• Port forward and rules not giving any love to webserver inside DMZ

    Locked
    14
    0 Votes
    14 Posts
    6k Views
    C
    Just wanted to follow up here for others who may want to know the cause. rwoo bought support and we walked through everything. 3 separate main issues here.
    The VIP on WAN was conflicting with another device. Turning the packet capture on WAN up to "Full" detail and checking the destination MAC address showed that. That's a good thing to keep in mind when troubleshooting things along these lines: seeing something in a packet capture on WAN doesn't necessarily mean it's being directed to the firewall. If the destination MAC isn't the firewall's (i.e. you have an IP conflict), then it isn't going to pick up that traffic and forward it.
    The DMZ server's default gateway was wrong.
    The host firewall on the DMZ server was blocking off-subnet traffic, so you could browse to it from the same subnet, but not from any other network.
    Took care of those and it's all working.
  • FTP set up help

    Locked
    21
    0 Votes
    21 Posts
    9k Views
    johnpoz
    Well, I didn't actually match them up, but I see ftp packets out of your lan interface re0:
        11:01:19.581950 IP pool-173-57-104-76.dllstx.fios.verizon.net.62942 > 192.168.1.119.ftp:
    So it's forwarding the packets. So if your ftp server is not seeing it, then it's not pfsense's fault.
    I posted up the easy thing to do for tcpdump, so you don't see all that other noise, just ftp. And vs the name resolution you just get IPs:
        tcpdump -i 4 -n -q port 21
    -i 4 or -i 3 is my index of my interfaces - you can use either name or index, I used index. You can view your index off of tcpdump -D, example:
        tcpdump -D
        1.gif0
        2.ovpns1
        3.vmx3f0
        4.vmx3f1
        5.lo0
    I can look a bit deeper, but I see packets on your lan interface going to your ftp server on port 21. But I did not see any response - so that tells me either your ftp server never saw the packets, or he is not answering.
    In my lan sniff you see the server answer back:
        07:08:34.396528 IP 192.168.1.4.21 > 173.236.157.143.19998: tcp 0
    I don't see anything coming from ftp back, so it's not getting the packets you're putting on the lan interface of your pfsense, or it's just not listening on 21, or it has a firewall blocking?
    But clearly you can see from your sniff of your re0 that packets to ftp on 21 were put on the wire. So pfsense did what you told it to do: forward the packets to that IP on its lan interface.
  • Problems with FTP using WAN address from LAN.

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    johnpoz
    Looked like it was working to me..
    -I can connect from LAN with dyndns address (my.domain.com) with active, but NOT passive connections.
    -I can connect from LAN with dyndns address (my.domain.com) with passive AND active connections.
    So now what you're telling me is it's a requirement that you have to use passive from the internet and the lan both? Why not just leave the helper and set your profile to use active connection? If you are at some location where it does not work, then change it to passive.
    Or why don't you just go back to smoothwall ;)
    If you would set up your local dns to resolve that fqdn to your private IP you would not have any issues. You could still use the fqdn be it inside or outside.
  • LAN virtual IP NAT

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    C
    use manual outbound NAT specifying the source IP/network you want to NAT.
  • MOVED: Captive portal

    Locked
    1
    0 Votes
    1 Posts
    998 Views
    No one has replied
  • Problems with nat

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    D
    Resolved, thank you very much for the idea, I put the PPPoE and pfsense as a bridge only modem bridge. 100% Valew.
  • 3CX Phone System disconnects

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Route only youtube through external proxy

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    S
    @Brak: If you use Firefox, install FoxyProxy addon, and set up a white-list filter for .youtube.com to go through the proxy. Not network wide, but achieves what you are looking for I think. Xbox with XBMC doesn't have this option and some others, too, like my Android etc.  ;) The other options are well known, but not the way to go.
  • Only some forwarded ports work..

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    C
    You can actually enable logging on the NAT rule. Go into rules and find the rule you created and click the blue I. If you then try and connect to it externally you can see in the system logs whether it's being denied or allowed.
    I had a problem almost similar to this, but it's probably different. I used to have a watchguard being my Zyxel router, and I swapped the watchguard for a PFSense virtual machine. And when I forwarded some public IPs to some natted nodes, it wouldn't work! All I had to do was turn off my Zyxel to flush out the cache and turn it back on again, woolaaa!
    Good luck mate!
  • Multiple WAN Passing Traffic Between

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Shorewall nat file x pfsense nat

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    marcelloc
    http://forum.pfsense.org/index.php/topic,47384.msg248969.html#msg248969  ;)
  • 1:1 natting with 5 DHCP WAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    A
    Will do, thanks for the tip :D I will post again in a few days if I figure out how to make it work!
  • Vmware two Nic, can not port forwarding.

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    K
    have any like this issue. such as other vm box system.
  • None of the FWD ports work

    Locked
    11
    0 Votes
    11 Posts
    3k Views
    D
    Read http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
    marcelloc is suggesting to use Method 2: Split DNS.
    Note that pfsense's "NAT Reflection" doesn't work for UDP (yet).
  • NAT Forward port 80/443, not working. Resulting in TCP RST.

    Locked
    1
    0 Votes
    1 Posts
    4k Views
    No one has replied
  • Asterisk ON pfSense2.0.1

    Locked
    34
    0 Votes
    34 Posts
    24k Views
    marcelloc
    First package release is out.  :)
    http://forum.pfsense.org/index.php/topic,47210.msg248054.html#msg248054
    I made some changes to improve stability and added checks for nanobsd or normal install.
  • 0 Votes
    5 Posts
    17k Views
    S
    @shon: I was able to accomplish this but without having to select the "Manual Outbound NAT rule generation".  The rule was good enough to do the job. Thanks!
  • 1:1 Nat Reflection – wrong firewall rules applied -- pfsense 2.0.1

    Locked
    5
    0 Votes
    5 Posts
    4k Views
    C
    thank you, I'll try the floating thing
  • Multiple NIC's > FTP Servers

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Host-header support in pfSense

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    marcelloc
    Canefield,
    It can be done in pfsense for sure. Haproxy will be easy to configure as it has few configure options and can do http as well as https balance/failover. Do not forget firewall rules to allow traffic. ;)
    Att, Marcello Coutinho