Please post a screenshot of your WAN firewall and port forwarding rules.

Please post your WAN firewall and NAT rules

The output of "pfctl -sn" and "pfctl -sr" are identical for the two boxes, so the rules are being created correctly.

I've tried a packet capture on the system that isn't working and this is what I get with Full detail.  Unfortunately, I've no idea what it all means.  IP addresses have been censored but otherwise the data is unmodified.  Traffic is from tcping on the port in question (ms-sql-s) but I tried a different port forward (https) and that isn't working either.

09:56:25.709841 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 114, id 30438, offset 0, flags [DF], proto TCP (6), length 52)     50.19.www.xxx.62525 > 208.176.yyy.zzz.1433: Flags [s], cksum 0xb5c6 (correct), seq 410772004, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 09:56:27.718749 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30647, offset 0, flags [DF], proto TCP (6), length 52)     50.19.www.xxx.62526 > 208.176.yyy.zzz.1433: Flags [s], cksum 0x6be1 (correct), seq 3962460245, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 09:56:28.706720 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 114, id 30650, offset 0, flags [DF], proto TCP (6), length 52)     50.19.www.xxx.62525 > 208.176.yyy.zzz.1433: Flags [s], cksum 0xb5c6 (correct), seq 410772004, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 09:56:29.726159 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30651, offset 0, flags [DF], proto TCP (6), length 52)     50.19.www.xxx.62527 > 208.176.yyy.zzz.1433: Flags [s], cksum 0xe7e1 (correct), seq 2554933305, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 09:56:30.716128 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30654, offset 0, flags [DF], proto TCP (6), length 52)     50.19.www.xxx.62526 > 208.176.yyy.zzz.1433: Flags [s], cksum 0x6be1 (correct), seq 3962460245, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 09:56:31.736067 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30657, offset 0, flags [DF], proto TCP (6), length 52)     50.19.www.xxx.62528 > 208.176.yyy.zzz.1433: Flags [s], cksum 0x9363 (correct), seq 3848746904, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0 09:56:32.727035 00:21:62:94:fe:00 > 00:90:0b:11:57:2e, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 113, id 30662, offset 0, flags [DF], proto TCP (6), length 52)     50.19.www.xxx.62527 > 208.176.yyy.zzz.1433: Flags [s], cksum 0xe7e1 (correct), seq 2554933305, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0[/s][/s][/s][/s][/s][/s][/s]

Sorry, I use neither. Try asking the question in the Packages sub-forum.

Thank you very much for your help.

I have created a test rule based on instructions found in Docs, and it works OK, it just required a reboot of the Alix to work.

I will post back if any other problem occur.

Best

Kostas

please help me to access my PublicIP with my upnp port from lan

Hi, thanks for your answer.. i have one interface where my WAN is connected.

What i did to make it work was that i added the public ip address as a virtual IP on the WAN interface.
After that i added a 1:1 nat where the external ip was the public (ofc :-)) and the internal was the internal ip of the box i had on the inside.
When that was done, i added a firewall rule to allow everything to the internal ip.

That works…

OMG - I'm such an idiot.

I'm not sure why the default rules didn't work for me, but I figured out what my problem was.

I looked at another pfsense install's default NAT rules and realized that the default outbound NAT rule for LAN to WAN is applied to the WAN interface…. (just like the hint says - Duh.)

Anyway, I switched the rule from LAN to WAN... and it works exactly as I expect it would.

Honestly, just explaining the problem on the forum helped me understand the problem enough to reach a solution on my own.  Thanks for just giving me a place to figure this out.. lol.

I love pfSense. :)

-Kevin

Hi Jannus,

I think I'm having the same problem as you.  See -> http://forum.pfsense.org/index.php/topic,41743.0.html

Did you ever get this issue resolved?  If so, what worked for you?

Thanks!
Kevin

Yep, I've got a gateway set on my LAN interface and on my MNG interface (management vlan interface).

Well, I wonder how this could have worked without breaking anything.

I have removed both the default GWs leaving only one interface-bound GW on the WAN.

Thanks for help!

Peter

You cannot transparently proxy https.

You can put a hostname in, and from memory (a search of the forum will tell you more) it is resolved every so often to see if it has changed.

It may be simpler to use a VPN.

@tommyboy180:

Pro Tip: If you create a NAT entry first a firewall entry will be created automatically for you by default.
The pfsense GUI has a small learning curve. Most firewall distros don't have a separate NAT entry GUI than the firewall GUI.

This only works for port forward NAT rules. With 1:1 NAT you still have to create the rules.

Thanks all, the release version 2.0 has solved my problems…. =)

On the subject of NAT before IPsec VPN (not supported in pfsense 2.0), you can also read http://redmine.pfsense.org/issues/1855

I created the ip as a virtual ip and not in 1:1 and then created NAT rules, and set the outbound nat accrdong to the need I had. It did work AFTER i rebooted the ISP modem in this fashion. I suspect it will also work in 1:1 as well. I feel like there should be a big fat sticky note somewhere on 1:1 and modems and arp (as in sticky or note in the pfsense gui)…

marcelloc> very interesting, I'll dig into that!

Now everything is ok, calls in all directions…fine tuning on: voicemail,codecs order, redirection,call transfert, pickup call...

create proxy arp or virtual ip for every single ip you have.
1:1 transfer any trafic but only one client/server(unless using server loadbalancing)
with portforward you can decide what trafic you want to server have and can use multiple servers(ex. port 80 -> server1, port 25 -> server2 etc.)