Thanks! It looks like it's working now.

@sullrich: I had no idea how to fix it but googling tcp auto scaling windows 2003 came up with: http://thesystemadministrator.com/The_System_Administrator/Tips_&Tricks/Disable_TCP_Auto-Tuning_to_Solve_Slow_Network(Vista)/ thanks for your reply, but i don't think that this is the issue. It doesn'tmatter which OS the Client has. It can be an Win2003 Server, an XP Machine oder a Vista Box. Everywhere its the same Problem. I can receive some secondes every package from my Server - an then no –> the Server doenst response. if i took my m0n0 back, with the same conf --> everything work fine. Firewall lets every package pass - nat is configured well. what can i do to help you ? greets, sash sashxp@gmail.com

Cheers, I made that change, and I think I understand a little more about NAT now into the bargain. Thanks Ben

Search the forum for NAT Reflection. You will not be able to do reflection for 1:1 hosts but you can port forward on the WAN interface on top of the 1:1 items for the needed ports. Alternatively setup another DNS server on the internal network and point the internal hosts to it which overrides the DNS IP address to the internal address.

We have 42 subnests. Here is a example of some. nat (inside) 12 10.12.0.0 255.255.0.0 0 0 nat (inside) 13 10.13.0.0 255.255.0.0 0 0 nat (inside) 14 10.14.0.0 255.255.0.0 0 0 global (outside) 12 external ip netmask 255.255.255.224 global (outside) 13 external ip netmask 255.255.255.224 global (outside) 14 external ip netmask 255.255.255.224

RTP is being tranfered over either UDP or TCP. http://en.wikipedia.org/wiki/Real-time_transport_protocol Since it usually uses a port from 16384-32767 you need to take a look at your webcam config and select the right on for your FW rule. VNC uses RTP too and there is no problem with is over pfSense. So i suspect you just used a wrong port in your FW-rule.

Nope, switched it back to https and left the port default and all i get when i got the the web address is a white blank screen. Which I am assuming is the pfsense install.

Hello thanks, made a change to the configuration. Now the SSL-VPN is in the DMZ and surpringly it now works. Tried to check all differences. Only special thing was a suspicious DHPC reservation for the laptop. Still wonder what the problem was.. regards, Hans

Just a dumb question but in the "Interfaces -> Wan" settings are the "Block private networks" and / or "Block bogon networks" check-boxes checked??? If so try un-checking them and see if it helps… gm...

I personally have the same problem and I do understand the uncheck VPN default gateway option on the client. However there are employees not capable of doing this there are peoples that simply would prefer to connect and browse their site from VPN without unchecking that option in pptp VPN, … Bottom line is it should be pretty simple to add to the code an option to allow proxy arp on the pptp interface. Is there a way to do it ?

And if you rearrange the drawing a bit you'll see: ┌───────┐                      ┌───────┐              ┌──────┐    –WAN--┤ pfSense ├--LAN---(WAN)--┤ untangle ├--(LAN)--┤ switch ├--(local subnet)-...               └───────┘                      └───────┘              └──────┘ You said you can reach the Untangle box's SSH port from local subnet side. Are you sure it is reachable from its WAN side (or whatever it's called) as well? This would explain your problems at least. But to be honest I don't know a thing about an 'Untangle' box so maybe I am totally off track.

Dude you're doing it all wrong, this exact same thing happened to me a few days ago coz of what I've read in the monowall documentation regarding 1:1 NAT, it's not complete. Although you can mix port forwarding rules with 1:1 NAT, it is not necessary as long as you have that many public ip's available. This is the procedure you should follow: 1. Create the Virtual Ip's. 2. Mapped the public ip's to the virtual ip's you've created in step 1. 3. Finally create firewall rules allowing a particular service that your server will be providing, (let's say that is a  web server) create a firewall rule in your WAN interface allowing tcp port 80 from anywhere to the private ip address of the web server. e.g. TCP  *  *  192.168.1.2  80(HTTP)  * You also ought to read this thread about 1:1 NAT -> http://forum.pfsense.org/index.php/topic,6965.0.html HTH

Finally I was able to make 1:1 NAT work by following this thread –> http://forum.pfsense.org/index.php/topic,6965.0.html maybe I was stressed out yesterday that it's why I can't make it to work coupled by the rustiness of not using pfSense for more than a year.  ;D now if only I can make the DNS point to correctly in order to receive mails, currently only outgoing mails is working.

Well the reason i was asking is because Skype was not working on my Mac Mini and I suspected everything.  I could hear fine but could not manage to get my microphone audio to work.    It appears that the newer Mac Minis do not have audio input working even though there is a plug labeled audio in. So I shoulda figured, my little BSDy is working like a champ as usual. Skype audio from the test call was excellent.

i have some experience with pf from running a openbsd firewall, but not to much on the NAT/RDR part, im guessing a rule like this would suffice: rdr pass on $wlan_if inet proto tcp from any to any port www -> $squid_server port $squid_port But i wanted to do it in the web gui as you said, configuring from the command line is not supported :( Is there a file or something that can contain custom rules?

Fixed it with the below settings … Sorry I just did not know how to make static ports actually work. [image: 4.GIF] [image: 4.GIF_thumb]

It's not a firewall rule you have to setup to make your adapter use always the same connection, you have to manually create a NAT Table for this IP address, see the NAT configuration page and the "Outgoing" tab. This is probably your problem, the load balancing try to swing the connection from WAN to WAN, but get blocked by the firewall 2/3 of the time. You shouldn't have to create firewall rule to allow communication to Vonage, as long as you have a rule that Allow any connection from lan to WAN. Give the outgoing NAT a try, I can't help you more than than I never played with outgoing NAT I always used Automatic, because I only have one WAN.