecking "block private IPs" at interfaces>wan.

You only create the portforward at wan so lan will be untouched. However if you want to make the webgui available at wan later you probably should use another port for it (and of course use https for it).

Scrambling ports is done as an extra security mechanism.

This is currently not supported.

use the cnet adsl router as a bridge ? ..

I got a do not know, and its so hidden so i cant be cba to check it, but its set as bridge, so the pfsense get the wan adress directly. :)

82.xxx.xxx.68                  82.xxx.xxx.68                192.168.1.0/24
Adsl modem/router –--->  Pfsense  -------> Smc DT1024Ez------------> Wlan router as bridge
                                          |                          24 Port switch-------> all other interfaces/comps/eq such as printers,computers, etc.
                                          |---------------|
                                        DMZ                  |
                                      192.168.0.0/24      |--------Restricted User lan 192.168.1.0/24 with stronger rules than my normal lan
                                      Cisco 800S                        Dlink managed 16 Port
                                      4Port                                |
                                      |                                    |
                                      Windows server 2003---------

Okey, i know u wont have to have so damn advanced, but here can ya see some bridging rules, im gonna change the 192.168.1.0/24 restricted user lan adress and rules though.

Well, use bridging, its kinda fun ;D instead of having vlan and such damn annoying extra things that can cause extra issues with applications or port forwarding..

Then your provider either uses a proxy to fix it at their end or uses IAX which is NATfriendly.

I experience the same issue with 1:1 NAT, regardless of whatever I try under pfsense 1.01.  Any ideas how I might go about troubleshooting this issue?

Thanks for favourable reply

Dropping the PIX setup is not an option. The PIX are already in a dual failover configuration, the support is paid up for this year, and migration and verification of the thousands of rules on the PIX to pfSense would take more time than I am willing to commit at this point.

Is what I am trying to do with pfSense doable with the current version? If it works, it would be a great intermediate step.

Thanks,

Sean Harbour
sharbour@nwresd.k12.or.us