Hi MageMinds, Thanks for your post - enabling NAT Reflection solved the problem! Regards, James.

Did you change the sip.conf on Asterisk server to match the externip=ww.xx.yy.zz setting to your static ip address ? If not you should remove externhost and replace it with externip. Then I have more luck forcing static nat in the Outbound NAT settings on the pfSense. Here my config, the first line tells the router that my Asterisk Server need static nat the second one was auto generated by pfSense, and the third one is only a copy of the autogenerated one to allow my WLAN to NAT. [image: outboundnatht3.jpg] Here you can see detail of the configuration of the NAT for my Asterisk server located obviously on 10.77.2.5 [image: asterisknatam4.jpg]

You can't disable the filter without disabling NAT, they're done by the same thing. If you don't want to filter traffic put allow all rules on all your interfaces.

If you need to do so in the future, follow the steps here. http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

SOLVED ! BUT …. I made a mistake on firewall rules, allowing subnet 2 traffic on the wrong interface (I have a third OPT LAN interface on the border pfsense) The showed setup is OK, but I have found another problem (It seems to be a known issue) : Traffic shaper doesn't work when Squid on transparente mode is enabled. Searching the forum I cannot find a real solution. Any suggestion?

Yes, here are some images of the how it looks in the WebGUI: http://www.pr0p3r.net/img/dump/1.gif http://www.pr0p3r.net/img/dump/2.gif http://www.pr0p3r.net/img/dump/3.gif http://www.pr0p3r.net/img/dump/4.gif Maybe it helps you? ;) edit: no other router before CC. Berfore I had a router instead of CC but I was not happy with the statistics and other things when I used that one. edit2: When i was in the logs for the firewall i got this (when I clicked on one of the red-cross) http://www.pr0p3r.net/img/dump/5.gif Thats wrong?

@GruensFroeschli: You can use aliases in all field with a red background. So yes you can use aliases in the normal port forwardings. Advanced outbound NAT is the "outbound" tab. Thanks Gruens

In case this helps anyone - I did not have any issues going from ProxyARP to Carp type of virtual IPs. But when I switched back (because I never could get the FTP helper to work), the Cisco router did NOT pick up on the new MAC address, and traffic wasn't being routed properly.  I had to call my ISP and have them clear their ARP cache for that particular IP.

Ok, here's how I got around these problems, hopefully this is useful to others who are having problems with FTP. For my windows servers, I'm installing FileZilla FTP server, and dumping IIS.   FileZilla is easy to configure a port range (vs registry hacks for IIS), and easy to configure it to use whatever IP address you want when announcing its external IP address (IIS can't even do this).   Additionally, it has a setting for NOT using this external IP when talking to internal clients!  So internal FTP still works. For linux, I just added these options to my vsftpd.conf file.  Most other linux FTP servers will have something similar. pasv_address=<my_external_ip></my_external_ip> pasv_min_port=<my_beginning_port_range></my_beginning_port_range> pasv_max_port=<my_ending_port_range></my_ending_port_range> Then I opened that port range on the firewall for hosts that need FTP. Still, I am hoping the FTP stuff is working better in the next release of pfSense, then we may be able to move our other public subnet over from the Cisco box to a pfSense box.

Setup VIPs for your additional IPs, add 1:1 NAT for the servers.

@Cry: Well, that'll cause you problems (as has been said in many other posts don't do that). It should be: Modem –- WAN - pfSense - LAN --- Switch ---> server, desktop yeah thats how it is now and it works good, i had to set the modem to PPPoE and do the same for pfsense.

Edit: I see what I did wrong.

http://devwiki.pfsense.org/FTPTroubleShooting keyword for a search: passiv +ftp Last but not least. Why not switch to SFTP. The why The how

I have fixed the issue.  In case anyone else is ever curious about setting up my solution you also need to add firewall rules to permit traffic from your other networks to pass through.  Thanks for everyone's suggestions on this! -Mark  

Here is what ports I open for asterisk and mine works flawlessly. UDP -> 5060-5082 -> SIP UDP -> 10000-20000-> RTP UDP -> 4569 -> IAX2

rsync through NAT shouldn't be an issue. This should help. http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting The pfSense download mirrors rsync to a server behind pfSense NAT.

Not with host headers. Might be something you can do via policy routing using other specifics.