• Outbound NAT messup Trixbox register

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D
    Change the outbound rule from automatic NAT to manual, and then check the box that says "static port" and see if that fixes it.
  • Public IPs on LAN

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    dotdashD
    1:1 NAT requires putting a private IP on the server and mapping that to a public. If you have to leave public IPs on the boxes, you would want a filtering bridge. Trendchiller has an excellent doc on this here: http://pfsense.trendchiller.com/transparent_firewall.pdf It may be getting a little dated, I haven't done a bridge setup in ages. If you have private IPs also, the most common solution is to create a DMZ bridged with your WAN.
  • Weird NAT reflection with a webserver behind NAT

    Locked
    3
    0 Votes
    3 Posts
    5k Views
    A
    Yes, the pfSense box is a DHCP and a local DNS server. While your suggestion did not work for me, I think I know what's wrong though. I connected to the network with my linux laptop and did some debugging. It turns out that the DHCP server passes some extra domain stuff to their DHCP clients upon registration. I did a cat /etc/resolv.conf file and got: domain mydomain.com search mydomain.com nameserver 192.168.1.1 If I do a nslookup of an existing domain, it returns a proper IP address while doing the same for a non-existing domain i.e. www.somedomain.org returns www.somedomain.org.mydomain.com, and the IP is that of my router WAN interface. Manually removing the domain and search lines from resolv.conf seems to fix the problem. With nat reflection turned on I get proper errors now. Now I just have to figure out how to fix the DHCP not to serve those domain lines.
  • Trouble with port forwarding.

    Locked
    7
    0 Votes
    7 Posts
    3k Views
    A
    @GruensFroeschli: I'm not sure how pfSense could interfere with that, since it only sees the TCP connection and has nothing to do with the http request. Are you sure this is not a misconfiguration on the server? I'm not, but since I can successfully access the website this way when on the same lan, there should be no reason not to access from a remote client. Is there?
  • Internet access from remote site

    Locked
    6
    0 Votes
    6 Posts
    2k Views
    J
    Thanks anyway ! Asking me to post the Outbound rules made me think !
  • Problem with connecting to ftp from inside

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    S
    I have the same problem… never works.
  • FTP-Helper translating FTP PORT command problem

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    S
    I am having trouble with getting PFsense to forward the original IP address of the client, instead of the PFsense LAN IP…. I have followed the guide, but to no avail.....
  • NAT Reflection on 1:1 NAT

    Locked
    10
    0 Votes
    10 Posts
    5k Views
    A
    @GruensFroeschli: Yes you can do that with VIPs. With advanced outbound rules you even can get the same functionality of 1:1 NAT where the traffic originating from the server appears as if from the VIP. Can you give me an example?  What advanced outbound NAT settings would need to be set up to do that?  Because for VPN purposes, I'm certain that the traffic would need to come from the VIP.
  • Complete failure to forward ports 745+746 - part 2

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    B
    In your setup, you are only forwarding port 5000 to port 746 on the inside, is that the only port you wanted to forward?
  • Complete failure to forward ports 745+746 - part 1

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    B
    See reply to other post. http://forum.pfsense.org/index.php/topic,19664.0.html
  • VoIP Calls Lose Audio after Call Transfer

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • REDIRECT to Local Webserver

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    E
    Thanks for the reply. Since I am new I thought I had to use NAT. Can you explain how I can your PASS rules?
  • Bypassing transparent http proxy (havp?)

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    D
    I will try that when I get home, thanks.  I am not sure how that will work though, since the tivo needs to get to the outside world and does have a private IP, so won't "no nat" keep that from working?
  • Accept any IP configuration settings from users

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    U
    No, I am sorry, but it seems that UPnP is not working for me. Anyone else maybe can help me ? Come on, guys, there must be some way of doing this.. Please don't let me down :)
  • Can't get SIP working with NAT (on embedded)

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    jimpJ
    @capsmet: PS: I considered trying sipproxy, however because I'm running on an embedded system I can not run packages. Update to a 1.2.3-RC3 snapshot, then you will be using NanoBSD and can install packages, including the SIP proxy.
  • Outbound NAT Choices

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Converting from a PIX firewall to pfsense

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    By default, pfSense will not NAT between internal subnets. You can customize this behavior by using manual outbound NAT rules.
  • NAT not working through virtual IPs

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    fixed. not sure how, just glad it is! i've made so many changes in the last 2 days over so many reinstalls i can't be sure what fixed it but nevermind
  • Bridge LAN and OPT1 passing DHCP?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    G
    Oh sorry i forgot to mention that i am using pfsense 1.2.2 Thu Jan 8 22:30:24.
  • Service profiles, templates or rule groups?

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    D
    Replying a bit to my own post, but could this be done by simply externally rewriting the xml backup file and then restoring it? Presumably that would require a service restart? Thinking aloud, if that was done as part of a cluster would the new restored file then overwrite the configs on all FWs? That would possibly mean that the service as a whole stayed up all through the process? If that is all true then it would be possible to write an offline rule editor that could build the config from a DB produce the XML and then restore/export it to the firewalls? Any thoughts about that?