• PfSense in front of two VLANs, one public, one private

    2
    0 Votes
    2 Posts
    917 Views
    DerelictD
    Can the datacenter provider assign a /30 for your WAN interface and route the /27 to it?  That'd be a lot cleaner. Otherwise: from the pfSense book (I hope it's okay to cut and paste small excerpts): Single IP subnet With a single public IP subnet, one of the public IPs will be on the upstream router, commonly belonging to your ISP, with one of the IPs assigned as the WAN IP on pfSense. The remaining IPs can be used with either NAT, bridging or a combination of the two. To use them with NAT, add Proxy ARP, IP alias or CARP Virtual IPs. To assign public IPs directly to hosts behind your firewall, you will need a dedicated interface for those hosts that is bridged to WAN. When used with bridging, the hosts with the public IPs directly assigned must use the same default gateway as the WAN of the firewall, the upstream ISP router. This will create difficulties if the hosts with public IPs need to initiate connections to hosts behind other interfaces of your firewall, since the ISP gateway will not route traffic for your internal subnets back to your firewall.
  • Proper NAT/Firewall configuration for running Asterisk module on pfSense

    1
    0 Votes
    1 Posts
    626 Views
    No one has replied
  • DMZ: different Servers / different external IPs

    5
    0 Votes
    5 Posts
    1k Views
    L
    Thanks for the answers. I'll choose the outbound NAT because I think the firewall's work should be done by the firewall ;) Question: I made aliases for my static WAN IPs. Do I need to tell pfSense somewhere that they belong to the WAN interface? The WAN interface has an IP like x.y.z.98, the rest are 99-102 (97 is my gateway, which is in the WAN interface configuration).
  • Manual (AON) back to Automatic

    9
    0 Votes
    9 Posts
    2k Views
    C
    Yes, and it works at least for company machine name resolution for the road warriors. Best, Kostas
  • Lan 1 to Lan 2 Connection Fail

    45
    0 Votes
    45 Posts
    13k Views
    johnpozJ
    I know what tcpdump is ;) and how to run it.. And again you're saying it's not there.. So let's clear up where you're running it.. You have client – pfSense -- server, where you're telnetting from client to server.. So which interface are you running tcpdump on? The client side or the server side? You need to run it on the server side.. If you're running on the server side and you see packets go out to the server, and wireshark/tcpdump running on the server shows it sending replies to that traffic but you don't see those reply packets on pfSense, then I'm 110% sure pfSense has NOTHING to do with your issue. All I can say is this takes all of 3 minutes to set up.. There is NO NAT between local networks.. And it's simple firewall rules to allow whatever traffic you want. As I showed you when I changed my DMZ segment to 172.15, I assure you that pfSense supports this setup, so you're doing something wrong in the config. Or you have something else wrong on your network. I would be happy to TeamViewer in and take a look if you want. Back to the tcpdump -- if you run it on the server side and see the return traffic, but don't see it on the client side of pfSense, then yeah, something is wrong with pfSense. So which exact interface are you running the tcpdump on in pfSense, client or server, labnet or homenet.. Where, if we can keep your networks straight, homenet is the client side and your telnet server is on the labnet side.
  • [Solved] Port forward to a different port number

    5
    0 Votes
    5 Posts
    1k Views
    I
    Thanks, Phil, that was it. The rule was added to the bottom and an earlier rule blocked the traffic. Easy. Thanks for your help.
  • IPSec VPN - NAT to DMZ host

    2
    0 Votes
    2 Posts
    2k Views
    M
    You may need to add a second phase 2 entry for your IPsec tunnel that enables routing to that subnet. Can you post screenshots of your IPsec configuration from the pfSense side?
  • Cisco vlan switch port forward for access from internet

    6
    0 Votes
    6 Posts
    2k Views
    X
    Solved it by setting a default gateway on the Cisco switch to the pfSense box. Thanks johnpoz for the help.
  • [Resolved] Port forwarding from secondary IP Address

    2
    0 Votes
    2 Posts
    894 Views
    E
    Never mind. I found out how to do it with this video on YouTube using Virtual IP Aliases: https://www.youtube.com/watch?v=zrBr0N0WrTY
  • [HELP] Reverse Proxy Not Working

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Need Reflection/Rule for IP Camera/ffmpeg - pfSense 2.1

    6
    0 Votes
    6 Posts
    3k Views
    johnpozJ
    Ok, so what ports are you trying to use for http and this media port.. On the website they show using 8080 for the http and 888 for the media port. This would be the port I assume the rtsp:// uses.. Have you forwarded this port as well for TCP and enabled NAT reflection? What is not working, do you not get the web page of the camera to log in? What is not working exactly.. And can you post up your NAT rules and firewall rules.
  • Xbox one strict nat

    5
    0 Votes
    5 Posts
    2k Views
    J
    I am wanting to open my NAT on my Xbox One, and I only have the one gaming console. I was looking through the forum and found how people have done this. I have tried port forwarding with no luck. I am now looking at UPnP, as this is what seems to work for Xbox One. One of the stages of this method was to change to outbound NAT. Previously my Xbox 360 had an open NAT with automatic NAT, but I was under the assumption the Xbox One was different. Cheers
  • Outbound NAT with Virtual IP

    2
    0 Votes
    2 Posts
    2k Views
    A
    Update: I found that if I change the IP address of the Virtual IP (IP Alias), one (and only one) machine in the appropriate access list will go out over that connection, but it is NATted to the IP address of the first Virtual IP. I also configured the two cable modems exactly the same (with the exception of the IP addresses) and can get to both of them now.
  • Port forward smtp with multiple sources

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Firewall > Aliases, add the IP addresses/networks of the provider. Then in the WAN rules: pass TCP from (that alias) to (your mail server) port 25.
  • Bridge LAN interfaces -> WAN NAT fails for one interface

    5
    0 Votes
    5 Posts
    2k Views
    P
    Since you are seeing packets leaving the WAN interface still with private LAN IPs, the firewall rules must be passing the traffic OK. Look in /tmp/rules.debug and see the rules that mention NAT. If you can't make sense of them yourself, then post them, along with a bit of detail on what IP address(es) are set on which interfaces.
  • When to port forward

    2
    0 Votes
    2 Posts
    1k Views
    P
    You need to NAT anything with a destination that will not know how to reply to the source address. The usual cases are: a) Traffic with a private source IP going out to the public internet. b) Traffic from "MyLittleLAN" to "BigCorporateLAN" when "BigCorporateLAN" has routers that don't have routes back to "MyLittleLAN". This typically happens when BigCorporateIT won't let LittleBranchOffice set up extra LANs for something, but LittleBranchOffice is going to do it anyway, and will thus just NAT into BigCorporateLAN. Port Forward is needed when the clients have no way to directly address the destination system, and thus need an intermediate place (the pfSense) that they can reach, and pfSense is able to reach the real destination system for them (or at least reach the next device in the chain that has another port forward… to eventually get there). I guess in a way they are used in the opposite situations: NAT when the source can reach the destination, but the destination cannot get directly back to the source. Port Forward when the source cannot reach the destination, but the destination can get directly back to the source.
  • Multi Vlan on 1 lan or multi lans?

    1
    0 Votes
    1 Posts
    807 Views
    No one has replied
  • Ooma VOIP Adapter on DMZ

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Port forwarding not working in pfSense 2.1-RELEASE (amd64)

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ
    Well, I show that resolving:

        ;; QUESTION SECTION:
        ;vpl.si.                        IN      A

        ;; ANSWER SECTION:
        vpl.si.                 3600    IN      A       193.77.54.181

    And show it serving up html:

        wget vpl.si
        --2014-01-06 09:27:03--  http://vpl.si/
        Resolving vpl.si (vpl.si)... 193.77.54.181
        Connecting to vpl.si (vpl.si)|193.77.54.181|:80... connected.
        HTTP request sent, awaiting response... 200 OK
        Length: 3023 (3.0K) [text/html]
        Saving to: ‘index.html’

        100%[======================================>] 3,023      --.-K/s  in 0.02s

        2014-01-06 09:27:03 (175 KB/s) - ‘index.html’ saved [3023/3023]

        cat index.html
        <title>VPL - metalizacija, zlatenje, srebrenje, lakiranje, brizganje plastike in orodjarstvo</title>

    So seems to be working to me - as stated, if you're trying to access your public IP from the LAN side then you need to make sure NAT reflection is enabled.
  • Cannot copy files via static route

    3
    0 Votes
    3 Posts
    2k Views
    S
    Thank you very much! Your answer was very helpful. Now I begin to understand what was going on in my network, which was really starting to drive me crazy. The firewall rule with the option "sloppy state" (a) didn't help, but the manual NAT rule (b) seems to have solved the problem. Now I can transfer files without any issues. :) That all traffic now seems to come from one IP is no problem for me. You just made my day! Maybe your proposal "c" would be even better, but my router is an Alix box with three built-in NICs (which are already in use for WAN, LAN and DMZ) and no expansion slots. So I will have to stay with the NAT solution. Many thanks again!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.