• Concerns about automatic outbound NAT rule generation
    0 Votes · 9 Posts · 17k Views
    That sums it all up. John, I want to thank you for all your help. You were very patient with any of my questions, no matter how basic they were. I hope you keep on doing this great community work and helping people, new or not new, with pfSense. Without your assistance I wouldn't be able to get all those questions answered. So, yes again. Thank you very much!
  • Outbound NAT issue
    0 Votes · 2 Posts · 986 Views
    My guess for this is that 1:1 NAT takes precedence over the outbound NAT rules and passes all the traffic for this server out on 195.xxx.xxx.58. I changed this from a 1:1 NAT to port forward just ssh and it seems to be routing all traffic out of 195.xxx.xxx.61.
  • NAT reflection with name instead of IP?
    0 Votes · 5 Posts · 2k Views
    Just thought I'd update this as I've found a solution that works for me. The key seems to be enabling a few DNS forwarder options as follows: [image: 2014-01-03 at 1.59 AM.png] Then (the piece I was missing before), add some additional forwards with the LAN IP as the destination, since this will be the result of the lookups: [image: 2014-01-03 at 2.01 AM.png] So, now I can use the same names when I'm local, using the DNS forwarding and local NAT forwards, as I do when I'm outside. Problem (apparently, for me anyway) solved!
  • 1:1 NAT shows no traffic in GUI?
    0 Votes · 2 Posts · 870 Views
    @mudmanc4: While running heavy testing on a hardware node behind pfsense, with a block of static IPs NATted 1:1 to CTs, I noticed the network graph shows no usage, while the actual usage was pushing 580Mbps. Is this normal / expected behavior? Thanks, Rick
    Check the RRD graphs. I've been having an intermittent issue on this as well with an IPSec tunnel. At times there will be only a trickle of traffic on the real-time graph but it shows as expected on RRD.
  • Connect two ESX hosts via VPN behind NAT
    0 Votes · 1 Post · 1k Views
    No one has replied
  • Manual port forwards not working on 2.1.
    0 Votes · 3 Posts · 2k Views
    It turns out that I did have everything set up properly, but the server I was running was suffering an error in the background that I never noticed. I have everything working now; although the port still says blocked, I am able to connect to 10.0.0.15/25000. Just need to have a friend connect from the outside to test.
  • NAT to wireless antenna
    0 Votes · 1 Post · 896 Views
    No one has replied
  • NAT issue with secondary node
    0 Votes · 2 Posts · 838 Views
    To add further clarification… I'm not running a dynamic routing protocol between the pfsense nodes and the ISP routers. I'm using a static route that points to the CARP VIP on the WAN segment.
  • NAT crash
    0 Votes · 2 Posts · 928 Views
    Pure NAT mode scales much better than proxy mode by the nature of how they function. If you have a lot of reflected connections, don't use the old NAT+Proxy.
  • Need to port forward another subnet's private IP to pfsense WAN IP
    0 Votes · 1 Post · 1k Views
    No one has replied
  • 0 Votes · 1 Post · 1k Views
    No one has replied
  • SOLVED seeks port forwarding help please!
    0 Votes · 7 Posts · 2k Views
    @johnpoz: What does your NAT "reflection policy" have to do with the pointless act of double NATting? If pfsense is your WAN router, why is it behind a NAT? Why do you think you even need NAT reflection? Why do you think you need to access your services that are on your private LAN via the pfsense WAN IP? Why? Why not just use their actual local IP, or set up your name resolution to resolve whatever FQDN you want to point to the local IP you want to access when you use that FQDN? NAT reflection has nothing to do with the actual port forward. You can make double NAT work, but it's rarely a good idea and even more rarely required. What is there to learn in NAT? You're taking an IP and port on WAN, and sending it to a different IP and quite often the same port, but sometimes a different port. The GUI is designed to click through in about 3 seconds and you're done. The only reason yours isn't working is you changed shit that didn't need to be changed. If I click to add a new NAT it defaults to the WAN address; why did you change that? Here you want a super ultimate NAT guide.. See attached. Those are normally the only parts of that NAT GUI you need to touch. You might need to change TCP to UDP, or maybe you need TCP/UDP, etc. But quite often it's just going to be TCP. Then you put in your port number, your IP and port number again. It really should take you all of 5 seconds to create a port forward. What part of this does not click?? And I will be happy to explain it. It's not rocket science..
    Just tried this today from an external network after redoing my NAT rules. I guess thinking about your questions taught me some lessons about what I'm doing. It was appearing as closed because I was trying from the same network, and I did double NAT because of a pfSense YouTube tutorial :) Live and learn, anyway thanks bud
  • About access to the internal server
    0 Votes · 5 Posts · 1k Views
    johnpoz: And who says he is not NATting? I bet you all the presents Santa is bringing that he is NATting. Users just love their double NATs ;) By default pfsense NATs, so I find it unlikely he disabled this and set up routing on this router in front of pfsense and didn't bother to mention that in his post? Sure you can double NAT.. Just make sure you forward the ports you want, and make sure to disable the block RFC1918 rules. And you will have to use the pfsense WAN IP to get to the boxes behind pfsense. If you are not NATting.. Then you need to set up the routing correctly on your other router, or set up host routing on your 192.168.3.3 box if you expect to get to 192.168.1.anything through the pfsense WAN IP, and also allow the traffic you want in your firewall tabs on pfsense. You will also, as mentioned, need to make sure the firewall, if there is one on your box behind pfsense, allows the traffic from a network that is not local to it.
  • Add /29 block to single WAN with existing /30
    0 Votes · 5 Posts · 1k Views
    mudmanc4: @eshield: Well, you can bridge WAN and LAN … so you'll be able to assign a routed IP to any intranet PC. Never tried this myself but I think it should work. There is a possibility that you'll lose some functionality but I'm not sure.
    Thanks shields, not sure if I want to try something like this though. Keeping all ports and traffic separate is key here, as each IP points to a single container on one of various nodes. As it stands at the moment, port holes are punched and defined to a specific VM / node. I just always look to ensure not only usability / connectivity is there, but security and proper formation. At some point soon I'll need to add a switch and separate with VLANs, and attempting to bind such interfaces would be something not in my realm of sanity. Thanks, Rick
  • Redirection
    0 Votes · 2 Posts · 667 Views
    jimp: The details are too vague to answer accurately. Are those two IPs really in the same subnet? Or is one an external IP and the other an internal IP? Is that subnet on WAN or LAN? What is the relationship between those two IPs and pfSense?
  • Dynamic DNS with a double NAT?
    0 Votes · 5 Posts · 6k Views
    Ok, with that last bit of information I got to digging deeper, and discovered it was a secondary issue. pfSense can deal with my situation perfectly; however, I use namecheap and was updating a @ record. Based on http://forum.pfsense.org/index.php?topic=67013.0 it seems that handling of those types of records has changed. I removed @.example.net and just used example.net, and it worked perfectly.
  • Blocking IP on port forwarding
    0 Votes · 3 Posts · 1k Views
    because there are multiple malicious accesses.. Ok thank you, I'll try pfBlocker
  • Problems with utorrent, source IP…
    0 Votes · 12 Posts · 4k Views
    johnpoz: My bad - those were edits and I must have missed them ;) About using squid – well, it's sorted so all water under the bridge now ;)
  • 0 Votes · 5 Posts · 1k Views
    Yes… alias, I didn't think of that.. The IPs I want to allow are not necessarily in sequence, they're like 10.0.1.5, 10.0.1.59, 10.0.1.151 and so on... So alias it is ... Thank you very much!
  • Multiple Subnets on one physical LAN NIC question
    0 Votes · 3 Posts · 987 Views
    johnpoz: Yup, VLANs would be the solution here.. Do your switch(es) support VLANs? Or why not just renumber, or even just change the mask: 192.168.1.0/23 would mean you could use 192.168.0.1 to 192.168.1.254, and you would not have to renumber anything, just change their masks. If they are DHCP this would happen automatically. Or if you changed the mask to /21 you could use 192.168.0.1 to 192.168.7.254. Do you have a lot of static IPs? If your network is DHCP, all that is required for a renumber is a simple release and renew of the lease, or just a simple reboot of everything.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.