The image does not show up… For no reason it is working now

Upgrading to the most recent 2.0 RC snapshot is pretty safe right now. There aren't any known upgrade programs with configurations (aside from some issues with international characters in the raw xml) and it should be OK to use in production. We're only a week or two away from a 2.0-RELEASE if we can get a couple kinks ironed out. If you want to check your config, there is a Pre-Upgrade Check package you can use, and you can also check the upgrade guide on the doc wiki (check my sig)

OK so finally figured out WTF my problem was. Disabling the FTP helper and simply making a port forward with rules (including passive) got me working. Long story short, the issue was a M$ ISA server that corporate uses as their firewall which was screwing up my TLS session with its own FTP rules (local routing).

Never mind, I was looking at the wrong PFSense box I had a source limitation.

For the firewall rules you most likely do not want to set a source IP or port. The destination of the firewall rule should be the target of the port forward, not "lan net". Go over the following docs carefully: http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Wow, lot of information ;) My crystal ball says that your acl rules are set from outside net and not from inside to use that nat.

It's not issue in any rc i've tested, but here in common if you're asking help you should have always updated to the latest build. There are always lot of changes between snapshots. Have you updated? does this problem exists?

Only to http is needed, but in both source and destination. Are you trying to access from outside or inside network? can you view screenshots of your wan rules and port forwarding?

Will you edit first post subject with [solved] What was the problem afterall?

As i stated before, i haven't used 1:1 so i can't give you exact answer

cmb: you are correct.  I deleted those rules (the ones I had selected "do not nat" for) and that works fine.  Since the rules get auto-created when you select "manual", I had the (wrong) impression they were necessary.  Makes more sense now. Thanks, Mark

Thank you for your solution it worked. Wenn Sie Deutsch sprechen, sage ich "Vielen Dank".

Look I Have 3 wans wan1: 10.10.2.254/24 wan2: 10.10.3.254/24 wan3: 10.10.4.254/24 One lan LAN 192.168.2.254/16 with load balance. now if i port forward as Interface: lan Protocol: tcp Destination: 66.63.184.209 Destination port range: http Redirect target IP: 208.69.36.135 Redirect target port: http it work if i port forward as Interface: lan Protocol: tcp Destination: 66.63.184.209 Destination port range: http Redirect target IP: 192.168.2.254 Redirect target port: other : 8001 not work.

you don't really need both public IP's solution: to create a NAT rule to forward the request steps to take on the multi-wan: 1. logon to the multiwan device 2.Navigate to Firewall>Aliases>create new alias           i.name: yourwebserver           ii. Description: webserver           iii.Type: Host(S) , add 192.168.77.0 as yourwebserver           iv. Save 3. navigate to Firewall>NAT>port forward and create a new rule 4.Interface for the rule to apply:- (WAN) i. protocol :- TCP ii.source:- any iii. destination :- WAN Address (your public IP) iv. destination port range:- HTTP v. Redirect target IP:- 192.168.77.0 (alias: yourwebserver) vi. Redirect target port:- HTTP:8080 vii.Description:- NAT to webserver viii. NAt reflection-: default ix.Firewall rule association: Add associated filter rule x. Save

Step 1:  Go to "Status" -> "DHCP leases" and setup a static DHCP lease for the desired host. Step 2:  Go to "Firewall" -> "Aliases" create a host type alias and give it a name [Host_alias_name], use the IP for the Static DHCP lease you created in Step 1.  Save. Step 3:  Go to "Firewall" -> "Aliases" create a port type alias and give it a name [Port_alias_name], for your port range enter "1:65535".  Save. Step 4:  Go to "Firewall" -> "NAT" on the port forward tab/card add a new NAT. Interface = WAN, External address = Interface address, Protocol = TCP/UDP, External port range = from: (other) in red box [Port_alias_name] to: (other), NAT IP = [Host_alias_name], Local port = (other) in red box [Port_alias_name], Auto-add a firewall rule to permit traffic through this NAT rule should be checked. Save. It should be working now! Note if your router requires any ports for any services it will not work because you have forwarded it all to the host.  You will need to modify your port type alias to exclude the desired port.  For example if your router needs port 1000 for a service in your port type alias you will need to create one range from 1 to 999 "1:999" and another range from 1001 to 65535 "1001:65535". ENJOY!

Is there a purpose behind having two routers back to back like that? If not then I'm sure I don't need to tell you the "easiest way" ;) If you must keep them separate I'd suggest replacing those two routers with one pfsense box with three interfaces, one WAN and two LAN. Traffic between the LAN segments will only flow based on what firewall rules you set (by default nothing gets through). Using the two routers like you are there is no way for the two LAN segments to see each other, they are for all intents and purposes two complete separate networks and those routers aren't designed to do what you want.

If you remove natting and use only routing between firewalls. -* Not sure how this works, cause i haven't done this *- But it could be done via manual outbound nat and after creation of rule there is checkbox: do not nat or something similar