• NAT Reflection / Massive inetd with UDP

    Locked
    0 Votes
    10 Posts
    3k Views
    jimpJ
    Well that ship has sailed for 2.0.x, which is why you have to do it manually in the rules. For 2.1 it's debatable. If someone can sort out the syntax for calling socat via inetd equivalent to what netcat is now, then it can be fixed up without too much trouble.
  • Servers behind the firewall

    Locked
    0 Votes
    2 Posts
    1k Views
    G
    I would have the webserver and email server on a separate subnet and create a DMZ so if your servers get hacked they can't get onto your computers on your LAN. Go to NAT and create an inbound rule for each required port to your servers:

    WAN TCP * * WAN address 25 (SMTP) IP Of Email Server 25 (SMTP)
    WAN TCP * * WAN address 110 (POP3) IP Of Email Server 110 (POP3)
    WAN TCP * * WAN address 443 (HTTPS) IP Of Email Server 443 (HTTPS)
    WAN TCP * * WAN address 80 (HTTP) IP Of Web Server 80 (HTTP)

    Once done you will need to create some firewall rules between your LAN and DMZ and then from the DMZ to the LAN. Are you having two WAN connections due to the different WAN IPs?
  • Pfsense and trixbox NAT port 5060 registering issues

    Locked
    0 Votes
    11 Posts
    3k Views
    G
    Quick question: your LAN subnet is 192.168.1. but your NAT inbound port forwarding is going to 192.168.20. Is your trixbox on a VLAN / different subnet to your IP phones? If so, why? Also, are you using IAX for one of your trunk providers (port 4569)?
  • How to forward to internal server and port from www

    Locked
    0 Votes
    5 Posts
    2k Views
    C
    @luke240778: Thanks for the reply, but don't understand fully. Are you saying not to do a 1:1 and just port forward public ip:80 to local ip:9080?

    You can keep the 1:1 and add a port forward to do just that, the port forward will override the 1:1 for traffic matching it (otherwise dest port 80 would go to dest port 80).
  • Port forwarding on WAN, connecting from LAN

    Locked
    0 Votes
    2 Posts
    1k Views
    R
    Answered my own question by flipping through the NAT portion of The Book. All that is needed is to enable NAT reflection, which is disabled by default. And the DNS solution I have used in the past is called "split DNS". But if you can set up a proper DMZ using external addresses, this is a non-problem.
  • Double NAT & routing issues

    Locked
    0 Votes
    6 Posts
    8k Views
    C
    LAN rules have nothing to do with communicating WAN side to LAN side, that's WAN rules. You didn't mention if you added the required static route on 1.1, guessing you're still missing that.
  • Sip forward suddenly stopped working

    Locked
    0 Votes
    10 Posts
    3k Views
    I
    Just to finish this thread, I managed to solve this problem with help from my phone device manufacturer. It turns out there was a mismatch between the firmware version on my device and the sip platform that my provider uses. It appeared to be something very small that caused the provider to think there was no response from my end. So, in the end, it wasn't related to pfsense at all. Solved.
  • MOVED: The system returned: (61) Connection refused

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Multi IP interface NAT

    Locked
    0 Votes
    5 Posts
    2k Views
    I
    I somehow got it to work using NAT 1:1 to map specific internal address to the outbound address on the interface I want based on destination network. It seems more like a workaround and not really elegant.
  • Outbound NAT rule for port 20 not working for Active FTP

    Locked
    0 Votes
    2 Posts
    3k Views
    S
    Brain fart! Got it to work. It's the source port that should be 20. Not the destination port.
  • Internal routing issue

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • DNS Access in DMZ

    Locked
    0 Votes
    3 Posts
    2k Views
    jimpJ
    If your DNS server really does require NAT reflection, it won't work. NAT reflection is broken for UDP, and has been for years. (Check redmine.pfsense.org)
  • Bit of a strange one… Internal PC needs to access server for updates

    Locked
    0 Votes
    3 Posts
    1k Views
    B
    That is awesome!!! I adjusted it within the specific port forward and it is now working. Thanks very much for such quick and CORRECT advice :) Stu
  • NAT source and destination ?

    Locked
    0 Votes
    4 Posts
    6k Views
    Y
    Yes I understand, but how do I combine both outbound NAT and port forward for the same packet? Do I first create an outbound NAT rule to convert src:10.1.1.30 dst:10.1.1.49 to src:192.168.1.13 dst:10.1.1.49 and then add a port forward for 10.1.1.49 to 192.168.1.91? What would be the way of doing this, and what interface would the NAT/PF rules be on, INT or EXT? And how would the incoming packet be natted, would it be the same in reverse or would I need to configure new NAT rules for this? Sorry if this is basic stuff but I am completely new to the pfSense way of doing NAT (and to be truthful the documentation does not help much). Thanks
  • Port Forwards Only Work For Some People!?

    Locked
    0 Votes
    4 Posts
    2k Views
    C
    The window size and scale factor are set by the source host, you can't change that. That's unlikely to be relevant. Port forwards don't rewrite source ports. There isn't a difference network-wise between allowing traffic in from the Internet on 1:1 and rdr (port forward). Either way you're strictly rewriting the destination IP (though with rdr you can rewrite the destination port, that's only if it's different outside vs. inside, e.g. from the Internet you have a web server listening on port 8000 but it's on 80 internally; that doesn't sound like it's the case here, and wouldn't be relevant either way). That's different for outbound traffic but that's not what you're looking at here.
  • 1:1 NAT on new setup not working

    Locked
    0 Votes
    5 Posts
    2k Views
    H
    @chpalmer: Looks right. Try changing your virtual IP to alias… Other should be fine but the change may jar things... http://doc.pfsense.org/index.php?title=What_are_Virtual_IP_Addresses%3F

    This did it. Thanks.
  • NAT pass rule not working

    Locked
    0 Votes
    2 Posts
    1k Views
    C
    No, works fine. Not enough info there to provide any suggestions, aside from check the usual: http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
  • Parse HTTP host headers for single IP to different internal IPs

    Locked
    0 Votes
    4 Posts
    2k Views
    S
    Hmmm I looked at the HAproxy package a while ago for pfsense but saw no way to configure it as a reverse proxy with a single front end and multiple back ends based on a URI, at least in the pfsense UI. Is there a way to change the configuration on the CLI or somewhere else I'm missing to do this?
  • IP/Port Redirect

    Locked
    0 Votes
    3 Posts
    2k Views
    G
    Sorry if I didn't make it clear, I'll try again. The application will consult on the database information, just it. Then it will go through the pfsense and then pfsense will redirect to the databases on the other side. I just ask if pfsense can redirect to more than 1 IP on the same port.
  • Advanced Outbound NAT ignoring rules

    Locked
    0 Votes
    17 Posts
    5k Views
    C
    For IP aliases you can use either /32 or the actual mask on that network, doesn't matter either way if there is another IP on that subnet on the system. If that's the only IP in that subnet on the system, then it must have the actual mask you're using for that network.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.