You should start by finding out what you're trying to do: Try to read up what NAT is and how it works. Google and wikipedia can help you there. You should also read the tutorials and howtos in the links you can find here: http://forum.pfsense.org/index.php/topic,7001.0.html After that draw a diagram of what you want, which IP you have where and what should have access to what. If you have that: Set up VIP's where required (your additional IP's) and create port forwards or 1:1 NAT entries depending on your needs.

Well the IP i am connecting to is the internal IP, yet due to the way the server software works (it is an incredibly alpha peice of software that really doesnt function exactly as it should) it does cause some wierd router loopback issues, even though i am connecting to the internal IP. So im not sure whether it is the client machine that has the loopback issue or the server. Either way i shall try NAT Reflection asap as this sounds exactly what i am after. Thanks for the tip.

Thanks for the help :)

Would it be better to set this up with a vip like this? Pubic IP                             l           Rouer DMZ to 192.168.1.10/24                             l               WAN 192.168.1.10/24 pfSense1, dell2400, DHCP  LAN 10.0.0.100-10.0.0.200 Freeradius, Captive Portal                   LAN 10.0.0.1/24                             |                             |                             |–-wired Switch (Local Network at my house)                             |                             |                   WAN 10.0.0.3/24 pfSense2, bridged ap, Wrap With Omni On Roof                   LAN 10.0.0.2/24                             |                             |                             |wireless                             |                             |                   WAN 10.0.0.132/24 pfSense3 client, DHCP 192.168.2.100-192.168.2.200, Radius Client, Captive Portal, Omni Directional On Roof                   LAN 192.168.2.1/24                             |                             |                             |Switch--------wireless linksys 54 G (Acess Point for client computers)                             |                             |                   10.0.0.10/24 VIP   Win XP DVR Server (http Camera Server)

The source port is a random port chosen by the operating system in range 1024-65536 unless specified by the client.

Hope this helps: http://forum.pfsense.org/index.php/topic,7001.0.html And there are several posts asking the same in this this NAT forum.

Try rebooting the external router after you have added the proxy arp vip. Some routers have a nasty habit of keeping an arp cache that won't clear without a reboot (or waiting couple of hours) and will prevent the vips from working.

http://forum.pfsense.org/index.php/topic,7001.0.html

Is it possible to assign addtional IP Adresses in a range vi CARP; f.e. 10.10.22.0/25 ? Can I use all the adresses in this range for 1:1 NAT using there the same mask ? FBI01

You've set as source port range por 477. Meaning if a client should be able to connect he has to connect FROM port 477. This will never happen. Set the source port in the firewall-rule to any and it should work.

I'm french and I started a new topic into the french section of the forum. http://forum.pfsense.org/index.php/topic,11104.0.html

If they did a static mapping, then you should be able to manually configure your nic with those parameters, it doesn't matter if you get the ip address from the DHCP or if you configure it manually, as long as you make sure that you doesn't setup an IP address that might be used elsewhere, if they did a static dhcp assignation that means that only you can get that ip address, you should be good to go in manual configuration. Unless your ISP have some sort of weird setup that would prevent you to make this, but I doubt it. MageMinds

Thinking it out I think 1 Inbound NAT rule will suffice.  I will test this once I return to work. Thank you so very much for your quick responses, you have helped me out so much.

That's only partially true. You can force traffic from specific clients out a VIP with AoN rules. But 1:1 NAT is bidirectional. Meaning if you use a VIP in the 1:1 NAT rule you dont need additionally a AoN rule to force it out the VIP –> This already happens automatically. Otherwise it wouldnt be 1:1 NAT. If you use normal NAT forwardings from a VIP, you need AoN rules for outbound traffic if you want it to appear from the VIP.

So, I changed physical networks over, and things didn't seem to go as smoothly as I had hoped. when I physically separated the servers from the real .1.1 gateway, things appeared to work. I had set up individual firewall rules for each server to pass all packets in the WAN & out the LAN, and I could ping them from the rest of the world. However, they could not ping out. (or pass any traffic out) However, if I change their gateways to be the pfsense box (.1.2) then they can pass packets out & things appear to be properly filtered coming in. am I just crazy? :-) Thank you!

While it is possible to manually add rules to the firewall from the shell, it is a very bad idea. Stick to the web interface. If you are interested in the mechanics, this is a good place to start: http://home.nuug.no/~peter/pf/en/

There is no port forward involved here … To access the DMZ you only have to have a firewall rule that allow your LAN to communicate with your DMZ and since it's a DMZ you might want to restrict that access to only specific ports to specific server in the DMZ, but there is NO NAT involved here ... Only firewall access rules ... For starter create a rule that allow everything from LAN to DMZ, usually there is a default rule in pfSense that allow the LAN to do anything, go into the DMZ firewall rules and create a similar rule to allow it to access anything...

I think that could be done using twice the hardware … You will need two sets of pfSense to make it work ... LAN1 <-> pf1 <-> pf2 <-> Internet <-> pf2 <-> pf1 <-> LAN2 The two pf2 establish the VPN and the two pf1 will be configured to route traffic into the VPN. Please note, that I haven't tested of tried that, this is only an idea to make this work, but there's no guarantee that it could work... If the problem is that the trafic get into the VPN before the NAT in FreeBSD, the idea is to force the NAT before the VPN using a different router.