@KOM:

A port forward.  Post your NAT and sanitized WAN rules if you're having problems.

Thanks again KOM. Took a bit of trial and error, but I got the Virtual IP created for the public IP, created the Port Forward NAT, and WAN Firewall rule. I also had to modify the default 0.0.0.0 route on the netscaler to point to the pfSense FW instead of TMG. I was able to test from my Azure Windows 10 client and Citrix XEN services all worked like a charm!

-SK

Then you probably have some other rule performing that NAT to 10.10.100.11 instead.

Post screenshots of your port forwards, your 1:1s, and your rules.

Or:

Diagnostics > Command Prompt

cat /tmp/rules.debug

Send that output to me in a PM.

I ran into this same issue after upgrading from 2.1 to 2.3.2 as well. Here's how I resolved it (I used the information from your example);

(NOTE: Replace "pfsense.local" in the links below with the IP Address of your pfSense Installation.)

First, you want to create a Firewall IP Alias (https://pfsense.local/firewall_aliases_edit.php?tab=ip) with the Source IP's you want to allow access from.

Next you want to create your Firewall NAT Port Forward (https://pfsense.local/firewall_nat_edit.php) using the "Single host or alias" option for the Source, and then input the name of the Alias you previously created (pfSense will show you what it has saved once you start typing the name).

NOTE: You will want to delete any Firewall NAT Port Forwards that are currently using the same Port and Destination IP's you are going to use.

Continue to setup the Firewall NAT Port Forward as normal.

Done.  8)

Keyword Search Information:
pfSense NAT "the destination port range overlaps with an existing entry"
pfSense NAT multiple source addresses to single destination port
pfSense NAT multiple source IP to single host

pfSense_-_Firewall__NAT__Port_Forward__Edit.png_thumb
pfSense_-_Firewall__NAT__Port_Forward__Edit.png
pfSense_-_Firewall__Aliases__Edit.png_thumb
pfSense_-_Firewall__Aliases__Edit.png

When you are dealing with overload NAPT you need to have enough IP addresses so you can handle every WAN_IP:PORT+DEST_IP:PORT combination. That increases the number of states a particular WAN_IP can serve dramatically beyond 65535.

Thanks for the tip! I was trying to find an easy way to verify that my virtual IP was actually working. It's not.
I will call my ISP and see if they can help me out.

Thank you both for your time.

"I wish I had a dollar for every person who thought they found a bug in pfSense but it was really a misconfiguration."

hehe - if that could only go to help fund pfsense ;)

Do you have additional packets installed like Snort, Suricata or pfBlockerNG?
If so, deactivate it for troubleshooting.

lolz.. i feel like a f***cking idiot..im sorry i had dyslexia i messed up on the NAT i put 192.168.1.6  instead of 192.168.1.210..

Thank you again..

Correct. You should be fine if the IP for the Cisco is not used on the pfSense box.

thanks guys i set up vpn its better all is well you guys saved my Job im in yout debt

1. How to configure NAT

https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

2. How to access forwarded port: 172.10.10.11:2222 or 172.10.10.10:2222

Via your WAN IP:2222

Thanks, will try another browser.

EDIT: Same issue in Opera and Chrome, but worked in Firefox, thanks.

Is this happening to anyone else?

Not that I am aware of.

any ideas?

You've given us nothing in the way of details.  I'm not even clear if you're talking about people incoming getting the wrong server from your network, or your LAN clients going to some external website and getting something else.  List the packages you're using.  Explain exactly what's happening and not just a vague, abstracted description.

If someone remote must access the SQL server, make them use a VPN to do it.

Never expose any database directly to the world.

You have setup NAT for everything you need, but L2TP+IPsec is known to have problem in general (not related to pfSense) when the server is behind NAT.

Use something more modern and less problematic, such as IKEv2, or if you need the server to be Windows, SSTP might be able to work as well, though it can also have NAT issues.

Hello my friend I'm Sorry if I'm Bothering you , but I'm new with the GnuGk and with Pfsense thats why I'm  facing  problems in order to make the call establishment between two end devices one is behind LAN network and the other behind the WAN  network.

Sorry maybe I didn't understand what is your network and how you did configured it , did you register your device  with your GnuGk installed in the pfsense or you Register it in another place, I believe that to establish a call between 2 end devices they must be registered with the same Gatekeeper so that the Gatekeeper will route make the call establishment between the 2 users since it will know the IP and ext. number  for both end devices.

Actually I have some questions beyond your suggested solution and I found that  your solution does make sense , so I need your help and I need to benefit from your experience if there is no problem :)

1-where did you Register your devices , if you have 2 devices one behind the firewall and the other is outside your network and they want to call each other , do they need to be registered with the GnuGk ?

2-what is the benefit of installing GnuGk in the pfsense

3-Can you show me your GnuGk configuration file because I think I missing something

4- You said in your report that If someone phoned from an external device to your device, dialing must be: your IP##ext number such as 8.8.8.8##5693 where I should configure this option so that I can Dial using this syntax.

Thank you for your appreciative efforts :)

Ohh, of course, it would be in connection with the tunnel rather than NAT.  :-[ Thanks! Appreciate it. :D