• Help me about pfsense NAT LOGS TABLE

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Very odd (to me) port forwarding issue.

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    T
    @GruensFroeschli: Can you show screenshots of your firewall and NAT rules? Did you enable advanced outbound nat? I have not touched the outbound NAT settings; it's still set to the default of Automatic Advanced. Here are the pictures (I have tried it with and without the aliases) [image: pfsensenat.jpg] [image: pfsensefirewall.jpg]
  • 1:1 Question

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J
    Thanks! That makes sense. Jens
  • Newbie with a question. It may be NAT related but I am not sure

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    GruensFroeschli
    http://faq.pfsense.com -> http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F :)
  • Problem accessing through Virtual IPs

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H
    I'm sorry. I should have specified that I tried using port forwarding from both the WAN port and the virtual IP I created for my web server. No luck. I also tried a packet capture to see if the packets were being rejected by the firewall for some reason. After trying the website multiple times, I stopped the capture only to find no packets were captured. I think it has to do with my ISP.  I have a call in to them, but they don't work on weekends. Go figure. Essentially, I followed all the setup guides and then a guide I found at: http://www.digitalphotomac.com/PFsense/VirtualIP/, which seemed to explain exactly what to do.  But it still didn't work. The only difference was I am using a Cable ISP and he is using a DSL provider.  Seems that is the problem. I may have to purchase a different ISP to make this work, but that would be a last resort. Thanks for your help.
  • NAT problem when openvpn connection from inside the LAN is made.

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    D
    Here is the openvpn config file I'm using. So unless it is in some other file, I'd say no.  ;)
        client
        dev tun
        remote xxx.xxx.xxx 1149
        proto udp
        tun-mtu 1500
        fragment 1300
        mssfix
        float
        reneg-sec 86400
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        route-method exe
        route-delay 2
        ca xxx.crt
        cert xxx.crt
        key xxx.key
        tls-auth xxx.key 1
        cipher AES-256-CBC
        comp-lzo
        verb 4
        ns-cert-type server
        auth-user-pass
        inactive 604800
        ping 5
        ping-restart 60
  • Mix NAT and Public IPs

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    F
    Ok i think it works :)
  • NAT with a subnet routed through another IP…

    Locked
    8
    0 Votes
    8 Posts
    3k Views
    K
    Hi GruensFroeschli! It looks like that PC has hardware problems (I'm hoping it's the hard drive) and that I'll need to reinstall… The web interface stopped responding for no reason and many of my logs seem to contain binary data which I'm pretty sure is probably not normal... I'll test 1:1 NAT as soon as everything is back to normal... Thank you! Nick
  • SOLVED: Can only NAT to interface IP. Why?

    Locked
    11
    0 Votes
    11 Posts
    4k Views
    P
    The picture did not show the entire network.  pfSense shares a LAN with a SonicWall that we are trying to replace and the SonicWall has more VPNs to more networks.  Trust me, I wouldn't just add static routes for the fun of it.
  • Help: Terminate IPSEC Clients to NATed WAN address

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    P
    So I have managed to get a test VPN connection up to a SonicWALL TZW.  I have NAT reflection enabled to make the xxx.xxx.xxx.77 address accessible from inside the firewall.  The problem that I am running into now is that I can only bring the tunnel up from the TZW side by pinging the xxx.xxx.xxx.77 address from inside the LAN of the TZW.  I need to be able to bring it up from the pfSense side as well, but I am unable to ping the remote network (192.168.41.0/24) of the TZW from pfSense. It seems like maybe an outbound NAT rule would take care of this, but I don't know how to set it up correctly, and it doesn't seem like I can make an outbound NAT rule for my IPSEC VLAN.  Can anyone help? Below are some screenshots of my current working configuration to help you better understand my setup. CARP Address on the WAN where VPNs will terminate.  This must be CARP as opposed to Proxy ARP because it needs to be pingable.  [image: WAN-CARP.jpg] VPN with remote network set to WAN-CARP address [image: IPSEC.jpg] Port forwarding xxx.xxx.xxx.77:22 to 192.168.41.50:22  This is working.  I can SSH to xxx.xxx.xxx.77: from the TZW and connect to a shell at xxx.xxx.xxx.50:22 [image: PortFwd.jpg] And here is the firewall rule that lets the port forwarding work.  [image: Firewall-1.jpg]
  • Problems with port forwarding

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    E
    @rmathew1973: The problem I'm running into is that we have a block of ip addresses (xxx.xxx.xxx.228 to xxx.xxx.xxx.239). Very interesting definition of problem. May we see screenshots of your NAT and rules?
  • [ASK] Pfsense as squid only ??

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    T
    @Eugene: What a day! The second smart network for today… routers do not split networks.... instead hub/switches do... pfSense with one interface. Wonderland! Or it's a secret screenshot from the newest Cisco's IIN design. Dear tendabiru, how do you define the word 'proxy' in your magic world? Dear Eugene, the picture is from my friend's network design, but now I cannot contact him again. The router is a mikrotik (indoor router) Routerboard RB450; maybe that is the wrong design? But I just need to know how to NAT, if the mikrotik forwards everything from (port 80) to pfsense squid port 3128 (maybe using two ethernet cards). I'm sorry, I just want to learn how to use this machine / pfsense. By proxy I mean squid and squidguard in pfsense. I'm sorry that I didn't explain it in good words, so I changed my question header. Regards
  • HTTP port forwarding is extremely slow

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    E
    Can you post screenshot of "NAT to forward HTTP traffic to a web server" here?
  • Captive portal to LAN routing

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Trouble accessing internal webserver - dyndns, LAN, DMZ

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    Cry Havok
    http://forum.pfsense.org/index.php/topic,18094.0.html
  • Allow OPT1 as LAN 2 to connect Internet same as LAN1 interface

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    Z
    1. Switch on DHCP on Lan2
    2. create a rule like:
        Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
        *      LAN2    *     *            *     *        none
  • Wan access via LAn ?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschli
    What are you trying to access? The webGUI? An NAT forwarding? In this case: did you read http://faq.pfsense.com ( http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F )
  • Ftp server behind PFsense… help, please?

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    K
    anyone? please?  ???
  • Re: NAT vs ROUTE to public NIC interface

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    GruensFroeschli
    Yes of course not. On the WAN are already things running like the webGUI. 1:1 NAT is to be used with additional IPs. If you want to forward ports from the primary WAN you need to use normal port forwards. (Here the same: you cannot forward already used ports). Why do you need 1:1 NAT anyways? Usually you can do it more elegantly with the use of aliases.
  • NAT vs ROUTE to public NIC interface

    Locked
    8
    0 Votes
    8 Posts
    6k Views
    T
    ok, OCS 2007 could use NAT, DNAT and SNAT. With R2 those requirements changed. R2 will work with SNAT. Configure it with 1-to-1 and give it a try. Enable NAT reflection if you have problems. Try it and let us know. If we get it working, we will document it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.