  • Traffic from 1:1 NAT dies after going through one router hop

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    S

    Thanks for the replies. I got it working but I am not sure how. I was sniffing with Wireshark and in the midst of my troubleshooting it started working. Did not change anything in the firewall config.

    The router was working correctly as well. It was sending out ICMP packets that were getting a response and the ones that were not getting a response exactly the same way.

    One key thing that I forgot to mention in my original post is that this is a cable connection.

    Since the time the problem mysteriously fixed itself I have torn down the whole setup a couple of times and rebuilt it. And I have been able to reproduce the problem but not with consistency.

    One thing I found that fixes the problem every time is rebooting the cable modem after I am done creating all the VIPs. Any VIP that did not exist when the cable modem was powered up has a random chance of working. But if I reboot the cable modem after creating the IP then it would work every time. I did not sniff the wire to see if the modem was somehow ping sweeping my CIDR block to see which IP is live and which is not. It wouldn't make sense for it to do that.

    In any case, I'll post back if I find anything concrete. Right now my troubleshooting is not conclusive but at least I know how to get it working.

    What a great product BTW. Very impressed.

  • Nat reflection issues (timeout) in both 1.2-RC2 and 1.2-RC3

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    F

    Try this:

    http://forum.pfsense.org/index.php/topic,1528.0.html

  • 1:1 NAT not allowing incoming connections

    Locked
    7
    0 Votes
    7 Posts
    4k Views
    C

    You know what, I am stupid. I just remembered I did not tell the specific rule itself to log, I just had logs in general on… Dohh... Anyway I am in the process of rebuilding it now due to crashing for some odd reason after the 11/6 snapshot was put on.

    When I am done I will remake the rules and what not from scratch and maybe it will work now, I don't know... :)

    If not I will post back with my findings as I only have one more day to get this thing working. :(

    If anyone else can think of anything please let me know,

    But am I correct in assuming that making the rules like I did it should just pass all traffic going to the 5 public IPs to the 5 local on the DMZ and it will be up to the hosts/devices to firewall? That is what I am after. I know I can do individual ports but I just want EVERYTHING allowed on these 5...

    UPDATE Guess I am dead right now... The 11/6 snapshot is broken it seems, or at least for me... Posted my problem in install/upgrades... I keep getting random reboots. So can't finish playing with this until that system stays up. :)

  • Advanced Outbound NAT : Static Port

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    C

    I am new to all this myself but my understanding, someone correct me if I am wrong, is that when it is unchecked the box makes random ports for the outgoing connections. This is more secure because say if someone was following your traffic they would get lost in it because it changes the port number.

    If you check that, it will force it to use the same port number.

    Some things don't like the port changing like that but a lot of home routers do it even…

    Hope that helps, maybe someone will chime in if I am off..

  • NAT Problem

    Locked
    16
    0 Votes
    16 Posts
    7k Views
    B

    Hello guys!
    Well, I reinstalled my pfSense, and still have dual-wan configuration, but now I configured it with static WAN IPs (for WAN and OPT1).
    Now everything works fine. So at this time I set up my ADSL modems in modem-router mode  ;D
    But the problem is that the modem router is not able to handle so many connections …
    I plan to install 2 old PCs for router only (pfSense or other ...)
    So with static WANs configuration, based on tutorials it's all OK  ::)

  • Wireless Access Point WAP on OPT1 with Static Ports enabled (SOLVED)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    GruensFroeschliG

    Your problem was not the "static port option" but more that you forgot to follow the note which is on the AON-page.

    Note:
    If advanced outbound NAT is enabled, no outbound NAT rules will be automatically generated any longer. Instead, only the mappings you specify below will be used. With advanced outbound NAT disabled, a mapping is automatically created for each interface's subnet (except WAN).

    –> you have to add your outbound-NAT rules manually.

    To avoid such problems you could create a single rule with as source "any".

  • Problem: apache2, nat , virtual hosts and Public IP, Load balancing

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • VOIP issues with Polycom's

    Locked
    10
    0 Votes
    10 Posts
    4k Views
    C

    Turn the static port off and see what happens. It may fix it, if those phones don't require static port. That's the only reason it would work in a default 1.0.1 and not 1.2.

  • Tricky routing

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H

    So you're saying the server won't know it has any public IPs at all, it will simply have multiple private IPs?

    That could pose issues as the server runs cPanel and may get confused if it's unaware of what its public IP is. Then again it might work great. I'll have to try that, I can't come up with any other ideas…

    Thanks!

  • Problem with NAT , NAT reflection and access to website from server

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    K

    Hi!
    I've found that generally access to a server from behind the same NAT is impossible. Does the new version of pfSense solve that problem? Is it a problem only with BSD, or is it the same under Linux?

    Regards,
    Hans

  • SOLVED: Simple NAT portforwarding is totally blocked!

    Locked
    12
    0 Votes
    12 Posts
    4k Views
    M

    ok then..  ???

    any foolproof method to fix the FTP entry one last time anyone? :)

  • 0 Votes
    1 Posts
    2k Views
    No one has replied
  • FTP Proxy possible?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Hosting website inside pfsense box? possible?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jahonixJ

    Other than the management WEBgui: NO.
    And you don't want anybody but an admin to surf to a firewall.

    On the other hand, under the hood is a FreeBSD 6.2 install. You can do whatever you want…

  • Setting up NAT like 2wire routers

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • FTP, and others

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    M

    I think the pfSense server redirects the port 21 traffic to its own server, and not to NAT. I see this when I nmap scanned the server from WAN, where port 21 is open to the pfSense server itself all the time

  • Not installing nat reflection rules.

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    E

    Thank you very much -)
    Especially I liked "port is a port" -)))

  • First time install of pf, a couple of questions

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    P

    I apologize for the length of my post.  I was trying to give as much detail as possible.  I hadn't actually checked back on this topic until today but I did want to let everyone know I have managed to get the interface working, just not quite in the configuration I wanted.

    I had to leave my Netopia configured the same as it was previously - establishing the PPPoE connection and doing the default NAT, with its ethernet interface set up as a gateway.  PF I set both interfaces to a static IP and the WAN pointed to the Netopia gateway.  I've also left the automatic NAT rules on, not even messing with NAT.  Everything works!  I can see traffic going across the nice graph interface and have begun to try a couple of firewall rules.

    It isn't quite the way I was hoping the configuration would be set up, but so far since it's working fine and I've been able to test blocking addresses locally, it seems to be doing the job.  Many thanks.

  • Proxy-arp or carp?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Documentation on ftp helper?

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.