Trigger port forwarding is not really what you stated.. What you stated was sending to more than 1 pc behind your router unsolicited traffic at the same time. That is not what port trigger is, a trigger would allow you to take turns.. It can be used for allowing ports inbound when box is talking outbound on different ports or to different dst, etc.  But it does not allow that traffic at the same time. I don't believe there is anything in the gui for this, but I do believe you can do it with anchors and creating rules for pf directly.  I personally have never came across a need for port triggering in my time in IT, 25+ years. I think there was some bounties for adding this to the gui, but I don't think it ever went any where.

Install squidguard ,create group based rules on it and then use this script on cron to update every x minutes(for example) your squidguard group user list. https://github.com/ccesario/public/blob/master/squiguard_ldap.php att, Marcello Coutinho

@kelsen: I think I don't understand. Do you have a gateway configured on outbound interface you want to translate addresses?

Are you actually testing this from outside your network and getting that result?

Resolved, your instructions were correct. It turned out to be that the server in question did not have the correct gateway assigned. Thanks for your help!

@fannet: We are seeing crazy high latency (25-45MS) pinging from our PFSENSE gateway to any other host (and vice versa) on the same layer-2 domain (same switch). The machine has 16 cores (AMD) 32 GB ram and a dual 10gb NIC. The total traffic going through the NIC is less than 1 gigabit/s. We have NAT enabled and have about 1500 users going through the box. Between any other two hosts on the same switch the ping is < 0.9ms Any suggestions? Did your particular hardware configuration ever work well in the past ?

Thanks - yeah that looks to be using MLdonkey as a multi protocol sharing server, web/ftp, bittorrent, emule, etc.  The turnkey docs/tutorial for that appliance are a bit lacking from just a 2 second look.  And yeah they do say to forward that range - why I am not sure.  Clearly from the mldonkey site, and even from their example on the turnkey site they show the portcheck script used 6882 so why would they say forward that range? http://mldonkey.sourceforge.net/WhatFirewallPortsToOpen#Incoming_connections BitTorrent client_port = 6882 bittorrent.ini

I finally resolved this issue. It requires that nat reflection for port forwards check box be un-checked in the Advandaced settings on the Firewall tab. Then I had to delete the already made rules for 80 and 443. Then when creating the new rules I had to make sure that Nat Reflection was set to Enable for each Nat rule.

Just to update this. Turned out to be an unstable STUN server that we were using. We just used a different from from VOIP info. The 3cx one is very unstable. As well as just doing a rule from the three IPs from our sip provider helped a lot too.

@fellesnelle: I’ve tried it several times without any succes. But know I did it again and it works. I’ve forgot to use ‘Host’ in my connection. Thanks for your reply. I have the same problem, can you explain me how did you fixed it??? Thanks!!

normal , I posted a wrong ip address for best security :) ok I post screen if easiest :)

Even after resetting to factory default, I still can't make it work. I determined that my company's MAC address filtering is to blame, anyway we have found a way around this. Thanks!

Could be a residual ARP in the next hop )ISP Router( or the like. I would set it up how you like and restart everything you could. Past that, i would check logs and double check the config.

Honestly don't know … Might be possible with a WAN and then a LAN rule. I don't think that is going to work either as it is still going a different route with NAT transforms as well.

Both are transparent proxy configuration as it will forward http connections to squid.

That would not really be nat, other than the normal nat from your private to your public on your wan. Are you setup for explicit proxy - ie your browser pointing to the proxy or just transparent.  Which intercepts http/https normally. Normally if you just want to allow access to specific ports outbound, you would do that on the lan rules.  Be default the rules are setup to allow anything from lan segment to go to any port outbound. You create specific rules to allow http, https, pop, smtp, etc.  And then create a block rule after those that blocks anything else.

1. Why are you using port forwards on your openvpn interface? That isn't something that I'd expect to work, honestly. If you have proper routing on the VPN there is no need for port forwards there. 2. http://redmine.pfsense.org/issues/1882