Dude - remove all your forwards.  Enable UPnP - does it work now?  What parts are in use.

Disable UPnP and put in the forwards manual.  Or just leave UPnP on.. You do not need both for it to work.. either UPnP will work, or you correctly forward the ports.  You do not need both.

In Outbound NAT you can add manual rules - I would think you can add rules with
source IP = internal IP of the server
destination IP = any
translation address = the public IP you want

At least that will translate the internal IPs to the desired external ones.
But I suspect the traffic will still all go out the default interface. Your ISP may or may not accept that???

I wish I could help more but I've never configured a reverse proxy.

Or just check Diag>States.

Thanks Derelict!!!!!
The Changes were:
NAT Rules - Static configuration from my LAN 172.16.0.016 to my Public IP.
Rules:
. If I want to reach any IP from my LAN Network, the firewall must be return the traffic to the switch.
And also I must be change the LAN from 172.16.9.0/24  to 172.16.0.0/16.

After these change my network are function correctly!!!!
Very thanks!!!!!!!!!!

Thanks. I'll give it a go. Told you….I'm new to networking and especially pfsense.

so you have some rule on your wan that would block specific networks?  Or your port forward..  Post up your wan rules and port forwards.  Is there some route on it that would have it going the wrong place for specific networks?

Can not ping it even..  Do you have ping allowed on your wan rules?  Doesn't ping from other locations either.

Sure looks like double nat issue to me as well, pfsense has 192.168.2 address on its wan?  You don't specifically show that.

As tjsummers points out, your best option is to remove the double nat, ie bridge your isp device so that pfsense has public on its wan.  Or stop using lame ass software that does not support dns ;)

Hi,

installed the haproxy-package and changed all LB-Jobs to the haproxy.
Now everything is working fine again!

i need that the user will type 'ssh root@10.0.1.200' … so that the proxy will be transparent

Here's some things to look at.

A packet capture is a real help with SIP.  You'll see your internal IP address in the "From" field.  Unless your SIP device has the capability to add a "VIA" field with your external router address, the far end typically will look at the SIP "from" field and send it there.  Unfortunately, that is the internal private address.

One of the things Sipproxd does is rewrites that field so the return traffic knows to go back to your router IP address.

Set your device for options keepalive to say 30 seconds.  This will keep the state up and will allow the incoming traffic in.

I had to re-boot to make my bridge work correctly after I installed it.  YMMV.

Make sure you make an outbound firewall rule allowing that device to all on its new interface.

Good luck!  :)

And you don't need to change outbound NAT - what you did will not break anything, but it won't help either, and when you add more LANs you would have to remember to add the manual outbound NAT entries for them.

As Derelict says, post some screen shots of the Port Forward and firewall rules.

I have attached the diagram. I guess I have messed up somewhere in firewall rules and NAT rules.
My firewall rules are something like this

WAN
Proto: -IPv4 TCP
Source: IP address (x.x.x.240) of the system from which I remotely access pfsense.
port: *
Dest: Ip address of pfsense x.x.x.216
port: 443
NAT IP: x.x.x.216 (Pfsense IP)
NAT port:: 443

LAN:
Proto: IPv4 TCP
Source : *
Port: *
Dest: !LAN Address
port: 443
NAT IP: x.x.x.193
Port:3128

I am able to access pfsense box via WAN but I am not able to access DHCP/NAT server behind pfsense eventhough it is having public IP.
Any idea where I am going wrong.


Thanks Palmer.. That did the trick!!

Cheers

Did you try adding a rule on the outbound nat page?
Try (Manual Outbound NAT) adding a rule on the interface in question wit the source being the internal IP/32 and the NAT addressing being the public IP they are using. Move that rule before the other rules.

Sorry for the lack of proper terms.
The SIP adapter / client I use behind pfsense on a fios connection had to have its re-registration times cut from 3600 to about 60?
I didn't see a keep alive option on that one. 
Of course "recheck" isn't an option.

This was a change in behavior 100% related to pfsense though.  Minor annoyance.  Easily handled.

BTW - The reason I was looking at this old thread again is because my son wants to use my xmpp server there for video/audio behind pfsense / NAT.

Figured it out.  Just needed to use a STUN server.  Thanks.

can lan1 and lan2 use the internet?

So running on virtual?  is the lan1 rules the default or did you create them?  Do you have any floating rules?  So 2k3 has no firewall, not even 3rd party antivirus/firewall suite?

Does it have a gateway set to pfsense an IP? Same for you lan1 devices.

Issue I have seen when users create rules is they they think its any any, ie source is any and dest is any but they have protocol set to tcp or tcp/udp which would not allow icmp (ping)

What do you have for Firewall - NAT - Port Forward?