• Unblocking second LAN interface

    0 Votes
    2 Posts
    1k Views
    johnpoz
    Not sure where you read anything about nats and a second lan interface – I think you read it wrong. Yes, if you were using manual nats you would need to add a nat for that segment to use the internet. Why would you be using manual nats? Just leave it on auto. When you set up a new nic it has no default rules like when you first set up pfsense on the lan. So you need to create your firewall rules for that nic.. Example - I run my wlan on its own segment as well, 192.168.2.0/24. So you see my .230 (ipad) can do anything it wants: internet, lan, dmz.. I allow wlan clients to talk to my printer on 192.168.1.50, could prob lock this rule down a bit more - but it's a printer.. Who cares if they can talk to it on more than just the printer port.. It's not listening on them anyway ;) I allow wlan clients to talk to my ntp server on 192.168.1.40. The last rule says hey, you can talk to anything you want as long as it's not (!lan) the lan segment. So that means it can talk to dmz and internet on anything. So what are the firewall rules you set up for your new wlan segment? [image: wlanrules.png]
  • Port Forward IS NOT Working on pfsense 2.1

    0 Votes
    6 Posts
    3k Views
    Ehmmm, I have a similar problem on nat 1:1. My dmz mail server seems to get nated outside but not inside. Take a look at these packet captures of a connection attempt to google:
    ON DSL interface:
    16:42:21.236894 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
    16:42:21.267025 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:21.487296 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
    16:42:21.517592 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:21.588509 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:21.828523 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:22.188522 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:22.428460 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:23.388629 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:23.628438 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:24.213257 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
    16:42:24.242951 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:24.414444 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
    16:42:24.443562 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:25.790529 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:26.028500 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:29.884252 IP XX.YY.ZZZ.245.1636 > 173.194.35.23.80: tcp 0
    16:42:29.914162 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1636: tcp 0
    ON DMZ interface:
    16:43:24.180029 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
    16:43:24.265809 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
    16:43:24.430940 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
    16:43:24.475723 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
    16:43:24.518007 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
    16:43:27.180431 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
    16:43:27.281005 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
    16:43:27.381596 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
    16:43:27.482185 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
    16:43:27.482214 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
    10.6.107.2 is the mailserver IP in the DMZ
    XX.YY.ZZZ.245 is the virtual public IP (nated) on the DSL interface
    173.194.35.23 is google
  • How to Access my ADSL2 modem?

    0 Votes
    1 Posts
    914 Views
    No one has replied
  • Redirect

    0 Votes
    2 Posts
    816 Views
    I was doing a little research and got to know that this type of redirecting within the same LAN is not possible yet with pfsense.
  • Isp wan config

    0 Votes
    1 Posts
    924 Views
    No one has replied
  • Advanced Port Gateway Rules

    0 Votes
    3 Posts
    1k Views
    I just got it working after spending all last night and this morning doing trial and error testing. I am using Private Internet Access and wanted to get Plex working. I had to create an alias for my.plex.com and then tell the lan rules to take everything to vpn unless plex. I was trying to use the plex port but that was not getting me anywhere so I just started trying the my.plex.com alias.
  • Bizarre NAT issue after virtualizing pfsense

    0 Votes
    5 Posts
    1k Views
    Also make sure that the Windows firewall is set to allow incoming RDP from any address, sometimes it is configured to allow incoming traffic only from the same subnet. +1 to the VPN anyway…
  • Outbound NAT Issue

    0 Votes
    5 Posts
    2k Views
    You are right on your last post. The outbound NAT rules do not force traffic to go through a gateway, you would need to specify it on the firewall rules ;)
  • Help with torrenting please?

    0 Votes
    3 Posts
    1k Views
    @johnpoz: So when you say you opened up 30016 for the lan interface? Why would you do this, when by default all ports outbound are allowed. 2nd, so all these peers you're trying to talk to - they also run their p2p client on 30016? If not, why would you think you need to open this port? Since anyone is free to run their p2p client on any port they want, and many have it just random. When you want to talk to him and say - hey, do you have part X of torrent Y? If you have locked down your lan rules to only allow specific ports outbound, this would explain your issue with p2p. Thanks John.
  • 1:1 and advanced outbound nat

    0 Votes
    2 Posts
    879 Views
    jimp
    No, 1:1 NAT handles outbound NAT as a part of the 1:1 NAT entry. It has no relation to automatic outbound NAT.
  • Siemens PBX & Remote SIP Extensions

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • [Solved] NAT within pfSense?

    0 Votes
    2 Posts
    1k Views
    Alright, I figured it out after some experimentation. Here's what it took to get this working (in case anyone has a multi-network scenario like I do that Dansguardian doesn't want to play nice with).
    1. Add a loopback gateway for the interface: [image: Jk1riVa.png]
    2. Add an inbound NAT rule [image: LOqwSsC.png]
    3. Add an outbound NAT rule [image: J8P9ZOE.png]
    4. Add a floating outgoing firewall rule on the interface with your loopback gateway [image: mU0yTiK.png] [image: 53LRnh7.png]
    It's a roundabout way to do things, but it works! I'm not sure that the outbound NAT is necessary, but have left it in just in case. I'll do some experimentation on it tonight.
  • Multiple ports to a single port

    0 Votes
    5 Posts
    2k Views
    @podilarius: Have you searched for that? There is lots on the forums and net on how to forward say 5066 to port 5060. The hint is:
    Src: any sport: any dst: <local ip> dport: 5060
    for the firewall rule. For the NAT it is something like:
    dst: <wan or external ip alias> dport: 5066 redirect: <internal ip> redirect port: 5060
    You need nine NAT rules (one for each port) and one FW rule (the one for port 5060).
    That's why I'm new :) I was doing a 1:1 nat and I was adding the associated rule manually. I wasn't using the Port Forwarding menu, which happens to add the rule by default. Thanks!
  • [SOLVED] Outbound NAT with Virtual IP using LAN IP as outbound IP

    0 Votes
    6 Posts
    20k Views
    Yup, some have even used the lo0 interface to add aliases to in this kind of situation. This way you don't have live IPs as aliases on your LAN. However, everything on the LAN would use private IPs with LAN as the gateway. You could then use 1:1 or port forward if you like.
  • FTP timeout getting socket error instead of clean timeout message

    0 Votes
    3 Posts
    2k Views
    This makes them a good web knowledge is very useful for the knowledge I got from your site as well.
  • Can't get 1:1 working properly

    0 Votes
    3 Posts
    993 Views
    Thanks. It ended up being a configuration error. I had a gateway defined on the lan interface. I removed the gateway and added a static route for the lan subnets and everything started working properly.
  • IP cam and ports opened

    0 Votes
    1 Posts
    762 Views
    No one has replied
  • Multiple Wan IP to multiple servers using same ports

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Portforward ip cameras

    0 Votes
    10 Posts
    3k Views
    Yes, the port 66000 isn't the one that I want to use, I just took an example :) No, I just thought it would be nice to be able to access the router from the outside; I think that I should reconsider port forwarding to my router. Thank you for explaining.
  • NAT full ports external IP to a internal IP?

    0 Votes
    2 Posts
    912 Views
    It's named NAT 1-1. Why would you like to nat all ports to your internal ip? It's safer to nat only the ports that you need. If not, why have a firewall if you are going to allow anything from external networks to pass to your internal device? mmm maybe you want a DMZ. That will force you to have a local firewall on the device your internal IP is.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.