Thanks, it works fine!

Yeah - ISPs… Those crazy guys - Just tuning our ports on and off at a whim.  It gets tiring. If its not blatant blocking its shaping that denies bandwidth thats bought and paid for. You should bill them $50 per hour you spent chasing your tail because of them.

Games usually use fixed ephemeral ports. That's why static NAT is required for some games. Thats also why it's sufficient to simply specify either just the source port or a known server and destination port in a rule and enable static NAT. Either one will match the game and will not randomise the ephemeral port.

Unfortunately due to some poor design decisions made before I arrived, certain servers need to go out via certain virtual IPs, so manual outbound NAT is a requirement in my case. @phil.davis: As well as having NAT rules to apply NAT on the way out to the public internet for packets with private IPs, you need firewall rules with the gateway specified to direct particular stuff to particular WANs. That completely answered my question, thank you very much for the help!

Not possible yet. May be in the future. See http://redmine.pfsense.org/issues/2118

Bump^

You have probably inadvertantly broken something on the LAN firewall or NAT that you haven't broken on OPT1.  Glad its working.

Yes First go to the Siproxd page "Services/Siproxd-Registered Phones". Look at the "Registered Phones" tab.  Your ATA's should show up there. Next look at "Status/System Logs".  Your phone calls will register there. siproxd[41072]: plugin_logcall.c:120 INFO:ACK Call: 36xxxxxx16@sipxxxxx.voipxxxxxxx.com -> 2xxxxxxxx6@sipxxxxxx.voipxxxxxxx.com

@jimp: make sure you have no rules in the list, then switch from auto to manual, without applying, and then switch back. What you will get in the screen after the auto->manual switch is the full list. Otherwise you can poke around in /tmp/rules.debug and read them there but it's not quite so obvious as when they're shown in the GUI Awesome! Thanks, Jimp.

Thanks for the info I did block some sites and services on the firewall so i add the IP of the Server Running Jungle disk to the exception list. Its now working fine. Thanks again

http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Oh - Yeah. That for sure qualifies as a firewall rule that will block FTP that comes before an allow rule… Why was that rule ever on anything other than a WAN?  Anyway... Glad its working.

Hi, i have pfsense 2.0.3 and i have the same issue: after 1 or 2 days SIP connection won't go and i must do a reset states to permit sip to connect as well. I have a manual nat (i've tried also a autoamtic nat, but same issue) with this configuration : Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description WAN  172.16.30.0/24 * * 500 * * YES Auto created rule for ISAKMP - DMZ to WAN  WAN  172.16.30.0/24 * * * * * NO Auto created rule for DMZ to WAN  WAN  127.0.0.0/8 * * * * 1024:65535 NO Auto created rule for localhost to WAN  WAN  192.168.132.0/24 * * 500 * * YES Auto created rule for ISAKMP - LAN to WAN  WAN  192.168.132.0/24 * * * * * NO Auto created rule for LAN to WAN My WAN IP's cannot change because i'm using a line with a fixed IP. Waiting for your reply, Regards.

@pingulino: or are you saying that 2.0.1 is so buggy it won't function correctly?? That's not what I've said. What I've said is that there have been relevant bugfixes since 2.0.1 (and a whole lot more of those in 2.1) @pingulino: That's scary! Running a deprecated version with known security issues sounds even more scary. You won't see any fixes there either. You can play with the -N switch for pureftpd, diff the configs etc. Other than that, no idea. P.S. Trying active FTP to a server behind NAT is completely futile effort.

Not automatically. You can backup the config.xml edit them out and restore. Or delete the rules before you remove the card. They are not placed into the ruleset so they are inactive in the config so it doesn't really matter that they are there.

IF your WAN subnet is private you shouldn't have the block rule.

Cause the costumer only routes 192.168.16.0/28, politics. Nervermind I get it. I was doing the NAT at the wrong interface, working now.

So far - i've just made openVPN as neighbor LAN (LAN - 30.0/24, openvpn 31.0/24), and for BINAT i used 30.0/23 mask - so it working. But i'm not sure if this right solution =)