AWE CRAP!  Just noticed there is a whole forum on here devoted this  :'( Well…that was a day i will never get back...but on the bright side...I did learn alot ! Perhaps there is still some value in updating the NAT doco. though as others may also not immediately assume there is a game forum on here which holds the solution.

I have the same question, I can't figure out how to edit the firewall rules for using an external separate transparent Squid machine :) In the old fashion, there is a need for a prerouting, a postrouting and a forward rule. I have tried the same scenario as ndboost mentioned above, seems not to work. P.S. i've tried this on pfsense 2.1 L.E. As I discovered on http://lukasz.cepowski.com/devlog/10,setup-squid-as-a-transparent-cache-proxy-for-lan, it seems that there is a bug with forwarding one port into another in the same lan subnet. And indeed I've checked the squid access log, and it was empty all the time (meaning it received no connections at all). Following the guide on that page, i cannot follow it because port 80 is already used by other process, so I must find a new workaround (or setup a new computer … more energy consumed haha)

I used an IP Alias.  I think that might be where the confusion came from in the terminology.

Not sure. Problem was definetely there already before we switched devices. Also, swhitching devices somehow helped. Seems that broken connectivity (either upstream device or pfSense down) caused 1:1 NAT to stop working. But why?

Try advanced, nat, enable reflection for 1:1 nat.

And have you read and used https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Look on the packages listing. Squid3 can do reverse proxy, there is modsecurity package for reverse proxy.  I believe HAProxy can do it as well.  Varnish maybe, etc.

You're right, but until now I only thought about the scenario with NAT, because I didn't knew better and did not take the possibility to do it without NATting in account. Perhaps I will rethink the whole thing, but as for now that everything works great I don't have to bother about it. But thank again for the hint!  :D Greets Gunnar

From the looks of your update on Twitter this is working and it was an upstream ARP cache issue. The bug you noted that I entered would only break access from a LAN 1:1 IP to another system in the WAN subnet, general access to the Internet is fine in that case. The customer who noted that bug had a server outside the firewall in the WAN subnet and he couldn't communicate with just that one server.

Sure that works fine. In that case it's best to bind OpenVPN to Localhost or your LAN IP, and setup port forwards for udp/1194 and udp/53 both on WAN to point to the actual IP where OpenVPN is listening (e.g. 127.0.0.1 for localhost, or your actual LAN IP) The newer versions of the OpenVPN Client Export package have a choice for automatically building a config that includes all port forwards targeting a VPN server, so it could create a client configuration for you to use that would try both ports.

Well when you actually provide some details to work with, happy to help you solve your issue.

And is your wan IP address even public? Details dude - I can not help you without details..    Is your firewall on 192.168.1.4 allowing for rdp from OUTside its own network segment.. Are you seeing traffic on the wan of pfsense – these things to verify and check, that take all of couple of minutes to do..  For all I know your 192.168.1.4 is not even listening for remote desktop. Or your behind a double nat and pfsense has a 192.168.2.14 address on its wan, etc..  Maybe you have lan rules that are blocking traffic outbound on 3389. You need to go through the troubleshooting info and figure out what your doing wrong.  If you can not figure it out from that, if you PM me I would be happy to team viewer into one of your boxes that has admin rights to the pfsense and take a look see.  tmrw is turkey day so that is out - but rest of the weekend is open for me.. Happy to take a look if you want.

Yeah, I got 3com 4210 switch. I'll try that asap. Thanks for the tip :)

That is not working?  I resolve the address just fine.. I can PM you the IP it resolve too.  But timing out connecting [image: failing.png] [image: failing.png_thumb]

"Why are you questioning me having 4 dsl connections when you know nothing about what ISPs have to offer here?" Because I work for a large IT Services company - and don't buy slow ass dsl being the only option.  Are you in the middle of nowhere?  And if you actually needing a specific speed, how you are doing it is NOT the correct way to go about getting it ;) We have already solved your issue - and as typical it had nothing to do with any sort of issue with pfsense, just lack of understanding basic networking ;)

The same problem here. The same environment.

[UPDATE] Today I have tested NAT 1:1 on a fresh test (i.e. built from scratch, with just essential things) ( 2.1-RELEASE installation… No problems arose!  :-[ Hence I have begun to search the problem elsewhere... So, I went back to test pfsense "production config" and I disabled 1.Manual outbound NAT: no results 2.LAN failvorer: no results 3.default gateway switching:OK!!!!!!!!!!!!!!!! NAT 1:1 works from internet also!!! Moreover... I reverted (with config history) to "original" config (before disabling outbound NAT) and now it's still working :o :o :o :o :o :o Really a big "mystery"