I did get this working now in version 2.2.4 after doing a lot of packet captures and troubleshooting.  I have another different virtual IP address setup for IPsec and L2TP (both enabled) on the pfSense box itself.  When I disabled those it started to work.

This leads me to believe that there might be a bug is IPsec & L2TP services on pfSense.  When enabled they will not forward udp port 500 traffic on other virtual IP's.  Once disabled they do pass the traffic.

Access the system BIOS (F2 during boot, after POST) and inside the Power menu there's an option "After Power Failure".
Set it to "Power On" to keep in on all the time from the moment it's plugged into a power source. Or "Last State", so the system returns to the state it had before the power failure, that could be on or off.

I'm thinking it may be a KVM issue

Glad you got it sorted.  When looking for help always talk about the network connected to the WAN as a WAN. People around here cannot read minds! (No matter what they tell you)  :)

Huh??  Why do you have the same lan network on pfsense as your production network??

You have 30.0/16 on your production network and then you show 30.0.0/?  This would overlap.

i was about to post a conclusion to this thread to thank @johnpoz for his valuable help !!
Anyway, all the experience in this thread was already stated in the post above by the original problem solver @johnpoz.
thank you so much @johnpoz and everyone else who have replied in this thread.

Did you go through the port forwarding troubleshooter.. Just logged into a guy to help him out and he had captive portal enabled.. Yeah that keeps stuff from answering ;)

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

What concerns me is you would even attempt to swap the ports - that tells me not really understanding the process at a basic level.

That's all there is? Nothing being NATed there, which means your port forward isn't matching the traffic. Given the source and destination is fine, maybe it's on the wrong NIC? Needs to be on the source interface of the traffic.

Oh, I thought you were testing externally like your friend.  If you're on the same network then you can't access it using it's public name or IP unless you have NAT Reflection enabled, or are using internal DNS that resolves the host to its LAN IP address.

The only way that sort of setup will work is if there is an additional firewall on each leg doing the extra NAT. As the others said, you can't have the same subnet on multiple interfaces in that way. Not only does it require NAT like you show, but that NAT has to be performed by something on the other end of the lines.

If each of those additional sites had their own firewall and the "main" pfSense unit only saw your 172 subnets that would work fine, but something has to be in place to ensure that no one device sees the same subnet on multiple interfaces.

tanks for your answer i will try and let you know :)

removing the limiters is worth a try to confirm or deny whether that's the issue.

The bug in question is https://redmine.pfsense.org/issues/4326

In most configurations, that only applies to using limiters on WAN rules. Where you're using reflection that's more complicated as you're doing NAT on LAN and there are more possibilities for that to apply.

It's not clear exactly what you're after but most likely what you seem to be working toward can be accomplished in one of two ways:

Use 1:1 NAT for the local client IP address to the WAN IP address Use Hybrid outbound NAT with a rule to perform static port outbound NAT from the local client IP address

If you want secure you want OpenVPN not port forwards.

I never reported back; but i was able to solve it by wiping pfSense and starting over, again, from scratch.

Sometimes the pfSense configuration just gets itself into a state.

Wiping the configuration and starting over has been the solution on four other occasions. Sometimes the UI must put the config files into an inconsistent state.

Weird.  Most modern hypervisors will complain loudly if the virtualization extensions aren't enabled.

thanks for you answers. Now it is working :)

No, not here. Totally OT plus wrong forum.