@bdwyer: @MTHead: So it sounds like what Cisco calls "PAT" is what I've always called "port forwarding" (and, in fact, in the pfSense GUI it's the "Port Forward" tab on the "NAT" page.) No, that is static PAT.  When he is talking about internet traffic and PAT, he is referring to dynamic PAT, where the translations are done automatically for your users so that the web host can communicate directly to the correct computer behind the source gateway.  A static PAT mapping would be mapping a certain port to always go to a certain internal host, akin to what your talking about for port forwarding. If you want to reference to pfSense, the closest thing to explain what dynamic PAT is would be the Firewall : NAT : Outbound page. Thank you for that!

Just found this over in the Routing / Multi Wan This might be of some help but seems like I have done this before. http://forum.pfsense.org/index.php/topic,43107.0.html

For the record, let me explain why this happened (now that I think I understood it!) In this case, by selecting a gateway on the LINK interface, it became a "WAN type" connection. As the hint says on the Outbound NAT page, "rules are not added automatically for WAN type connections". In this particular case, the LINK interface is actually both a WAN (when failover gets activated) and LAN (always). So a manual Outbound NAT rule is needed in order to allow translation between the WAN and the LINK subnet (for monitoring to work). I also had to delete the LAN to LINK outbound NAT rules as my config involves just routing over there. Cheers!

Glad to hear it! Feel free to contribute to the Documentation yourself now that you've figured a few things out :)

I have no glue why it is not on the official documenting but atleast here in forums it is told several times.

I wonder if you're seeing the same issue that I am? (reported here: http://forum.pfsense.org/index.php/topic,42980.msg222115.html) My workaround was to force outgoing FTP traffic across the default gateway.

This issue has a workaround:  http://forum.pfsense.org/index.php/topic,42971.0.html It was due to a MAC address issue on the LAN interface. Click the link above for a workaround. Note: Posted for historical reasons, in case someone has the same issue I did.

Hello all, i m also facing port forwarding and nat problem its not working. my configuration is go to firewall - nat- port forward - interface wan - protocol -tcp - source- any, port range - any destination - wan address- port 3389 , target ip 172.16.17.145 target port 3389 - save . then i have to create a rule for lan from any to lan . also its not working anybody can help me for this . Thanks alot in advance. A Mohan Rao +91 98260 61122 mohanrao83@gmail.com

Thanks for the suggestion.  You were mostly right :). The problem was IP block list.  Evidently one of the lists doesn't like apple.

Sorry, I got interrupted just now. Your new OPT1 interface is just like any other interface but you do have to create rules to allow VMs access out from the DMZ - to send emails for example. You say you have port 80 forwarded to your mail server?  I assume you have port 25 as well or just made a mistake there. If you only have one external IP address then you would only be able to forward any given port to one destination IP (VM or physical machine on your LAN). I can't answer the PS3 problem but, by default, anything on your LAN should have unrestricted access to the WAN. Hope that helps. Just re-read your post and realized you might be asking about creating a physical DMZ - which I assume would be connected to your PS3.  Not too much difference between that and creating a virtual one - you just need to join a physical NIC to that vSwitch.   It would still be OPT1 to your pfSense VM.

@mhill: It looks to me like the reason it was not working was the source port specified as 2222.  The source port should not be specified, just the destination, right? Yes, source port is not usually known. It is normally any (1024 to 65535).

Yesterday, i tried to connect from Windows 7, the same result :'( For example i installed ISA2006 and tried to connect and-WOW-connect is done! I think, that my pfSense dont wanna to work whith me((((

Hello all, Finally I solved this reinstalling the pfSense box. After configuring the NAT rules, the FTP works again, well, I had to disable the ftp proxy (in the previous installation it didn't exist, perhaps because it was a beta upgraded to final, buy i added the tunable debug.pfftpproxy and set it to 1, without luck). Now it's working, but no idea why changing the LAN address broken that. I've not restored a configuracion, only "just in case", and configured everything from scratch.

I think a screen shot of your rules for WAN and LAN would be more effective for most people or clean up that rule dump with new lines.

@marcelloc: I would prefer to use same set of ports on alias and specif nat for different source and dest ports. I think I understand: if you are port forwarding the same ports then you use an alias.  If the ports are different, you specify them one-by-one. It seems that's the only way to do it.  I was just curious if the behavior I saw was a coincidence, or if it was operating as designed. –jason

I created my NAT as 1:1 but I needed port forward for certain ports. Plus I used aliases for firewall rules for simplification of firewall rules (grouping ftp server, web servers and the like). So for the few that needed port forward, I didn't want it to create an associated firewall rule as the rule already existed as a part of a larger alias rule.