I had to use AON too for SIP sucessful registering. Best Kostas

After days of working on this I found a guide I understood .. http://www.packtpub.com/article/pfsense-configuring-nat-firewall-rules they have a sample webserver setup using pfsense and exactlly what I was trying to do. Hope it helps someone. I had a lan address in the destination box, when it should have been "wan address" works perfect now. ** Solved **

Hi Brian, My apologies for resurrecting an old thread, but if you're still around I'm curious as to what you wound up using for a Session Border Controller. Thanks, Phil

its not helping. tryed to kill all active states then apply nat rules but i have the same problem. the truth is my box is not a fresh install, first i have the 2.0 version, then i started to upgrade to 2.1 beta versions, but then i rollback to the 2.0.1 stable. probably this is what cause this issue. i dont know

No problem dude - what I'm here for.  Common issue really, I would suggest you look to moving to bridge mode on the device from your isp, or get a new device that can be set as just true modem. Double nat is not a ideal setup, sure it can work - but it clearly is not ideal to be sure. Have fun with pfsense - your going to love it!

Looks like you have multiple issues. One you have several IP conflicts there from the "ARP moved" logs, switching between Ubiquiti and Apple MACs, between Ubiquiti and HTC MACs, and others. The increased CPU usage is just a symptom of some other problem is my guess. What do your traffic graphs look like at those times? Rebooting can temporarily clear up so many problems internal to your network that it's not necessarily indicative of a firewall problem. An IP conflict on your gateway IP would be cleared up by a reboot temporarily, amongst other possible issues. What a packet capture on the parent interface of the VLANs shows when it isn't working would be telling.

Upstream ARP cache. The IP won't move back until it's cleared or times out, which takes several hours by default on every router. 4 hours on Cisco, similar on others.

There is no gateway IP from the ISP with a routed subnet, your provider routes it to one of your existing IPs, so you don't waste IPs with an entirely unnecessary gateway IP, and you have more flexibility in how you can use the additional subnet.

Check Diagnostics>States for a better picture (or pfctl -ss). That's almost certainly a host infected with some kind of DDoS bot. Anything you allow to open massive numbers of new connections is going to have an impact on your firewall regardless of what it is. Limiting states per host, and as tight as possible of egress filtering, helps keep such things in check when they happen.

Do a search in these forums and find several good write ups on setting up bridges. I made it as short as I could … you could to the first subnet as a /30 but you would still need the second to be a /25 ... not that you could not make quite a few networks out of 159.1 - 128 ( the first /25 broken into multiple subnets and used for different things).

Well, this is because NAT reflection is off. Personally, I would use split DNS so that server 1 would get the internal address instead of the external and having to rely on the reflection. You want to make sure you are testing from out side to make sure any rules are working from WAN to LAN.

by default all ports would be open outbound, you prob need to setup a port forward.  What ports does your dreambox use?  I believe this can be changed. So you have 2 dreamboxes?  Why are you listing 2 different IPs? Once your sure what port you need to forward - then following http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

Yes please start a new thread and be sure to include details.

I'd say set up you FTP server to go out only on one WAN (outbound rule), that should fix the problem. @hunters: Another thing is that i read a lot aroud about an FTP Helper to be enabled/disabled on the interfaces but i don't found anything on PFSense 2.0.1 about it. May be it have been removed or somethink like this. Can you give me any help about the issue? I think this is now here: System: Advanced: System Tunables : debug.pfftpproxy

Can you elaborate on your question? I am not sure what information you are looking for.

Awesome! Thanks for the info… Will ask them.... Thank you guys for everything!!! problem solved....

OK Feeling quite stupid! I have enabled NAT reflection and all seems to work, perhaps it always did for traffic arriving on the WAN!! Thanks for your help, Ernie

You can't effectively do what you're trying to do, because of the way pf works. NAT happens before filtering, so the 1:1 for port 80 and the port forward for 30123 look identical to the firewall rules, so they are both allowed. The correct thing to do in this case would be, as johnpoz said, to make the service bind to port 30123 and not rely on a NAT redirect. Either that, or ditch the 1:1 NAT and just use port forwards. Actually I take that back - there may be another way: Add a port forward for 80->80 like you have for 30123->80, but on the 80->80 rule, check "No RDR (NOT)".