@johnpoz: Are you other forwards working? If you feel your rules are correct - then first thing to do is actually verify the traffic is reaching pfsense.  Its quite possible your isp just started blocking it?  Verify pfsense sees the traffic, verify pfsense sends on the traffic.. So quick It really is a no brainer – click, and done..  Post up your nat and wan rules.. attached is my nat, wan rule that nat created and quick test by doing simple sniff on wan interface and lan inteface. edit: just noticed your other post that is working ;)  Guess no need for this post then - but hey can leave it for the next guy on how to do a simple sniff and verify traffic seen at your wan and then sent out your lan. This simple test would of pointed you to your web server right away, since you would seen the packets go out to it, but it not answering.. Haha thanks again for the detailed reply.  That's a cool looking site too, I was using nmap from a cell phone, but that looks a lot more convienent :) Thanks!

I don't see how it can be done with normal routing. You could setup PPPoE on pfSense and connect to it from the host. Then on pfSense 1:1 NAT the virtual IP address to the host's PPPoE client address. By default the host will then use pfSense for Internet traffic including other subnets it doesn't have explicit routes to. Double NAT should also work fine. Add a second IP address on the Cisco router and 1:1 NAT the virtual IP address from pfSense to that. Then in the Cisco router 1:1 NAT the second IP address to the host. This will work fine for incoming connections. You'll need to setup appropriate conditional routes on the host and the Cisco router for outbound connections.

@KurianOfBorg: Reset pfSense and try again. This should work out of the box after creating a WAN connection using just the wizard. Yea, I figured it out once I saw that you thought everything looked good.  I went back to the simple basics…and then I realized, that I was a moron and forgot to set the DNS server in the General Setup.  Plugged it in and wouldn't you know it...it works.

I tried above procedure, (1) installing squid transparently (2) configuring upstream server name and port.  It works for http but for https it is not stable. I think the problem is squid configuration or pfsense's firewall rules. If it is pfsense's firewall, please give me some head up. I am totally new to pfsense firewall.

Well I managed to get it to work with 1:1 NAT using VIP (as IP Alias) and I just sat the firewall rules (for 1.1.1.195). [image: vw9deTg.png]

@raphaelns.sup: @KurianOfBorg: Why have you set the destination instead of source? Where Do I Put the IP? I'm very lost how to do this. Well! I finish it. I changed the rule to source and is working now. Thanks!!!!

@dav63: Hi, I have fixed the issue: 1. Added NAT Outbound Rule for port forwarding with range for passive ftp, I defined same range in  proftpd server configuration file (50000 - 60000) 2. Disabled proxy ftp helper from kernel now it works perfectly! Thxs for help! It worked in the beginning but did some changes and I can never get it to work again. Fowards range from 2000-2020 > ftp server port 2000 ftp server listen on port 2000 and passive is 2000-2020 I also have set debug.pfftpproxy = 1 version of pfsense 2.0.3-RELEASE (amd64) built on Fri Apr 12 10:27:56 EDT 2013 FreeBSD 8.1-RELEASE-p13 Can't get it work. EDIT…. it seems that when I did an update it was corrupted.. did a fresh install it was good to go.

I did the same on my ESXi box, management interface on a private vSwitch with pfSense public IP facing. I'd suggest that once you get the pfSense box configured how you like it that you set the disk to non-persistent mode and that in the VM startup/shutdown options you set that VM as being the first to automatically start upon reboot.  With non-persistent set then if anything gets messed up in pfSense, bad configuration, it gets hacked, etc. you just have to remotely reboot the entire machine and you should come back up with a good working setup.

It was not a setting in PFSense, I found that I did not match my rDNS to the HELO address, rather to a requested hostname.  Sorry quys, thanks for the help. "I could not figure out how to delete thread."

Sounds like a broken network architecture. Without full details of both sides I can't provide any useful help.

I happened to have been confused by that error message yesterday also! The error text is fixed in 2.1-RC1.

I just had the exact same issue. I removed the rule for port = 0 and the "replay TV" and "start over" features of my CATV provider are now working fine :) Actually it seems to be from the same provider than darkm00n… I will try to contact my ISP/CATV provider about this issue but I fear they won't care about it :-\

What has a X-Box on a monowall to do with pfsense?

@kejianshi: Time to consider another option I guess: http://images.clipartof.com/small/1045996-Cartoon-Black-And-White-Outline-Design-Of-Businessmen-Communicating-On-Can-Phones-Poster-Art-Print.jpg Could I order 60 more of those please?

I'm glad thats helpful.  I'm interested to see how it turns out.

@kejianshi: If this is the case and nothing else on the network is plugged into that DSL modem/router the world isn't magically being to be able to get into this guy's network.  Not unless he does something really dumb.  This is what PF sense is.  A firewall.  If exposing its WAN port to the world were a security risk there would be no point in using pfsense. Huh? You just repeated what I said. You do realise that it's entirely possible to plug the modem into the LAN switch and still configure a WAN (PPPoe) on pfSense? It's secure only if you isolate the bridged mode modem by plugging into a physically separate port on the pfSense box or using a VLAN. This is the whole reason off-the-shelf routers have a dedicated WAN port. There is no need for a separate WAN port if you simply want it to act as a NAT gateway for PPPoE. Off-the-shelf routers can technically dial PPPoE even if the modem is on the LAN interface but they don't allow it. pfSense does allow you do bridge the modem on the LAN interface and still use the PPPoE connection as the WAN interface.

1.  If you are inside your own LAN and you are trying to access your server page using its private IP pfsense is dishing out, it should work. 2.  If you are inside your own LAN and you are trying to access your server page using public IP, it shouldn't if NAT reflection is off.  If NAT reflection is on and you are inside your own LAN it should work, however this is no guarantee its actually working from the outside since your ISP could block the port.  3.  Its possible your ISP is blocking 80? 4.  Assuming none of the above are the problem, is the computer on port 192.168.0.201 running a firewall? Also, there are people here in the forums who don't like to do this, however if you are going to need 443 and 80 for other servers, I'd change the ports my pfsense gui operates on.  While there is a command to allow pfsense and another host to basically share a port, I wouldn't use that solution.  I'd keep my pfsense interface exposed only on the LAN side of the network and move the interface port to non-standard ports and leave 80 and 443 free for my other servers. If you want to know if things are working from the outside but don't have a second connection to try from handy, a cellphone browser with a data plan is good for that or you could use browsershots.org